In Effect Since May 25, 2018 - Compliance Required Now

Your 8-Step Path to GDPR Compliance

Complete implementation roadmap for achieving GDPR compliance. From data mapping to breach response, this guide walks you through every requirement with practical timelines and expert guidance.

Start with Gap Analysis Check Your Website Cookies

GDPR Implementation Timeline

GDPR has been in effect since 2018, but many organizations still need comprehensive compliance programs. Most implementations take 4-8 months for full compliance.

1-3

Weeks 1-3

Data Mapping & Assessment

4-10

Weeks 4-10

Legal Basis & Privacy Policies

11-20

Weeks 11-20

Rights & Security Implementation

21+

Week 21+

Governance & Monitoring

Proven Standards Framework for GDPR Compliance

ENISA recommends building GDPR compliance on established international standards. This structured approach provides clear implementation guidance while ensuring comprehensive privacy protection.

ENISA Guidance - EU Authority Recommendation

The European Union Agency for Cybersecurity (ENISA) provides authoritative guidance on implementing GDPR requirements using international standards. This framework ensures alignment with EU regulatory expectations and implementation best practices.

Privacy Information Management

Build formal privacy governance framework

ISO/IEC 27701 PIMS (Primary)

Privacy Information Management System extending ISO 27001 with privacy-specific controls for comprehensive GDPR alignment.

• Privacy governance and risk management
• Data subject rights implementation framework
• Privacy by design and default controls
• Incident management for privacy breaches

ISO/IEC 27001 ISMS (Foundation)

Information Security Management System providing governance backbone for privacy protection.

• Risk-based management approach
• Continuous improvement cycle (Plan-Do-Check-Act)
• Management commitment and resource allocation

ISO/IEC 27002 Security Controls

Detailed security controls for Article 32 "Security of Processing" requirements.

• Access control and authentication
• Encryption and data protection
• Vulnerability management

Best for: Large organizations, public authorities, or entities requiring formal certification and comprehensive privacy governance frameworks.

Privacy Impact Assessment

Systematic risk assessment for high-risk processing

ISO/IEC 29134 DPIA (Core)

Structured Privacy Impact Assessment methodology aligning with GDPR Article 35 requirements.

• Systematic risk identification and assessment
• High-risk processing activity evaluation
• Mitigation measures and residual risk management
• Stakeholder consultation framework

Privacy by Design Integration

Proactive privacy protection built into systems and processes from inception.

• Privacy as the default setting
• End-to-end security lifecycle
• User-centric design principles

ENISA Guidelines Application

EU-specific interpretation and practical implementation guidance.

• Regulatory authority expectations
• Best practices from EU case studies
• Cross-border transfer requirements

Best for: Organizations with high-risk processing activities, innovative data use cases, or complex data sharing arrangements requiring detailed risk assessment.

These frameworks can be integrated - ISO 27701 PIMS with ISO 29134 DPIA provides comprehensive coverage

Complete GDPR Implementation Roadmap

Follow these 8 proven steps to achieve full GDPR compliance. Each step builds on the previous one, ensuring you create a comprehensive privacy program that protects personal data and meets regulatory requirements.

Step 1 Intermediate

1. Establish ISO 27701 PIMS Foundation

Build Privacy Information Management System extending your ISO 27001 framework

Key Actions

Implement ISO 27701 PIMS controls building on ISO 27001 foundation
Map all personal data processing activities per ISO 27701 requirements
Document data flows and processing purposes with PIMS methodology
Establish privacy governance structure per PIMS framework

Available Tools

ISO 27701 Compliance Mapper PIMS Assessment Tool Data Flow Diagram

Real Examples

Customer emails from contact forms Payment data from checkout Website analytics cookies

Timeline: 4-6 weeks

Learn More

Step 2 Intermediate

2. Establish Legal Basis for Processing

Ensure you have valid legal grounds for collecting and using personal data

Key Actions

Identify legal basis for each type of data processing
Update privacy policies with clear legal basis statements
Implement consent mechanisms where needed
Document legitimate interests assessments

Available Tools

Legal Basis Checker Consent Manager Privacy Policy Generator

Real Examples

Consent for marketing emails Contract basis for order processing Legitimate interest for fraud prevention

Timeline: 3-6 weeks

Learn More

Step 3 Intermediate

3. Implement Data Subject Rights

Set up processes to handle individual requests about their personal data

Key Actions

Create procedures for access requests (right to know)
Set up data rectification and erasure processes
Implement data portability for data export
Establish objection and restriction handling

Available Tools

Rights Management System Request Forms Response Templates

Real Examples

Download my data button Delete my account process Unsubscribe from marketing

Timeline: 4-8 weeks

Learn More

Step 4 Advanced

4. Implement Privacy by Design with ISO 29134

Build privacy protection using structured DPIA methodology

Key Actions

Implement ISO 29134 Privacy Impact Assessment methodology
Apply privacy-friendly defaults per ISO 27701 PIMS controls
Implement data minimization using structured risk assessment
Set up automatic data retention per ISO 27701 guidelines

Available Tools

ISO 29134 DPIA Template PIMS Privacy Checklist Retention Policy Builder

Real Examples

Default privacy settings Automatic account deletion Minimal data collection forms

Timeline: 6-12 weeks

Learn More

Step 5 Advanced

5. Implement ISO 27001/27002 Security Controls

Secure personal data per Article 32 using proven security framework

Key Actions

Apply ISO 27002 security controls for personal data protection
Implement encryption in transit and at rest per ISO 27001 requirements
Establish access controls using ISO 27002 guidelines
Conduct regular security assessments per ISO 27001 methodology

Available Tools

ISO 27002 Security Mapper Encryption Implementation Guide ISMS Training Materials

Real Examples

Database encryption Two-factor authentication Employee privacy training

Timeline: 4-8 weeks

Learn More

Step 6 Intermediate

6. Manage Third-Party Processors

Ensure vendors and partners also protect personal data properly

Key Actions

List all vendors who process personal data
Sign data processing agreements (DPAs) with each vendor
Assess vendor security and privacy practices
Monitor vendor compliance regularly

Available Tools

Vendor Assessment Form DPA Templates Compliance Monitor

Real Examples

Cloud provider DPA Email service agreement Analytics tool contract

Timeline: 3-6 weeks

Learn More

Step 7 Intermediate

7. Set Up Data Governance

Create oversight and accountability for data protection across your organization

Key Actions

Appoint a Data Protection Officer (if required)
Assign data protection responsibilities to staff
Create regular privacy compliance reviews
Document all data protection policies and procedures

Available Tools

DPO Assessment Governance Framework Policy Templates

Real Examples

Monthly privacy reviews Data protection training Incident response team

Timeline: 2-4 weeks

Learn More

Step 8 Intermediate

8. Prepare for Data Breaches

Create processes to detect, respond to, and report data breaches within 72 hours

Key Actions

Define what counts as a personal data breach
Create step-by-step breach response procedures
Set up 72-hour reporting to supervisory authorities
Prepare breach notification templates for data subjects

Available Tools

Incident Response Plan Breach Assessment Tool Notification Templates

Real Examples

Breach detection system Authority notification form Customer breach notice

Timeline: 2-3 weeks

Learn More

GDPR Quick Reference

Key deadlines, requirements, and penalties at a glance

Critical Deadlines

• 72 hours: Breach notification to authorities
• 1 month: Respond to data subject requests
• 2 months: Extended response for complex requests
• Ongoing: Continuous compliance required

Core Requirements

• Lawful basis for data processing
• Data subject rights implementation
• Privacy by design and default
• Data protection impact assessments
• Breach notification procedures

Maximum Penalties

• Tier 2: €20M or 4% revenue
• Tier 1: €10M or 2% revenue
• Data processing bans
• Individual compensation claims

Supporting Tools and Resources

Everything you need to implement and maintain GDPR compliance

ISO 27701 PIMS Mapper

Map GDPR requirements to ISO 27701 privacy controls

Access tool

Privacy Policy Generator

Create compliant privacy policies for your website

Access tool

Cookie Checker

Audit your website cookies for GDPR compliance

Access tool

Data Audit Tool

Comprehensive audit of your data processing activities

Access tool

Breach Response Kit

Templates for 72-hour breach notification requirements

Access tool

DPO Assessment

Check if you need a Data Protection Officer

Access tool

Article Article 25 ·

View on EUR-Lex

Available Now

In Development

Get notified when new content is ready

Available Content

Available Content

Your 8-Step Path to GDPR Compliance

GDPR Implementation Timeline

Weeks 1-3

Weeks 4-10

Weeks 11-20

Week 21+

Proven Standards Framework for GDPR Compliance

ENISA Guidance - EU Authority Recommendation

Privacy Information Management

ISO/IEC 27701 PIMS (Primary)

ISO/IEC 27001 ISMS (Foundation)

ISO/IEC 27002 Security Controls

Privacy Impact Assessment

ISO/IEC 29134 DPIA (Core)

Privacy by Design Integration

ENISA Guidelines Application

Complete GDPR Implementation Roadmap

1. Establish ISO 27701 PIMS Foundation

Key Actions

Available Tools

Real Examples

2. Establish Legal Basis for Processing

Key Actions

Available Tools

Real Examples

3. Implement Data Subject Rights

Key Actions

Available Tools

Real Examples

4. Implement Privacy by Design with ISO 29134

Key Actions

Available Tools

Real Examples

5. Implement ISO 27001/27002 Security Controls

Key Actions

Available Tools

Real Examples

6. Manage Third-Party Processors

Key Actions

Available Tools

Real Examples

7. Set Up Data Governance

Key Actions

Available Tools

Real Examples

8. Prepare for Data Breaches

Key Actions

Available Tools

Real Examples

GDPR Quick Reference

Critical Deadlines

Core Requirements

Maximum Penalties

Supporting Tools and Resources

ISO 27701 PIMS Mapper

Privacy Policy Generator

Cookie Checker

Data Audit Tool

Breach Response Kit

DPO Assessment

❓ GDPR Still Confusing?

We use cookies