Driving GDPR Compliance

The General Data Protection Regulation (GDPR) mandates businesses to make provisions for EU citizens to exercise their right to access and control their personal data, including the export of personal data outside the EU. The GDPR impacts both data controllers (legal entities such as companies) as well as data processors (SaaS providers). The GDPR has been in force since May 25, 2018, and several frameworks have appeared to help companies achieve GDPR compliance. 

But hurriedly planning for the GDPR is not the solution. Considering GDPR compliance as a continuous effort towards comprehensive data privacy will make you future-ready for new regulations or added data channels. 

What does a successful GDPR implementation look like?

A successful GDPR compliance focuses on three key aspects: 

  1. People and processes to manage the security and privacy of customer data. All data must be compliant within 30 days of the completed customer transactions.
  2. Workflows to provide access and control of personal data to customers.
  3. Consent from customers or data subjects to collect personal data. You need to describe:
    • What kind of data do you collect?
    • Why do you collect this data?
    • Who owns this data internally?
    • How do you store and process the data?
    • For how long will you retain the data?
    • What data do you share with third parties, and for what purpose?
    • Whether you export data outside the EU and for what purpose?
    • What controls do you have in place?
    • What is the impact of a breach?

The compliance efforts are driven by how you manage customer data privacy and how you make data available to customers in a secure way. To launch an effective enterprise-wide GDPR implementation, you need to put data and data privacy at the center of your GDPR compliance strategy. 

The bottom-up approach to a sustainable GDPR strategy

Organizations typically have their own challenges in managing data and domain-specific or region-specific compliances. GDPR adds more granular and secure data governance requirements. A bottom-up approach ensures that you strategize focusing on data and manage data privacy along its entire journey with the right processes. 

A sustainable privacy-driven data governance strategy helps much more than meeting the requirements of GDPR. It helps customize data governance to your unique risks and threats, aligning with your priority privacy use cases.  A strategic approach prepares you for any future regulations that may require more strict controls and more complex workflows. It also makes you ready to implement privacy measures quickly when introducing new campaigns or new channels for collecting data.   

Six phases of GDPR compliance

Achieving GDPR compliance works best with a plan of phased activities. You begin by generating awareness about the regulation. Then you move on to understanding specific details and implementing the sustainable strategy of privacy-driven data governance. The following six phases ensure enterprise-wide participation in all the key aspects to deliver continued compliance. 

Step 1: Generate awareness

Generating awareness within the organization is critical to ensure that all stakeholders and decision-makers are fully committed to GDPR compliance. The awareness step also involves assessing the personal data you hold, its flows, and with whom you share it. Collibra provides complete intelligence on the enterprise-wide inventory of personal data assets, bringing visibility into the data journey.

Step 2: Understand individuals’ rights

The GDPR defines personal data as any information that relates to an identified or identifiable living natural person called a data subject. Any unrelated pieces of information or encrypted data that can lead to identifying a data subject is also personal data. Data subjects have rights to access, view, and request changes or deletion to their personal data. Processing and exporting personal data requires explicit consent from the data subjects. For children, consent is required from parents or guardians.

Step 3: Communicate privacy information

When collecting personal data under the GDPR, you must inform the data subjects about your privacy policy, describing how and why you collect the data. With Collibra, you can easily capture privacy notices and when they are sent. Collibra enables you to track separate privacy notices for separate groups of data subjects.  

Step 4: Evaluate personal data processing

For GDPR compliance, you must identify and declare the legal basis for the personal data processing you carry out. Collibra enables you to document the legal basis for processing personal data. You can leverage the streamlined, collaborative workflows for efficiently managing personal data documentation and access.

Step 5: Assess data protection impact

GDPR compliance requires that you assess the impact of a data breach on your organization and implement procedures to detect, report, and investigate a personal data breach. You can leverage Collibra to conduct Data Privacy Impact Assessments. 

Step 6: Choose Privacy by Design 

Collibra  embeds Privacy by Design, supporting role-based permissioning for compliant data access practices. In addition, data minimization and retention principles are automatically applied to privacy operations including when sharing or deleting personal data, for example, as part of a data subject request. 


Driving GDPR compliance is an opportunity to understand and trust your data. A sustainable bottom-up data privacy strategy and comprehensive data platform prepare you for the current as well as the future data protection regulations. With Collibra’s privacy by design, you can proactively leverage customer data for better engagement and a superior experience.

Related resources


6 typical GDPR questions explained

View all resources

More stories like this one

Nov 28, 2023 - 5 min read

Q4 2023 Collibra release: helping customers reduce data risks and improve...

Read more
Jun 23, 2023 - 4 min read

Privacy in an open-data world: Why government agencies need to be proactive

Read more
Jan 25, 2022 - 3 min read

Gaining control of personal information ahead of CPRA

Read more