General Data Protection Regulation (GDPR)

Are you ready for GDPR?

The European Union’s General Data Protection Regulation (GDPR) took effect on May 25, 2018, creating challenges for every organization doing business in the EU before, during and after the deadline.

GDPR: Setting priorities

Any entity targeting or monitoring European citizens must comply with GDPR. As the largest change to data protection legislation in the last 20 years, GDPR gives regulators unprecedented power to impose fines, requiring wide-scale privacy changes across organizations—including US-based companies if they conduct business in Europe.

But GDPR also represents a broad opportunity to:

  • transform your approach to privacy
  • harness the value of your data, and
  • ensure your organization is fit for tomorrow’s digital economy.

This means adapting now. Not all organizations were compliant as of May 2018, but GDPR regulators need to see that robust plans to become compliant are in the works.



PwC's Toby Spry discussed how companies had been setting priorities as the GDPR deadline neared.

How does GDPR affect your organization?

GDPR’s scope and requirements are deep and complex. The regulation requires a programmatic approach to data protection, like “SOX for privacy,” so you should have a defensible program for compliance and be able to prove you’re acting appropriately. Ask your organization these questions:

  • What is our data footprint in the European Union (e.g., data about employees, consumers and clients)?
  • Are we prepared to provide evidence of GDPR compliance to EU or US privacy regulators, who may request it on demand?
  • Do we have visibility of and control over what personal data we collect? How do we use it? With whom do we share it?
  • Do we have a privacy-by-design program, with Privacy Impact Assessments (PIAs), documentation and escalation paths?
  • Do we have a tested breach-response plan that meets GDPR’s 72-hour notification requirement?
  • Have we defined a roadmap for GDPR compliance?
  • Have we identified a Data Protection Officer (DPO) as required by GDPR?
  • Have we adopted a cross-border data transfer strategy?

GDPR program implementation areas

Strategy and governance

Define an overarching privacy program governance structure, roles and responsibilities designed to coordinate, operate and maintain the program on an ongoing basis.

Policy management
Privacy policies, notices, procedures and guidelines are formally documented and consistent with applicable laws and regulations.

Cross-border data transfer
Determine cross-border data transfer strategy based on current and future planned data collection, use and sharing.

Data lifecycle management
Create ongoing mechanisms to identify new personal data processing and use activities, and implement appropriate checkpoints and controls.

Individual rights processing
Enable the effective processing of consent and data subject requests, such as data access, deletion and portability.

Privacy by design
Develop a strategy and playbook for “privacy by design” to incorporate privacy controls and impact assessments throughout the data lifecycle for new and changing data use initiatives.

Information security
Identify existing information security and data protection controls and align security practices with GDPR requirements.

Privacy incident management
Align incident response processes with GDPR specifications and reporting requirements. Establish a triage approach to evaluating potential privacy breaches and incidents.

Data processor accountability
Establish privacy requirements for third parties to mitigate risks associated with access to the organization’s information assets.

Training and awareness
Define and implement a training and awareness strategy at the enterprise and individual level.

Where are you on the GDPR journey?

Your organization may be just getting started, or may already have a GDPR program in place. Here is what happens on the way to compliance.

Conduct a readiness assessment

Gather information to assess your organization’s current GDPR compliance maturity, and to help understand your critical legacy risks.

Find remediation gaps

Identify existing privacy capabilities and the work that needs to be done to bring your organization into GDPR compliance.

Establish oversight

Put your organization’s ongoing GDPR governance structure and model into place to coordinate and implement your remediation activities.

Implement your program

Get your GDPR program off the ground by remediating the identified gaps and establishing an ongoing privacy program.

Conduct operation & monitoring

Once GDPR is in effect and your program is in place, conduct ongoing compliance monitoring to drive continued accountability.



Contact us

Jay Cline

US Privacy Leader, Principal, PwC US

Carolyn Holcomb

Privacy Assurance Leader and ESG Partner, PwC US

Jocelyn Aqua

Principal, Cybersecurity and Privacy, PwC US