
GDPR Compliance Guide 2026: Step-by-Step Framework

Complete GDPR compliance guide for 2026: 11-step framework, ROPA template, DPIA triggers, breach playbook, 2025-2026 enforcement updates and fine benchmarks.

In one sentence. A 2026 GDPR compliance programme is built on 11 concrete deliverables: a Record of Processing Activities (Article 30), a lawful basis register (Article 6), DPIAs for high-risk processing (Article 35), an Article 28 processor register with signed DPAs, a Schrems II transfer map, breach response within 72 hours (Article 33), a data subject rights workflow (Articles 15-22), a retention schedule, security measures (Article 32), staff training, and an annual audit cycle. Recent enforcement (Meta €1.2B in 2023, TikTok €530M in 2025) makes the cost of skipping any of these higher than ever.

This guide consolidates the 2025-2026 enforcement reality (EDPB guidelines, CJEU rulings, and more than €5 billion in cumulative GDPR fines) into a deliverables-based roadmap. It follows the accountability principle of Article 5(2), which requires a controller to be able to demonstrate compliance, and the European Commission's GDPR guidance.

Key takeaways

  • 11 mandatory deliverables — no “GDPR-lite” exists.
  • ROPA (Article 30) is the foundation — every other deliverable depends on it.
  • DPIA is required for processing likely to result in high risk; the nine criteria in the WP29 Guidelines WP248 rev.01 (endorsed by the EDPB) are the practical test.
  • Breach notification deadline is 72 hours to the supervisory authority.
  • Top-tier fines reach €20M or 4% of worldwide annual turnover, whichever is higher (Article 83(5)).
  • 2025 fine total exceeded €2.1 billion across the EEA.

1. Map your data: Record of Processing Activities

The Article 30 ROPA is the spine. It must list, per processing activity: the controller's (and DPO's) contact details, purpose, lawful basis, data subject and data categories, recipients, third-country transfers and their safeguards, retention period, and a general description of the Article 32 security measures. Organisations under 250 employees are exempt only if their processing is occasional, unlikely to result in a risk to data subjects, and free of special-category or criminal-conviction data (Article 30(5)); almost no SaaS or e-commerce operator meets all three conditions. See our GDPR Article 30 data model.

2. Assign a lawful basis to each activity

Article 6(1) lists six bases: consent, contract, legal obligation, vital interests, public task, legitimate interest. Marketing analytics, profiling, and tracking typically require either consent or a documented legitimate interest assessment (LIA), and note that storing or reading cookies and similar identifiers on a device needs consent under the ePrivacy rules regardless of the GDPR basis chosen. For special categories (Article 9), the Article 6 basis is not enough on its own: record the applicable Article 9(2) exception as well.

3. Run DPIAs for high-risk processing

Article 35 requires a Data Protection Impact Assessment when processing is likely to result in a high risk to individuals. The WP29 Guidelines WP248 rev.01 (endorsed by the EDPB) list nine triggering criteria, and meeting two of them will in most cases require a DPIA. AI scoring, behavioural advertising, biometric identification, and large-scale health data processing almost always meet that threshold, and several of them are named outright in Article 35(3). Check your national supervisory authority's Article 35(4) list as well, since it can make a DPIA mandatory for additional operations.

4. Govern your processors (Article 28)

Every vendor that processes personal data on your behalf needs a signed Article 28 contract (DPA). Signing transfer Standard Contractual Clauses does not substitute for it: the DPA must cover the mandatory Article 28(3) content, namely processing only on documented instructions, confidentiality commitments, Article 32 security measures, prior authorisation of sub-processors, assistance with data subject requests and breaches, deletion or return of data at the end of the service, and audit rights. Fix the breach-notification timeline to the processor ("without undue delay" in Article 33(2)) as a concrete number of hours so that your own 72-hour clock is achievable.

5. Map and lawfully justify international transfers

After Schrems II (C-311/18), every transfer outside the EEA requires either an adequacy decision, Standard Contractual Clauses backed by a Transfer Impact Assessment, or Binding Corporate Rules; the Article 49 derogations are for occasional transfers only and cannot carry a routine vendor relationship. The EU-U.S. Data Privacy Framework covers DPF-certified US recipients only, so verify each recipient's certification rather than assuming a US destination is covered.

6. Build a 72-hour breach response capability

Article 33 requires notification to the supervisory authority within 72 hours of becoming aware of a breach, unless the breach is unlikely to result in a risk to individuals' rights and freedoms; if you miss the deadline, the notification must explain the delay. See our GDPR data breach notification guide. Article 34 adds direct communication to the affected data subjects, without undue delay, when the breach is likely to result in a high risk.

7. Operationalise data subject rights

Articles 15-22 give individuals the rights of access, rectification, erasure, restriction, portability, objection, and not to be subject to solely automated decisions with legal or similarly significant effects; the right to withdraw consent at any time sits separately in Article 7(3). Response window: one month from receipt, extendable by a further two months for complex or numerous requests provided the individual is told within the first month (Article 12(3)). See our DSAR playbook.

8. Define retention and storage limits

Article 5(1)(e), storage limitation, requires deletion or anonymisation once the purpose is fulfilled. Document retention rules per data category in a written schedule, record the legal obligations or pending claims that justify any longer period, and automate the purges so that the schedule is enforced rather than merely written down.
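The checks implied by steps 1, 2, 5 and 8 above are mechanical enough to script. The following Python is an added example for this guide, not Legiscope code or any official tooling: it walks a constructed Article 30 register, flags entries with no lawful basis, a legitimate interest with no LIA, special-category data with no Article 9(2) basis, a third-country transfer with no usable mechanism, or no retention period, applies the Article 30(5) exemption test, and lists records whose retention period has lapsed while respecting a legal hold. The record layout, the mechanism labels, the sample activities and the adequacy list (a partial snapshot, to be verified against the Commission's current decisions) are all assumptions made for the example.

```python
"""Consistency checks over an Article 30 Record of Processing Activities.

Added example for this guide, not Legiscope code. Record layout, labels,
sample data and the adequacy snapshot are assumptions for illustration.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date, timedelta

# EEA member states (EU27 + IS, LI, NO), ISO 3166-1 alpha-2 codes.
EEA = {"AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR",
       "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK",
       "SI", "ES", "SE", "IS", "LI", "NO"}
# Partial snapshot of adequacy decisions (assumption: verify before relying on it).
ADEQUACY = {"GB", "CH", "JP", "CA", "KR", "NZ", "AR", "IL", "UY"}
ART6_BASES = {"consent", "contract", "legal_obligation", "vital_interests",
              "public_task", "legitimate_interest"}
TRANSFER_MECHANISMS = {"adequacy", "scc", "bcr", "dpf", "art49_derogation"}


@dataclass
class Activity:
    """One ROPA entry; field names are this example's own, not a standard."""
    name: str
    purpose: str
    lawful_basis: str
    data_categories: set[str]
    recipients: list[str] = field(default_factory=list)
    retention_days: int | None = None
    security_measures: list[str] = field(default_factory=list)
    special_categories: bool = False
    art9_basis: str | None = None       # e.g. "9(2)(a) explicit consent"
    lia_on_file: bool = False           # legitimate interest assessment documented
    transfer_countries: set[str] = field(default_factory=set)
    transfer_mechanism: str | None = None
    tia_on_file: bool = False           # transfer impact assessment (needed with SCCs)
    dpf_certified_recipient: bool = False
    occasional: bool = False            # Article 30(5) exemption inputs
    likely_risk: bool = True


def check_activity(a: Activity) -> list[str]:
    """Return findings for one entry; an empty list means it is internally consistent."""
    findings = []
    if not a.purpose:
        findings.append("no purpose recorded")
    if a.lawful_basis not in ART6_BASES:
        findings.append(f"unknown Article 6 basis {a.lawful_basis!r}")
    if a.lawful_basis == "legitimate_interest" and not a.lia_on_file:
        findings.append("legitimate interest claimed without a documented LIA")
    if a.special_categories and not a.art9_basis:
        findings.append("special category data without an Article 9(2) basis")
    if a.retention_days is None:
        findings.append("no retention period (Article 5(1)(e))")
    if not a.security_measures:
        findings.append("no Article 32 measures described")
    third = a.transfer_countries - EEA          # only non-EEA destinations matter
    if third:
        m = a.transfer_mechanism
        if m not in TRANSFER_MECHANISMS:
            findings.append(f"transfer to {sorted(third)} without a transfer mechanism")
        elif m == "adequacy" and not third <= ADEQUACY:
            findings.append(f"adequacy claimed for {sorted(third - ADEQUACY)} with no decision")
        elif m == "dpf" and (third != {"US"} or not a.dpf_certified_recipient):
            findings.append("DPF only covers DPF-certified US recipients")
        elif m == "scc" and not a.tia_on_file:
            findings.append("SCCs without a transfer impact assessment (Schrems II)")
    return findings


def needs_full_ropa(headcount: int, activities: list[Activity]) -> bool:
    """Article 30(5): the under-250 exemption is lost as soon as one activity is
    not occasional, likely to result in a risk, or involves special categories."""
    if headcount >= 250:
        return True
    return any(not a.occasional or a.likely_risk or a.special_categories
               for a in activities)


@dataclass
class Record:
    record_id: str
    activity: str
    collected: date
    legal_hold: bool = False


def due_for_purge(records: list[Record], activities: list[Activity],
                  today: date) -> list[str]:
    """Ids of records past their activity's retention period, skipping legal holds
    and activities whose retention is undefined (those surface in check_activity)."""
    retention = {a.name: a.retention_days for a in activities}
    due = []
    for r in records:
        days = retention.get(r.activity)
        if days is None or r.legal_hold:
            continue
        if r.collected + timedelta(days=days) <= today:
            due.append(r.record_id)
    return due


# Constructed sample register and records (not real data).
SAMPLE = [
    Activity("newsletter", "marketing emails", "consent", {"email"}, ["ESP Inc."],
             retention_days=730, security_measures=["TLS", "MFA"],
             transfer_countries={"US"}, transfer_mechanism="dpf",
             dpf_certified_recipient=True),
    Activity("analytics", "product analytics", "legitimate_interest",
             {"device id", "usage"}, retention_days=395,
             security_measures=["pseudonymisation"],
             transfer_countries={"IN"}, transfer_mechanism="scc"),
    Activity("hr_health", "sick-leave administration", "legal_obligation",
             {"health"}, security_measures=["encryption at rest"],
             special_categories=True),
]
SAMPLE_RECORDS = [
    Record("r1", "analytics", date(2024, 11, 1)),
    Record("r2", "analytics", date(2025, 6, 1)),
    Record("r3", "analytics", date(2020, 1, 1), legal_hold=True),
    Record("r4", "hr_health", date(2020, 1, 1)),
]
TODAY = date(2026, 1, 1)

if __name__ == "__main__":
    for act in SAMPLE:
        for finding in check_activity(act):
            print(f"{act.name}: {finding}")
    print("full ROPA required:", needs_full_ropa(50, SAMPLE))
    print("purge:", due_for_purge(SAMPLE_RECORDS, SAMPLE, TODAY))
```

Run against the sample register, the checker passes the newsletter entry, flags the analytics entry twice (no LIA, SCCs with no TIA) and the HR entry twice (no Article 9(2) basis, no retention period), and reports only r1 as due for purge: r2 is still inside its 395 days, r3 is on legal hold, and r4 belongs to an activity with no retention period defined, which is a ROPA defect rather than a purge decision.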

9. Implement Article 32 security measures

State-of-the-art technical and organisational measures: encryption at rest and in transit, pseudonymisation, access controls, MFA, backups with integrity tests, vulnerability management, incident response procedures. EDPB Guidelines 9/2022 detail breach notification thresholds.

10. Train staff and assign a DPO if required

A DPO is mandatory under Article 37(1) if you are a public authority, if your core activities require regular and systematic monitoring of data subjects on a large scale, or if your core activities consist of large-scale processing of special-category or criminal-conviction data. See our GDPR Article 39 DPO tasks. Annual training is a baseline expectation in DPA guidance.

11. Audit and update annually

The accountability principle (Article 5(2)) and supervisory authority guidance expect a documented, periodic review of the whole programme; an annual cycle is the practical minimum. Track regulatory updates: EU AI Act phasing (most high-risk obligations apply from August 2026), NIS2 transposition, and the Commission's periodic review of the DPF adequacy decision.

12. Tooling

Legiscope automates the 11 deliverables: ROPA generation, processor register, DPIA workflow, breach 72-hour timer, DSAR pipeline, retention automation. Reduces compliance programme from 18 months to under 90 days.

FAQ

What is the GDPR compliance guide for 2026?

A documented programme covering Article 30 ROPA, Article 6 lawful bases, Article 35 DPIAs, Article 28 processor governance, Schrems II transfers, Article 33 breach response within 72 hours, data subject rights workflow, retention schedule, Article 32 security, training, and annual audit.

How long does GDPR compliance take?

For a mid-size SaaS: 6-12 months with internal effort, 60-90 days with tooling. Programme maintenance is continuous.

What are the biggest GDPR fines in 2025?

TikTok €530M (Irish DPC, May 2025) for transfers of EEA user data to China. Uber's €290M fine (Dutch DPA) dates from August 2024, and the largest Meta decision (€1.2B, Irish DPC) from May 2023. Cumulative EEA fines exceeded €2.1B in 2025.

Is GDPR compliance mandatory for non-EU companies?

Yes, if they offer goods or services (paid or free) to data subjects in the EU/EEA or monitor their behaviour there (Article 3(2)); a non-EU company with an EU establishment is caught by Article 3(1) regardless. See our GDPR Article 3 territorial scope guide.

What’s the minimum GDPR compliance deliverable list?

ROPA, lawful basis register, signed DPAs with processors, privacy notice, DSAR procedure, breach response procedure, and documented Article 32 security measures. This is the floor a supervisory authority will ask for first; anything less invites Article 83 sanctions.

Legiscope automates this for you

Stop doing compliance manually. Legiscope's AI handles ROPA creation, DPA audits, and gap analysis — in minutes, not weeks.

Written by
Founder of Legiscope and GDPR expert

Doctor of Law from Université Panthéon-Assas (Paris II), with 23 years of experience in digital law and GDPR compliance. Former adviser to the Prime Minister's administration on the implementation of the GDPR. Thiébaut is the founder of Legiscope, an AI-automated GDPR compliance platform.
