How to Comply With the EU’s GDPR in 10 Steps

The European Union’s (EU) General Data Protection Regulation (GDPR) is a single EU-wide consumer data privacy law that strengthens consumer data rights while introducing significant data protection requirements and obligations for individuals and businesses that collect and process personal data.

Since going into effect in 2018, the GDPR has clarified data privacy law requirements and consolidated enforcement powers across EU member states – with severe penalties for noncompliance. Follow the 10-step checklist below to establish and maintain a GDPR compliance program.

[Download the full GDPR compliance checklist as a PDF.]

Who must comply with GDPR?

GDPR compliance requirements apply to companies and businesses that collect or process EU-originating personal data while offering goods or services to the data subject or monitoring their digital behavior – regardless of whether that data processing takes place within the EU.

This means that companies based outside of the EU may be subject to the GDPR when their data processing activities are linked to established business activities within the EU. For example, one single sales agent or employee operating in the EU may trigger GDPR if the processing of EU-originating personal data is in the context of business activities established within the EU.

What data is protected by the GDPR?

The GDPR outlines specific rights and protections for the personal data collected from individuals in the EU. Personal data is any information that can be directly or indirectly linked to an individual. The GDPR specifies additional requirements for sensitive personal data.

What happens if you violate GDPR?

EU member states must appoint a supervisory authority (or authorities) to monitor GDPR compliance within their country. These supervisory bodies can fine noncompliant companies up to 4% of global revenue or €20 million for personal data breaches, whichever is higher.

GDPR program compliance checklist

These steps will help businesses ensure they remain GDPR compliant and avoid hefty penalties.

[Download the full GDPR compliance checklist as a PDF.]

Step 1: Designate a Data Protection Officer (DPO)

If required, designate a DPO with the requisite knowledge, documented responsibilities, and sufficient authority, budget, and access (reporting to the most senior level of management).

Step 2: Establish project team or GDPR working group

Identify stakeholders to execute measures to assist the DPO in assessing, developing, remediating, and maintaining the GDPR program.

Step 3: Deliver awareness and training

Keep employees, management, and as-needed third parties aware of GDPR requirements through periodic notices and training on your GDPR program.

Step 4: Evidence governance and accountability

Review and update privacy/data protection policies, procedures, and management reporting to assure compliance with GDPR.

Document compliance with the GDPR’s seven governing privacy principles.

Step 5: Maintain privacy notices and consents

Review how you seek, record, and manage consents, and update as needed to assure concise, simple, transparent, and timely consents that can be readily accessed and withdrawn.

Review privacy notices to confirm GDPR-compliant content, delivery, and timing, and update as needed.

Step 6: Assess and inventory data processing activities

Regularly inventory data flow sources and conduct periodic data protection impact assessments for data processing likely to be high risk to a data subject.

Implement appropriate technical and organizational measures to show you have considered and integrated data protection into your processing activities.

Step 7: Maintain data breach procedures

Maintain procedures for handling data breaches to ensure they are detected, reported, investigated, and managed, as well as recorded in a timely manner.

Step 8: Comply with data subjects’ rights

Assure your processing controls comply with data subjects’ rights to access, rectify, erasure, object, and data portability and to lodge a complaint, among other rights.

Step 9: Maintain compliant third-party engagements

Screen third parties and maintain engagements documented via contracts that integrate GDPR program requirements.

Step 10: Maintain program

Monitor and audit your GDPR program regularly for compliance and update as needed to reflect changes in regulations, operations, feedback, and review results.

[Download the full GDPR compliance checklist as a PDF.]

Navigate complex GDPR requirements and avoid costly penalties with Bloomberg Law

The far-reaching scope of the GDPR means companies around the world must take action to comply if they wish to do business in EU member states. Stay on top of the dynamic field of GDPR regulations and other major consumer data privacy laws around the world with expert analysis, comprehensive coverage, news, and practice tools from Bloomberg Law. Request a demo to see it for yourself.

Recommended for you

See Bloomberg Law in action

From live events to in-depth reports, discover singular thought leadership from Bloomberg Law. Our network of expert analysts is always on the case – so you can make yours. Request a demo to see it for yourself.