RESOURCE ARTICLE

Top 10 operational responses to the GDPR

This series presents organizational responses that our members report undertaking in anticipation of GDPR implementation.

In 2016, the Westin Research Center published a series of articles presenting our analysis of the top 10 operational impacts of the EU General Data Protection Regulation. Now, with the May 25, 2018, GDPR-implementation deadline looming, the IAPP is releasing a companion series. This series presents common practical organizational responses that our members report undertaking in anticipation of GDPR implementation.

The IAPP previously released a companion series on the top operational impacts of the GDPR.

Series Overview

Data inventory and mapping
This article explains why conducting a comprehensive data‑inventory and mapping exercise is the essential first step for GDPR compliance, helping organizations understand what personal data they hold, how it flows, and how processing aligns with legal obligations.

Lawful bases for processing
This article outlines the GDPR’s six lawful bases for processing personal data and describes how organizations must determine and document the appropriate basis for each processing activity, cautioning against relying on multiple bases unnecessarily.

Build and maintain a data governance system
This article discusses the importance of establishing strong privacy governance—appointing leadership, creating policies, assigning responsibilities, and training personnel—to ensure coordinated and sustainable GDPR compliance efforts.

Data protection impact assessments and data protection by default and by design
This article explores the GDPR’s risk‑based approach, detailing when DPIAs are required and how organizations must embed data protection by design and default into new processing activities, systems, and tools.

Preparing and implementing data-retention and record-keeping policies and systems
This article explains the GDPR’s strict retention and record‑keeping requirements, emphasizing the need to document processing activities under Article 30 and to delete personal data once it is no longer necessary—despite organizational tendencies to retain data indefinitely.

Transparency and privacy notices
This article analyzes GDPR transparency obligations, describing what organizations must disclose in privacy notices, when notices must be delivered, and how transparency builds trust and accountability under Articles 13 and 14.

Accommodating data subjects’ rights
This article reviews the GDPR’s expanded data‑subject rights—including access, rectification, erasure, portability, objection, and consent withdrawal—and discusses the operational challenges of establishing processes to respond promptly and consistently.

Data breach and the GDPR
This article explains GDPR’s broad definition of personal‑data breaches, outlines steps for breach preparedness and response, and emphasizes the importance of understanding data types to evaluate notification obligations and reduce risk.

Vetting and contracting with processors
This article details GDPR’s stringent requirements for selecting and managing processors, including early privacy involvement, determining controller/processor roles, and ensuring contracts contain mandatory Article 28 terms and appropriate safeguards.

Communicating with supervisory authorities
This article describes how organizations should identify their lead supervisory authority, establish communication channels, and prepare for increased interaction with DPAs under GDPR obligations such as breach notification and consultation.

This content is eligible for Continuing Professional Education credits. Please self-submit according to CPE policy guidelines.

Tags:

Data security, International data transfers, Law and regulation, Privacy engineering, Program management, Regulatory guidance, Risk management, Strategy and governance, Advertising and marketing, Legal, Professional services, Retail, GDPR, Cybersecurity law, Privacy