How to make your GDPR programme regulator-ready

This is the third in a three-part series on where GDPR stands now. It is based on a webinar that we aired on May 27, 2026. A recording of the webinar can be found here.

In the first blog in this series, we looked at how GDPR has matured from a one-off compliance project into a live governance framework. In the second, we explored why AI has made data protection more connected, more operational and more dependent on joined-up digital governance.

The next question is a practical one. What does a regulator-ready GDPR programme look like now?

The answer is not simply more paperwork. It is the ability to explain what happened, why it happened, who made the decision and what evidence supports it.

Why this is relevant now

GDPR enforcement is becoming faster, more coordinated and more focused on governance. Cross-border cases have historically taken a long time to resolve, but new EU procedural rules are designed to improve cooperation between national data protection authorities and speed up the handling of major cross-border complaints.

For organisations, that means there may be less time to gather evidence once a complaint or investigation begins.

If a regulator asks for records, DPIAs, vendor documentation, transfer assessments, breach logs, training evidence or details of AI governance, organisations need to be able to produce them quickly and confidently.

Scrambling to reconstruct events after the fact is not a strong compliance position.

Evidence is the foundation of defensibility

A regulator-ready programme is one that can evidence decisions as they were made at the time. That includes documents like records of processing, DPIAs, privacy notices, supplier due diligence, data processing agreements, and training records.

The key is not simply whether these documents exist. It is whether they are current, accurate and connected to real decision-making.

For example, if an organisation uses an AI tool to support customer complaints handling, it should be able to explain what data the system uses, whether sensitive data could be involved, how decisions are reviewed, what safeguards are in place, what supplier terms apply and how individuals are informed.

If that evidence is scattered, outdated or incomplete, the organisation may struggle to show that the risk was properly governed.

Data subject rights are becoming more complex

Data subject rights have been central to GDPR from the start, but they remain a common challenge.

Subject access requests are often time-consuming because data is spread across email, HR systems, customer platforms, chat tools, shared drives and supplier systems. AI adds another layer of complexity.

People may ask what data was used about them, whether an algorithm was involved, why a decision was made, whether they can challenge the outcome or whether their data can be corrected or deleted.

The first person to receive that request may not be a data protection specialist. It might be someone in HR, recruitment, customer support, IT or a line management role.

That is why training matters. People rarely use legal language. A rejected job applicant may ask why they did not get the role and what information was used. A customer refused a service may ask how the decision was reached. Those can still be valid data protection requests.

If staff fail to recognise them, deadlines can be missed and rights can be breached.

Supplier risk needs ongoing review

Supplier management is another area where GDPR compliance has changed significantly.

Most organisations now rely on a wide range of digital tools, including CRM systems, HR platforms, chatbots, AI copilots, analytics tools and cloud storage providers. Each one may involve personal data.

A signed data processing agreement is no longer enough on its own.

Organisations need to understand what data suppliers process, where it is stored, whether sub-processors are involved, whether data is transferred internationally, whether data may be used to train AI, what security measures apply, how breaches are reported and how data is deleted or returned.

Supplier reviews also need to continue after onboarding. Many tools now add AI features over time, sometimes without a major procurement decision. That can change the risk profile of the service.

A supplier that looked low risk two years ago may not be low risk today.

Training should reflect real behaviour

GDPR training in 2018 often focused on basic concepts like what is personal data, what is a breach, what is a subject access request and what should staff do if something goes wrong.

Those basics still matter, but training now needs to be role-specific and scenario-based. A marketing team needs to understand consent, profiling and customer data. HR needs to understand employee records, monitoring and rights requests. IT needs to understand access controls, security, vendor risk and AI tools. Senior leaders need to understand accountability, risk ownership and regulatory exposure.

The most important risks often arise from ordinary actions. Someone uploads personal data into an unapproved AI tool. A manager keeps informal notes about an employee. A spreadsheet is shared with a supplier. A rights request is ignored because it does not use formal legal language.

Effective GDPR training should help people recognise those moments and make better decisions.

AI needs clear operational rules

As discussed in the previous blog, AI has raised the stakes for GDPR compliance. A regulator-ready programme should include practical rules for staff.

Those rules might cover when AI tools can be used, what data can be entered, which tools are approved, when personal data must be removed, how outputs should be checked and when issues must be escalated.

For example, a legal or commercial team might use AI to help draft or summarise a document. If they paste in a real contract containing names, addresses, commercial terms or sensitive details, they may create a data protection issue without realising it.

Staff need clear, usable guidance. They should know that AI can assist with work, but personal or sensitive data must not be entered into unapproved systems, and AI outputs should be treated as drafts requiring human review.

Governance needs ownership

A strong GDPR programme needs clear ownership. Someone must be responsible for ensuring risks are identified, decisions are documented and controls are reviewed.

But ownership does not mean one person or one team does everything.

Modern data protection requires collaboration between legal, compliance, IT, security, HR, procurement, product, marketing and senior leadership. Data protection risks now cut across systems, suppliers, employees, customers, AI tools and business strategy.

The role of governance is to make sure those teams are connected and that risks do not fall between them.

Test your readiness before you need it

One of the most useful things an organisation can do is test whether it could respond to a regulator tomorrow.

Could you produce your key DPIAs? Could you explain how your organisation uses AI? Could you show current supplier records? Could you evidence staff training? Could you demonstrate how rights requests are handled? Could you show who owns major privacy risks?

If the answer is unclear, that is a warning sign.

Regulator readiness is not about predicting every possible investigation. It is about building a programme that can withstand scrutiny because the evidence, ownership and decision-making are already in place.

GDPR has entered a more mature and demanding phase. The organisations that manage it well will be those that understand their data, keep risk assessments live, train people properly, review suppliers regularly and document decisions as they happen.

The goal is not perfection. It is credible, evidence-based, risk-aware compliance. By the time a regulator asks the question, it is too late to start building the answer.

Don't miss our webinar, GDPR eight years on: What has changed, what is coming and how to stay compliant