EU GDPR Knowledge base

'. get_the_author_meta('first_name'). ' '.get_the_author_meta('last_name').'

9 steps for implementing GDPR

Author: Punit Bhatia

Implementation of the European General Data Protection Regulation (GDPR) can be complex and challenging. As you implement, it is important to understand if your plan is going in the right direction or not. Let us go through the key GDPR implementation steps that your project must include.

As the checklist is closely linked to GDPR requirements and principles, you can read these articles: A summary of 10 key GDPR requirements and Understanding 6 key GDPR principles.

1) Prepare for your GDPR project.

2) Define your Personal Data Policy and other top-level documents.

  • Create an internal Data Protection Policy for personal data.
  • Create other top-level policies as needed – e.g., the Data Retention Policy.
  • Create awareness among employees about key GDPR requirements.
  • Make a decision with regard to the assignment of a Data Protection Officer, and make sure the decision is documented.
  • If required, appoint a Data Protection Officer and communicate their name to the Supervisory Authority.
  • See also: The role of the DPO in light of the General Data Protection Regulation

3) Create an inventory of processing activities.

  • List your processing activities and how these map to legitimate purposes defined in GDPR.
  • Be sure your company has published the necessary privacy notices for data subjects.

4) Define an approach to manage data subject rights.

5) Implement a Data Protection Impact Assessment (DPIA).

6) Secure personal data transfers.

  • Analyse what personal data is being transferred outside of your company, and when.
  • Take necessary legal and security measures to adequately protect personal data when personal data is transferred outside of the company.

7) Amend third-party contracts.

  • Amend third-party contracts that include processing of personal data to become compliant with the GDPR.

8) Ensure the security of personal and sensitive data.

9) Define how to handle data breaches.

  • Set up the processes to identify and handle personal data breaches.
  • Prepare for notifications to the Supervisory Authority and data subjects, if required, in the case of a personal data breach.
  • See also: 5 steps to handle a data breach according to GDPR


Depending on the results of the readiness assessment you performed at the beginning of your project, you might not need all the steps that are displayed here; however, if you have no privacy protection in place, it is likely that you will have to perform all the mentioned steps.

In any case, make sure you have implemented all the relevant steps – otherwise, you might have to pay some rather high fines for being non-compliant.

Use this Conformio compliance software to guide you through your EU GDPR compliance project.

If you enjoyed this article, subscribe for updates

Improve your knowledge with our free resources on EU GDPR regulations.

You may unsubscribe at any time.

For more information on what personal data we collect, why we need it, what we do with it, how long we keep it, and what are your rights, see this Privacy Notice.

Leave a Reply

Your email address will not be published. Required fields are marked *

Andrei Hanganu
Lead EU GDPR Expert


Upcoming free webinar
Privacy Notices under the EU GDPR
Wednesday – November 27, 2019



  • Advisera is Exemplar Global Certified TPECS Provider for the IS, QM, EM, TL and AU Competency Units.
  • ITIL® is a registered trade mark of AXELOS Limited. Used under licence of AXELOS Limited. All rights reserved.
  • DNV GL Business Assurance is one of the leading providers of accredited management systems certification.