
9 steps for implementing GDPR

Implementation of the European General Data Protection Regulation (GDPR) can be complex and challenging. As you implement, it is important to understand whether your plan is heading in the right direction. Let us go through the key GDPR implementation steps that your project must include.

As the checklist is closely linked to GDPR requirements and principles, you can read these articles: A summary of 10 key GDPR requirements and Understanding 6 key GDPR principles.

1) Prepare for your GDPR project.

2) Define your Personal Data Policy and other top-level documents.

  • Create an internal Data Protection Policy for personal data.
  • Create other top-level policies as needed – e.g., the Data Retention Policy.
  • Create awareness among employees about key GDPR requirements.
  • Make a decision with regard to the assignment of a Data Protection Officer, and make sure the decision is documented.
  • If required, appoint a Data Protection Officer and communicate their name to the Supervisory Authority.
  • See also: The role of the DPO in light of the General Data Protection Regulation


3) Create an inventory of processing activities.

  • List your processing activities and how these map to legitimate purposes defined in GDPR.
  • Be sure your company has published the necessary privacy notices for data subjects.

4) Define an approach to manage data subject rights.

5) Implement a Data Protection Impact Assessment (DPIA).

6) Secure personal data transfers.

  • Analyse what personal data is being transferred outside of your company, and when.
  • Take necessary legal and security measures to adequately protect personal data when personal data is transferred outside of the company.

7) Amend third-party contracts.

  • Amend third-party contracts that include processing of personal data to become compliant with the GDPR.

8) Ensure the security of personal and sensitive data.

9) Define how to handle data breaches.

  • Set up the processes to identify and handle personal data breaches.
  • Prepare for notifications to the Supervisory Authority and data subjects, if required, in the case of a personal data breach.
  • See also: 5 steps to handle a data breach according to GDPR


Depending on the results of the readiness assessment you performed at the beginning of your project, you might not need all the steps that are displayed here; however, if you have no privacy protection in place, it is likely that you will have to perform all the mentioned steps.

In any case, make sure you have implemented all the relevant steps – otherwise, you might have to pay some rather high fines for being non-compliant.

Download this free Checklist of Mandatory Documentation Required by EU GDPR and learn how to structure each document according to the EU GDPR.

To learn more about the biggest priorities to comply with GDPR on time, see this article.


Punit Bhatia

Punit Bhatia is a senior professional with more than 18 years of experience in executing change and leading transformation initiatives. Across three continents, Punit has led projects and programs of varying complexity in business and technology. He has experience on both sides of the table in a variety of industries, serving as a consultant who worked for IT consulting companies, and as a key influencer and driver who has defined and delivered change for large enterprises.