Since GDPR enforcement began in May 2018, supervisory authorities across Europe have issued over €4.5 billion in fines. The largest single penalty — €1.2 billion against Meta in 2023 — made headlines. But the fines that matter most to most organizations are the smaller ones: €100,000 against a hotel chain for poor consent practices, €300,000 against a hospital for inadequate access controls. These are the fines that reflect the day-to-day reality of GDPR enforcement.
GDPR applies to organizations established in the EU, and to organizations outside the EU that offer goods or services to people in the EU or monitor their behaviour, regardless of where the organization is based (Article 3). A company in Singapore that operates an e-commerce store serving European customers is subject to GDPR. Compliance is not optional, and "we did not know it applied to us" has never been a successful defense.
Step 1: Map Your Data Before You Do Anything Else
Every GDPR implementation starts with data mapping, and most organizations are surprised by what they find. Customer email lists, employee HR files, website analytics, CCTV footage, support ticket systems, third-party CRM platforms: all of these involve personal data, and all of them need to be documented in your Record of Processing Activities (ROPA). Article 30 makes the ROPA mandatory for most organizations; the exemption for organizations with fewer than 250 employees falls away as soon as the processing is not occasional, is likely to result in a risk to individuals, or involves special categories of data, which in practice covers nearly everyone.
For each processing activity, you need to capture: what data you hold and which categories of people it concerns, where it came from, what you use it for, who you share it with, where it is stored (including which country, since transfers outside the EU must be recorded), how long you keep it, and a general description of the security measures that protect it. This sounds like a lot. In practice, a structured spreadsheet and two or three workshops with department heads will get most organizations 80% of the way there.
Step 2: Get Your Legal Bases Right
Every processing activity needs a lawful basis. GDPR provides six: consent, contract performance, legal obligation, vital interests, public task, and legitimate interests. The mistake we see most often is defaulting to consent for everything — because it feels safest. It is not.
Important: Consent under GDPR must be freely given, specific, informed, and unambiguous, and it can be withdrawn at any time. In an employment context, consent is almost never appropriate, because employees cannot freely refuse when their job may depend on it. Rely on contract performance, legal obligation or legitimate interests instead. Meta's €390 million fine in January 2023 was the result of relying on the wrong legal basis (contract performance) for behavioural advertising for years; its separate record €1.2 billion fine in May 2023 concerned unlawful transfers of European users' data to the United States, not the choice of legal basis.
The Eight Rights You Must Be Ready to Fulfill
- Right to be informed — clear privacy notices before or at the point of data collection
- Right of access — provide a copy of personal data within one month of request, extendable by two further months only for complex or numerous requests, and the individual must be told about the extension within the first month
- Right to rectification — correct inaccurate or incomplete data without undue delay
- Right to erasure — delete data when no longer necessary or when consent is withdrawn
- Right to restrict processing — pause processing while accuracy or legitimacy is contested
- Right to data portability — provide data in a machine-readable format
- Right to object — stop processing for direct marketing immediately, no exceptions
- Rights related to automated decision-making — individuals may not be subjected to decisions based solely on automated processing that have legal or similarly significant effects, except in narrow cases, and even then they can demand human intervention and contest the decision
Step 3: The 72-Hour Breach Notification Rule
Seventy-two hours is not a lot of time. When a breach occurs, whether a phishing email that compromised staff credentials, a misdirected email containing patient records, or an unsecured database left exposed, the clock starts from the moment your organization "becomes aware," and Article 33 requires notification to the supervisory authority without undue delay and, where feasible, no later than 72 hours after that point. A late notification must be accompanied by reasons for the delay. That means you need a documented breach response process and a named person responsible for it before a breach happens, not after.
Not every breach requires notification to your supervisory authority, only those likely to result in a risk to individuals; where the risk is high, Article 34 additionally requires you to inform the affected individuals themselves without undue delay. But you do need to document every breach, even the ones you decide do not need reporting, and record the facts, the effects and your reasoning. Supervisory authorities check these records during investigations.
Step 4: Data Protection by Design
Article 25 requires organizations to implement data protection by design and by default — meaning privacy considerations need to be built into systems and processes from the start, not retrofitted later. In practice this means: collect only the data you actually need (data minimization), restrict access to those who genuinely need it, and apply appropriate security measures from day one of any new project.
A Data Protection Impact Assessment (DPIA) is mandatory for any processing that is "likely to result in a high risk" — biometric data, large-scale monitoring, systematic profiling. But even when not mandatory, running a lightweight DPIA for new projects is a habit worth building. It costs far less to fix a privacy problem before a system is built than after.
