General Data Protection Regulation

GDPR compliance implementation guide

The EU General Data Protection Regulation is the world's strongest data privacy law. Wherever in the world you process EU residents' data, we help you implement data subject rights, DPIAs, breach notification and accountability with clear processes and evidence.

What is GDPR?

The General Data Protection Regulation (EU) 2016/679 is a comprehensive data protection law that came into force on May 25, 2018. GDPR applies to any organization processing personal data of individuals in the European Union, regardless of where the organization is located.

Why this matters: GDPR has extraterritorial reach and enforceable penalties up to €20 million or 4% of global annual revenue. It sets the global standard for data privacy and influences privacy laws worldwide.

Enforceable: significant penalties for violations

Extraterritorial: applies globally to EU data processing

Complements EU AI Act compliance and aligns with ISO 42001 data governance.

Who needs GDPR compliance?

Any organization processing EU personal data

Applies regardless of location if you process data of EU residents

AI companies processing user data

AI systems using personal data for training or decision-making

Cloud service providers

SaaS, PaaS, IaaS providers storing or processing EU data

Marketing & AdTech companies

Organizations using personal data for targeting or profiling

Healthcare & HR systems

Processing special categories of sensitive personal data

E-commerce & online platforms

Collecting customer data for transactions or services

How VerifyWise supports GDPR compliance

VerifyWise provides a GDPR compliance preset that combines data protection and anti-discrimination obligations into a single structured workflow.

GDPR requirement and the corresponding VerifyWise coverage:

  • Data Protection Impact Assessment: structured checklist item for DPIA completion and documentation
  • Automated decision-making justification: checklist item for documenting legal basis and necessity under Article 22
  • Protected characteristic assessment: pre-configured categories for age, disability, gender, race, religion, sex, and sexual orientation
  • Human review procedures: dedicated checklist item for documenting human oversight and review processes

Additional compliance capabilities

Data processing inventory and records

Maintain comprehensive records of all processing activities (Article 30). Document lawful basis, data categories, retention periods and third-party transfers for each processing operation. VerifyWise generates GDPR-compliant records that satisfy supervisory authority audits.

Addresses: Article 30: Records of processing activities

Data Protection Impact Assessments (DPIAs)

Conduct structured DPIAs for high-risk processing activities using guided workflows (Article 35). Assess necessity, proportionality, risks to data subjects and mitigation measures. Track DPIA status and prior consultation requirements automatically.

Addresses: Article 35: Data Protection Impact Assessment

Data subject rights management

Handle all eight data subject rights with structured workflows and audit trails. Track requests for access, rectification, erasure, restriction, portability and objection. Generate compliant responses within the 30-day deadline.

Addresses: Articles 15-22: Data subject rights

Breach notification and incident response

Manage data breaches with automated workflows for 72-hour supervisory authority notification (Article 33) and data subject communication (Article 34). Document breach assessment, impact evaluation and remediation actions.

Addresses: Articles 33-34: Breach notification requirements

Consent management and legal basis tracking

Document lawful basis for each processing activity (Article 6). For consent-based processing, maintain proof of freely given, specific, informed and unambiguous consent. Track withdrawal requests and processing cessation.

Addresses: Article 6: Lawfulness of processing, Article 7: Consent

Third-party processor and transfer governance

Manage processor contracts with GDPR-required clauses (Article 28). Track international transfers using Standard Contractual Clauses, adequacy decisions or derogations (Chapter V). Maintain transfer impact assessments for non-adequate countries.

Addresses: Article 28: Processor requirements, Articles 44-50: Transfers

All GDPR compliance activities are tracked with timestamps, assigned owners and approval workflows. This audit trail demonstrates accountability and systematic compliance rather than documentation created after the fact.

Complete GDPR principles coverage

VerifyWise provides dedicated tooling for all GDPR principles and requirements.

  • 8 core GDPR principles
  • 21 related articles with dedicated tooling
  • 100% coverage across all principles

Lawfulness, fairness, transparency (5/5)

Legal basis, fair processing, transparent communication

Purpose limitation (3/3)

Specified purposes, compatible use, documentation

Data minimization (2/2)

Adequate, relevant, limited data collection

Accuracy (2/2)

Accurate data, timely updates, erasure of inaccurate data

Storage limitation (2/2)

Retention periods, archiving criteria, deletion

Integrity & confidentiality (3/3)

Security measures, protection against unauthorized access

Accountability (4/4)

Demonstrate compliance, records of processing, governance

Built for GDPR compliance from the ground up

Article 30 records automation

Generate compliant records of processing activities

Data subject rights workflows

Handle all 8 rights with 30-day deadline tracking

72-hour breach notification

Automated workflows for Articles 33-34 compliance

Multi-framework mapping

Crosswalk to EU AI Act and ISO 42001 requirements

Eight GDPR principles

Core principles that govern all personal data processing under GDPR

Lawfulness, fairness & transparency

Process personal data lawfully, fairly and in a transparent manner. Identify legal basis and communicate processing to data subjects clearly.

  • Documented lawful basis for each processing activity
  • Fair processing without deception or coercion
  • Transparent privacy notices in clear language
  • Accessible information about processing
  • Data subject rights communication

Purpose limitation

Collect data for specified, explicit and legitimate purposes. Do not process for incompatible purposes without new consent.

  • Specified purposes documented before collection
  • Explicit communication of purposes
  • Legitimate purposes aligned with expectations
  • Compatibility assessment for new uses
  • Further processing restrictions

Data minimization

Collect only data that is adequate, relevant and limited to what is necessary for the stated purposes.

  • Necessity assessment for each data element
  • Adequate data to achieve purposes
  • Relevant data without excessive collection
  • Regular review of data collected
  • Minimization by design

Accuracy

Maintain accurate and up-to-date personal data. Erase or rectify inaccurate data without delay.

  • Regular data accuracy reviews
  • Timely updates when inaccuracies identified
  • Erasure of inaccurate data
  • Data subject rectification rights
  • Accuracy verification procedures

Storage limitation

Keep personal data only as long as necessary for the specified purposes. Define retention periods and deletion procedures.

  • Documented retention periods by data category
  • Justified retention based on purpose
  • Deletion or anonymization after retention
  • Archiving criteria for longer retention
  • Regular deletion reviews

Integrity & confidentiality

Process data securely to protect against unauthorized access, loss, destruction or damage. Implement appropriate technical and organizational measures.

  • Security measures appropriate to risk
  • Protection against unauthorized access
  • Prevention of data loss or damage
  • Encryption and pseudonymization where appropriate
  • Regular security testing and evaluation

Accountability

Demonstrate compliance with all GDPR principles. Maintain documentation, implement governance and ensure ongoing compliance.

  • Records of processing activities
  • Data protection policies and procedures
  • Staff training and awareness
  • DPIAs for high-risk processing
  • Evidence of compliance measures

Privacy by design & default

Implement data protection from system design onwards. Process only necessary data by default. Build privacy into all processing operations.

  • Privacy integrated in system design
  • Data protection as default setting
  • Minimal data processing by default
  • Privacy-enhancing technologies
  • Regular privacy reviews

Eight data subject rights

GDPR grants individuals comprehensive rights over their personal data

Right of access

Data subjects can request confirmation of processing and obtain a copy of their personal data.

Article 15

Requirements

  • Confirm whether data is processed
  • Provide copy of data
  • Disclose processing purposes
  • Response within 30 days

Right to rectification

Data subjects can request correction of inaccurate personal data and completion of incomplete data.

Article 16

Requirements

  • Correct inaccurate data promptly
  • Complete incomplete data
  • Communicate to recipients
  • Response within 30 days

Right to erasure

Data subjects can request deletion of personal data in specific circumstances (right to be forgotten).

Article 17

Requirements

  • Delete when no longer necessary
  • Consent withdrawn
  • Unlawful processing
  • Legal obligation to erase

Right to restriction

Data subjects can request limitation of processing in specific circumstances while accuracy or lawfulness is verified.

Article 18

Requirements

  • Restrict during accuracy verification
  • Restrict if processing unlawful
  • Mark restricted data
  • Communicate restrictions

Right to data portability

Data subjects can receive their data in a structured, machine-readable format and transmit it to another controller.

Article 20

Requirements

  • Provide data in machine-readable format
  • Allow direct transmission
  • Apply to automated processing
  • Based on consent or contract

Right to object

Data subjects can object to processing based on legitimate interests, direct marketing or research purposes.

Article 21

Requirements

  • Stop processing on objection
  • Prove compelling legitimate grounds
  • Always stop marketing processing
  • Inform about right to object

Rights related to automated decision-making

Data subjects have rights regarding solely automated decisions with legal or significant effects, including profiling.

Article 22

Requirements

  • Right not to be subject to automated decisions
  • Provide human intervention option
  • Explain logic of automated decisions
  • Allow expression of view

Right to withdraw consent

Data subjects can withdraw consent at any time, and withdrawal must be as easy as giving consent.

Article 7(3)

Requirements

  • Easy withdrawal mechanism
  • Clear withdrawal instructions
  • Stop processing on withdrawal
  • Inform about right before consent

26-week implementation roadmap

A practical path to GDPR compliance with clear milestones

Phase 1 (Weeks 1-6)

Foundation & gap analysis

  • Appoint Data Protection Officer (if required)
  • Conduct GDPR readiness assessment
  • Create data processing inventory
  • Identify high-risk processing activities
  • Review existing privacy notices

Phase 2 (Weeks 7-14)

Documentation & policies

  • Document lawful basis for all processing
  • Update privacy notices and policies
  • Create Records of Processing Activities (Article 30)
  • Implement data subject rights procedures
  • Develop DPIA process and templates

Phase 3 (Weeks 15-22)

Technical & organizational measures

  • Implement security measures appropriate to risk
  • Deploy privacy by design in new systems
  • Establish breach notification procedures
  • Review processor agreements and contracts
  • Conduct DPIAs for high-risk processing

Phase 4 (Weeks 23-26)

Compliance & continuous monitoring

  • Staff training on GDPR requirements
  • Test data subject rights procedures
  • Implement ongoing compliance monitoring
  • Schedule regular GDPR audits
  • Establish accountability and governance

Enforcement & penalties

GDPR penalties are significant and enforced

GDPR supervisory authorities actively enforce violations with administrative fines reaching into hundreds of millions of euros.

Lower tier violations

Up to €10 million or 2% of global annual revenue

Examples of violations:

  • Failure to maintain records (Article 30)
  • Insufficient security measures (Article 32)
  • Non-compliance with processor requirements (Article 28)
  • Inadequate breach notification to supervisory authority (Article 33)

Higher tier violations

Up to €20 million or 4% of global annual revenue

Examples of violations:

  • Unlawful processing (Articles 5, 6, 9)
  • Violating data subject rights (Articles 12-22)
  • Unauthorized international transfers (Chapter V)
  • Non-compliance with supervisory authority orders (Article 58)

Notable enforcement actions: Amazon (€746M), Meta/WhatsApp (€225M), Google Ireland (€90M), H&M (€35M). Supervisory authorities consider severity, duration, intentionality, categories of data, number of affected individuals and cooperation when determining fines.

Policy templates

Complete GDPR policy repository

Access 37 ready-to-use data protection policy templates aligned with GDPR, EU AI Act and ISO 42001 requirements

Core GDPR policies

  • Data Protection Policy
  • Privacy Notice Templates
  • Consent Management Policy
  • Data Subject Rights Procedures
  • Records of Processing Activities
  • DPIA Policy & Templates
  • Plus 6 more policies

Security & breach

  • Data Security Policy
  • Breach Notification Procedures
  • Incident Response Plan
  • Data Retention & Deletion Policy
  • Access Control Policy
  • Encryption Standards
  • Plus 5 more policies

Processors & transfers

  • Data Processing Agreement
  • Third-Party Vendor Policy
  • International Transfer Policy
  • Standard Contractual Clauses
  • Transfer Impact Assessment
  • Processor Management
  • Plus 4 more policies

Frequently asked questions

Common questions about GDPR compliance implementation

The General Data Protection Regulation (EU) 2016/679 was adopted on April 27, 2016, and became enforceable on May 25, 2018. Organizations had a two-year transition period to achieve compliance. See the full regulation text for complete details.

Yes, GDPR has extraterritorial scope. It applies to any organization processing personal data of individuals in the EU, regardless of where the organization is located. This includes offering goods or services to EU residents or monitoring their behavior. US companies, Asian companies and any global organization must comply if they process EU personal data.

GDPR imposes two tiers of administrative fines. Lower tier violations can result in fines up to €10 million or 2% of global annual revenue (whichever is higher). Higher tier violations can result in fines up to €20 million or 4% of global annual revenue (whichever is higher). Supervisory authorities consider factors like severity, duration, intentionality and cooperation when determining penalties.

A controller determines the purposes and means of processing personal data and has primary GDPR compliance responsibility. A processor processes personal data on behalf of the controller under contract. For example, a SaaS company using AWS is typically the controller, while AWS acts as the processor. Both have specific GDPR obligations, but controllers have broader accountability.

Article 37 requires a DPO when: (1) processing is carried out by a public authority, (2) core activities involve regular and systematic monitoring of data subjects at large scale, or (3) core activities involve large-scale processing of special categories of data. The European Data Protection Board provides detailed guidance on DPO requirements.

Article 6 defines six lawful bases: (1) Consent - freely given, specific, informed and unambiguous; (2) Contract - necessary for contract performance; (3) Legal obligation - required by EU or Member State law; (4) Vital interests - protecting life; (5) Public task - official authority or public interest; (6) Legitimate interests - controller's legitimate interests balanced against data subject rights (not available for public authorities).

Article 35 requires DPIAs for processing likely to result in high risk to data subject rights and freedoms. This includes: systematic and extensive profiling, large-scale processing of special categories of data, and systematic monitoring of public areas at large scale. DPIAs assess necessity, proportionality, risks and mitigation measures. Consult the supervisory authority if high risk cannot be mitigated.

SCCs are standardized contractual terms approved by the European Commission for transferring personal data to countries without an adequacy decision (Article 46). Following the Schrems II decision, you must also conduct a Transfer Impact Assessment to evaluate whether the recipient country provides adequate protection. See the European Commission page for updated SCCs.

Article 12 requires responses to data subject rights requests without undue delay and within one month of receipt. This can be extended by two additional months for complex or numerous requests, but you must inform the data subject of the extension and reasons within the first month. The clock starts when you receive the request and verify the requester's identity.

Article 17 grants data subjects the right to erasure (right to be forgotten) in specific circumstances: data no longer necessary for original purpose, consent withdrawn with no other lawful basis, objection to processing, unlawful processing, legal obligation to erase, or data collected from children for information society services. This right is not absolute - exemptions exist for legal obligations, public interest and legitimate interests.

GDPR and the EU AI Act are complementary. GDPR governs personal data processing, while the EU AI Act regulates AI systems by risk level. AI systems processing personal data must comply with both. For example, an AI hiring tool must satisfy GDPR data subject rights (access, explanation) and EU AI Act requirements (human oversight, transparency). Many obligations overlap and reinforce each other.

Yes, VerifyWise provides comprehensive GDPR compliance tools including Records of Processing Activities (Article 30), DPIA workflows, data subject rights management, breach notification procedures and processor management. We map GDPR requirements to your controls and generate audit-ready documentation. We also provide crosswalks to the EU AI Act and ISO 42001 for integrated compliance.
