
The Ultimate Guide to
General Data Protection Regulation (GDPR)
What is GDPR?
The EU enacted the General Data Protection Regulation, or GDPR, to protect their citizens’ data and give them the right to know what data providers collect about them. It also lays out strict rules for reporting breaches and how to store and protect data.
Any business with customers who are citizens of a European Union country is subject to GDPR, and the GDPR is one of the harsher regulations in terms of punishment. It allows for a tiered approach based on the seriousness of the violation, with the maximum penalty being fines of up to €20 million or 4% of the organization’s worldwide annual revenue for the prior financial year, whichever is greater.
The General Data Protection Regulation, or GDPR, is one of the strictest privacy laws in the world, requiring organizations inside and outside of Europe to secure the personal data of European Union (EU) citizens collected, processed, or stored by the organization. GDPR went into effect on May 25th, 2018, to safeguard EU citizens’ data and uphold the right to know exactly what data is collected by providers. GDPR also lays out strict rules for reporting breaches and how to store and protect data.
Definition of Personal Data Under GDPR
The GDPR defines Personal Data as
“any information relating to an identified or identifiable natural person (“Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.
GDPR Privacy Principles
GDPR’s data privacy principles originate from the EU’s 1995 Data Protection Directive and took effect on May 25, 2018, as technology advanced and data breaches became more common. The GDPR establishes seven key data privacy principles.
Article 5 establishes the fundamental principles relating to the processing of personal data, while other articles in this section address specific aspects of lawful processing and consent requirements.
GDPR’s principles require that personal data be processed lawfully, fairly, and transparently, with data subjects informed about processing activities. Organizations must ensure data is collected for specified, explicit, and legitimate purposes, is adequate and relevant to those purposes, and is kept secure through appropriate technical and organizational measures.
GDPR Obligations for Controllers and Data Processors
Data controllers are people, agencies, organizations or authorities who oversee the processing of personal data, determining the purpose for and means of processing this information. For example, if you’re an e-commerce company that sells goods online to EU citizens and you’d like to collect consumers’ physical and email addresses to notify them of shipments and send them promotional emails, you’re considered a data controller under GDPR.
Controllers are responsible for implementing appropriate technical and organizational measures to ensure that data processing is performed in accordance with GDPR regulations and enforcing appropriate data protection policies when necessary. Controllers must implement data protection by default measures, ensuring that only personal data necessary for each specific purpose of the processing is processed.
Data processors work by specific contracts to process data on behalf of controllers. Processors work under the strict orders of controllers, processing data only on the documented instructions of a controller.
Processors must assist controllers in meeting all compliance obligations, such as deleting or returning all personal data to the controller after the end of the provision of services relating to processing, and deleting existing copies unless Union or Member State law requires storage. In the same e-commerce example, the data processor is the email marketing software company that’s used by the e-commerce company to send promotional emails to EU customers. Because it is processing data that belongs to EU data subjects, even if the email tool company is incorporated in the U.S., it still needs to abide by GDPR.
What is the process for becoming GDPR Compliant?
Becoming GDPR compliant involves establishing executive leadership and forming cross-functional task forces that include all departments handling personal data, while conducting comprehensive risk assessments and creating detailed documentation of their data processing activities. Organizations must then implement appropriate technical and organizational measures to mitigate identified risks, establish incident response procedures capable of meeting the 72-hour breach notification requirement, and maintain ongoing monitoring processes to ensure continuous compliance. Compliance can boost consumer confidence and create competitive advantages.
Establish executive urgency and leadership from top management to prioritize cyber preparedness and compliance with global data hygiene standards. Next, form a cross-functional task force that includes marketing, finance, sales, operations, and any group that collects, analyzes, or uses customers’ personal information. It’s important to recognize that IT alone cannot meet GDPR requirements and involve all relevant stakeholders in the compliance process.
Conduct periodic risk assessments to understand what data you store and process on EU citizens and identify associated risks. Complete a full IT infrastructure inventory to get a comprehensive picture of your entire IT environment, then uncover all shadow IT applications that might be collecting and storing personal information. Finally, identify all applications, including smaller point solutions, that represent the greatest compliance risk.
Take inventory of risky applications to identify where personal data is being processed, who is processing it, and how it is being processed. Document compliance progress to demonstrate accountability, as required by GDPR’s accountability principle. Then, maintain comprehensive documentation showing how your organization has become compliant.
Hire or appoint a Data Protection Officer (DPO) if required for your organization. Consider using a virtual DPO who works as a consultant for multiple organizations if a full-time position is not necessary. Ensure the DPO has appropriate authority and resources to fulfill their responsibilities.
Create and maintain a data protection plan, reviewing and updating existing plans to ensure GDPR alignment. Implement identified risk mitigation measures, which typically involves revising existing security measures. Address risks from employees accessing personal information through mobile devices and personal apps. Determine appropriate security levels to protect data based on risk assessments, and finally, review plans periodically to ensure continued effectiveness.
Test incident response plans to ensure adequate breach reporting capabilities, and then prepare systems and processes to report breaches within the required 72-hour timeframe. Develop response procedures to minimize damage when incidents occur and train staff on proper incident response protocols.
Set up ongoing assessment processes to monitor compliance status and establish continuous improvement procedures to maintain GDPR compliance over time. Consider adding mandatory GDPR policy observances to employee contracts and implement incentive systems or penalties to encourage compliance behavior. Regularly review and update compliance measures as business operations change over time.
GDPR Compliance Checklist
Achieving and maintaining compliance with GDPR requires strategic organization and diligence. Working with a compliance checklist simplifies the process, ensuring you check the boxes and minimize your business’s exposure to regulatory penalties. Below is a checklist of categories and activities all organizations should perform to help achieve and maintain GDPR compliance.
Be lawful and transparent
Maintain a current list of all data processing activities and conduct protection impact assessments when processing is likely to result in a high risk to the rights and freedoms of individuals. Your list should include the type of data processed, the purpose of processing, who has access to the data, security controls in place, and plans for deletion of the data. Be able to provide a “lawful basis” for your processing, and be sure to notify the subject of data collection and the legal justification behind it.
Be secure
Practice “data protection by design and by default,” including the implementation of appropriate technology (encryption) and organizational measures (delete data after use) to ensure data safety at all times. Institute an internal data security policy and privacy and security training for employees, and a process to notify authorities and subjects in the event of a breach.
Delegate responsibility
Assign roles and responsibilities for GDPR compliance and appoint a Data Protection Officer if required under Article 37, such as when you are a public authority, when your core activities involve large-scale systematic monitoring of individuals, or when your core activities involve large-scale processing of special categories of personal data. Sign a data processing agreement contract with all third parties who process data on your behalf, and if you’re located outside the EU, be sure to delegate a representative within an EU state.
Uphold data privacy rights
Keep subject data current and make it easy for subjects to view, update, delete, transfer, or stop the processing of their data without undue delay and within one month of receipt of the request, as required by Article 12.
GDPR breaches and fines
Failing to comply with GDPR can result in significant monetary fines in addition to brand damage and reputational harm. GDPR views certain violations as more severe than others, so penalties scale with the offense. Article 83 governs fines: less severe violations (usually involving the articles governing controllers and processors or certification and monitoring bodies) can receive penalties of up to €10 million or 2% of annual global revenue, whichever is greater. More severe violations (involving basic principles for processing, conditions for consent, and data subjects’ rights, including the right to be forgotten) can receive fines of up to €20 million or 4% of annual global revenue, whichever is greater.
Data protection regulators (supervisory authorities) in each European country administer GDPR fines. How much you will pay depends on the following ten criteria:
Gravity and nature
The overall picture of the infringement. What happened, how it happened, why it happened, the number of people affected, the damage they suffered, and how long it took to resolve.
Intention
Whether the infringement was intentional or the result of negligence.
Mitigation
Whether the firm took any actions to mitigate the damage suffered by people affected by the infringement.
Precautionary measures
The amount of technical and organizational preparation the firm had previously implemented to comply with the GDPR.
History
Any relevant previous infringements, including infringements under the Data Protection Directive (not just the GDPR), as well as compliance with past administrative corrective actions under the GDPR.
Cooperation
Whether the firm cooperated with the supervisory authority to discover and remedy the infringement.
Data category
What type of personal data the infringement affects.
Notification
Whether the firm or a designated third party proactively reported the infringement to the supervisory authority.
Certification
Whether the firm followed approved codes of conduct or was previously certified.
Aggravating/mitigating factors
Any other issues arising from circumstances of the case, including financial benefits gained or losses avoided as a result of the infringement.
Where do most companies struggle with compliance, and what are the most common GDPR violations?
Communicating openly about data processing with subjects, establishing a legal basis for processing, and implementing proper security measures seem to provide the most challenging GDPR hurdles for today’s companies. Common violations include non-compliance with general data processing principles (often resulting from a lack of communication with the subject), insufficient legal basis for data processing, and inadequate technological or organizational measures to ensure information security.
In 2020, Google received a fine of 50 million, and Telecom £27 million for failing to disclose how they processed a subject’s data in addition to lacking a legal basis for processing the data. Another global giant, H&M, was fined £35 million for lacking the legal grounds to process a customer’s personal data.
How does GDPR fit into your overall compliance program?
Your organization may need to abide by GDPR, country-specific privacy regulations, and state-specific regulations. There may be additional industry data protection regulations you have to follow if you serve the healthcare sector or handle financial data. How do you keep track of all these disparate yet somewhat similar regulations? The key is to develop an enterprise-wide approach to continuously managing privacy risks.
If you are operating in multiple geographic locations, taking a transactional (i.e., one regulation at a time) approach to privacy isn’t sustainable or cost-effective. You’ll likely end up duplicating effort as different teams, regions, or business units work in silos.
A regulatory-agnostic approach begins with your organization identifying its core priorities for privacy and then selecting the controls and frameworks, focusing on addressing these prioritized principles.
The NIST Privacy Framework can provide an excellent foundation for building and mapping your controls to comply with specific regulatory requirements. Be sure to clearly define roles and responsibilities for framework implementation and create a centralized, single-source-of-truth evidence repository when taking a regulatory-agnostic approach to compliance management.
10 General Tips and Strategies for Implementing GDPR
1. Raise awareness
GDPR compliance awareness must be ingrained in your company’s culture. Start by implementing an in-house training program to educate all employees on “privacy protection by design and default” and their specific roles and responsibilities in achieving GDPR compliance.
2. Assign roles
Compliance takes time, work, and a team effort, so spread the responsibility across your organization by assigning specific roles to every employee. Designate a Data Protection Officer, even if one isn’t required, because having a dedicated leader overseeing your GDPR compliance effort is critical to staying on track.
3. Identify your data
Create a comprehensive list of all data your organization stores and processes, where it is located, who has access to it, how it’s processed, and the legal basis for processing.
4. Regularly review data governing practices
Start by ensuring you have a clear and current in-house privacy policy outlining all rules, guidelines, and procedures in place to safeguard personally identifiable information (PII). Make sure your policy and governing practices stress accountability and transparency for all data processing activities, paying close attention to practices involving children’s data.
5. Practice security by design and default
Keeping subject PII safe is critical for GDPR compliance, so be sure to implement both technological and organizational measures to ensure the security of all your data. Encryption is an example of a control that all teams should employ. If data is encrypted and a breach occurs, the law only requires you to notify the Information Commissioner’s Office (ICO) rather than each owner of the data. Remember to conduct regular data protection impact assessments to monitor the effectiveness of your security controls and compliance management program.
6. Address breaches quickly and openly
Be sure to have a clearly defined process in place to rapidly detect, investigate, report, and remediate breaches. This process must include informing authorities and data subjects of the event as soon as possible.
7. Be data subject friendly
Set up internal policies and processes to prioritize the privacy rights of data subjects. Go above and beyond making sure subjects can view, access, change, transport, or delete their data and respond quickly to all data subject inquiries or requests. Keeping lines of communication open with subjects is critical for achieving the level of transparency required for privacy compliance.
8. Automate processes whenever possible
GDPR compliance involves managing lots of account information, often much more than manual practices can handle. Implement automated processes to handle subject information requests, email, and marketing tasks that require a faster response.
9. Monitor third parties for adherence to contracts
Sign contracts with all third-party partners and vendors who may process subject PII on your business’s behalf, ensuring they are aware of and compliant with GDPR.
10. Utilize GDPR compliance tools
Achieving and maintaining GDPR compliance can tax your company’s resources, so consider the benefits of engaging GDPR compliance software tools to ease the burden. Software tools can help with data discovery, consent management, driving accountability for the ongoing performance of foundational privacy activities, and retaining evidence to back up compliance assertions your organization has made (to reduce your legal liability).
Hyperproof for GDPR Compliance
Hyperproof is a powerful compliance operations platform designed to help you abide by GDPR and a host of other privacy regulations in the most efficient way possible.

Hyperproof partners with professional service firms with proven track records and deep expertise in helping organizations get GDPR ready. Our partners help customers design their compliance programs, build them out, and conduct readiness assessments to ensure there are no surprises when the audit occurs. If you need a referral, we’d love to talk.