The General Data Protection Regulation, or GDPR, has become top-of-mind for organizations around the world. Indeed, according to PwC’s Preparedness Pulse Survey, 92 percent of organizations consider GDPR compliance a top priority on their data-privacy and security agenda, with over half saying it’s “the” top priority and 38 percent saying it’s “among” top priorities.

For the 8 percent who don’t consider it a priority, GDPR is a new privacy regulation in Europe that protects the personal data for any individual based in the European Union, regardless of citizenship or where the data is being held. It applies to any organization located inside or outside the EU if they offer goods or services to, or monitor the behavior of, EU data subjects.

This regulation will be enforced in May 2018 and outlines strict fines for those companies found to be out of compliance. With the deadline looming, now is the time for organizations to begin to establish a process for adhering to the necessary requirements.

This regulation is not to be taken lightly and should be viewed as a mandate, versus a mere suggestion. Strict fines will be applied to those companies found to be out of compliance. With a maximum fine of “up to 4 percent of annual global turnover for breaching GDPR or €20 million” (whichever is higher), organizations of any size will be significantly impacted by non-compliance. Many organizations have already started down the path to compliance – but for those dragging their feet, time is running out.

There are four critical areas that companies need to be mindful of when mapping out their approach to GDPR compliance, otherwise known as “The 4 Ps of GDPR”: Policies, Procedures, Protocols and People.


Right out of the gate, it will be important to identify a risk team to conduct a privacy assessment. This group should be tasked to evaluate and determine what specific data will fall under the regulation, where that data resides, and how that data moves through the system.

Once an inventory of all of the personal data a company handles is identified, establish a policy for what is to be done with that data to be in compliance with the regulation. You should be asking yourself:

  • Why are we collecting that data?
  • Does the data need to be retained?
  • Did an individual consent to the collection of their personal information?
  • Who has access to that data and why?

There should also be a policy around proper security controls to prevent external or internal exposure of personal information. All potential risks should be categorized and that information should be relayed to data stewards or owners before a specific solution can be put in place.


Under the GDPR umbrella, existing procedures for collecting and storing data will need to be adapted to become fully compliant. In some cases, this may require a complete overhaul of existing procedures. In others, it may be determined that the information that has been retained is now not required, thus eliminating some procedures altogether.

Examples of well established procedures that will need to be reexamined include: Informing individuals when and why personal data is collected; requesting that individuals give explicit consent to retain personal information; setting up additional user access roles to prevent non-essential people from viewing sensitive data; and enabling masking or encryption of data where necessary.


It will also be very important to develop a protocol that defines how you will will handle situations when individuals want to invoke GDPR. There are many areas to consider around this, including:

  • Who will be responsible for handling inbound requests?
  • What is the procedure for addressing said request?
  • What are the cases where information needs to be kept for legal, business or other reasons?

Be sure that each area is thoroughly considered and the protocol is clearly communicated to all key stakeholders.


Your greatest assets are your people. Don’t leave them in the dark about this process. Educate your customers, vendors, and employees about GDPR and let them know about the policies, procedures and protocols that you are defining to safeguard their personal information. Let them know how much you value their privacy and your role as the custodian of their personal data. Be sure to give them peace of mind that you are taking the regulation seriously and approaching it carefully and swiftly.

In the end, they will thank you, and your organization can take solace in the fact that you are now in full compliance.

Register or login for access to this item and much more

All Information Management content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access