The Privacy Control Framework: Operationalising GDPR

This guide is written for senior leaders responsible for privacy, data governance and information risk. Chief Privacy Officers, Data Protection Officers, General Counsel, Chief Information Security Officers, Chief Data Officers, and the audit, risk and board committee members who oversee them.

By the end of it, you will have a structured way to assess where your privacy programme sits against current regulator expectations, identify the operating weaknesses that turn compliant organisations into enforcement targets, and adopt a five-domain control framework that joins privacy up with cyber risk, third party risk and enterprise governance.

1. Executive summary
2. The privacy landscape in 2026
3. Why GDPR programmes fail after initial compliance
4. The Privacy Control Framework
5. Privacy risk in modern data ecosystems
6. Embedding privacy into enterprise risk management
7. Technology as a privacy governance enabler
8. Measuring privacy programme success
9. The future of privacy governance
10. Conclusion

GDPR is eight years into enforcement. The question has changed.

In 2018, privacy leaders were asked whether their organisations were compliant. In 2026, they are asked something harder. Can the programme operate at scale as the data ecosystem keeps growing. Can controls keep up with cloud sprawl, new AI systems, longer sub processor chains, and the regulatory agenda building around them.

Enforcement has not softened. According to DLA Piper's GDPR Fines and Data Breach Survey, January 2026, European supervisory authorities issued around €1.2 billion in GDPR fines during 2025. The CMS GDPR Enforcement Tracker puts the cumulative total since 2018 past €7.1 billion across more than 2,800 enforcement actions, with over 60 per cent of that cumulative value landing since January 2023. Regulators are no longer focused only on big tech. Financial services, healthcare, telecoms and the public sector are now firmly in scope.

The organisations that will manage the next three years well are the ones that have stopped treating privacy as a documentation exercise and started treating it as an operational control framework. Joined up with cyber risk, third party risk and enterprise governance. Measured. Reported to the board. Operated continuously.

This guide sets out a Privacy Control Framework built around five operating domains: data visibility, risk assessment, governance and accountability, operational controls, and continuous monitoring. It is designed for senior leaders who already know the regulation and now need a model for running it at scale.

Three forces are reshaping privacy governance. None of them are new. All of them have compounded.

Enforcement is sustained and widening

DLA Piper's January 2026 survey reports that regulators issued around €1.2 billion in GDPR fines in 2025, a figure closely matching 2024. Ireland's Data Protection Commission alone has now issued €4.04 billion in cumulative fines since GDPR took effect, driven largely by the international data transfer cases concentrated in Dublin.

According to the CMS Enforcement Tracker, Spain leads on volume, with 932 fines recorded, up 130 in the past year alone. The common causes have not changed much: insufficient legal basis for processing, transparency failures, and inadequate security measures under GDPR Article 32. What has changed is who receives them. Media and telecoms remain heavily exposed. Finance, healthcare, energy and the public sector are now routinely fined too. DLA Piper also reports that personal data breach notifications grew 22 per cent year on year, averaging 443 across Europe every day.

The EU AI Act has arrived alongside GDPR

General Purpose AI model obligations under the EU AI Act, Regulation (EU) 2024/1689, became applicable on 2 August 2025. According to the Future of Life Institute's AI Act implementation timeline, the Act's high risk obligations under Annex III, and the enforcement powers of the AI Office, apply from 2 August 2026, with the remaining high risk obligations under Annex I following on 2 August 2027.

Wherever an AI system processes personal data, the two regimes overlap. GDPR covers the lawful basis, transparency, data subject rights and security. The AI Act adds obligations around risk management, documentation, human oversight, and post market monitoring for high risk systems. Treating them as separate programmes will create gaps and duplicate work. Treating them as one governance problem will not.

The data ecosystem has outgrown the governance designed for it

When most organisations built their first GDPR programme, the data landscape was narrower. A handful of core systems, a known set of processors, a defensible inventory. In 2026 the picture is a sprawl of SaaS platforms, managed cloud services, machine learning tooling, and vendor sub processors who have their own vendor sub processors. Data flows that were documented once have drifted.

According to IBM's Cost of a Data Breach Report 2025, the global average cost of a breach is $4.44 million, the first decline in five years, driven by faster detection and containment where it has happened. Much of the residual cost sits in the same weaknesses regulators punish: missing visibility, slow detection, unclear ownership.

The strategic implication is straightforward. The baseline that made organisations compliant in 2018 is not sufficient to keep them compliant in 2026.

Sources for this section: DLA Piper, GDPR Fines and Data Breach Survey: January 2026 · CMS, GDPR Enforcement Tracker Report 2024/2025 · EU AI Act, Regulation (EU) 2024/1689 · Future of Life Institute, EU AI Act Implementation Timeline · IBM, Cost of a Data Breach Report 2025 · GDPR, Regulation (EU) 2016/679

Most GDPR enforcement actions do not punish organisations that never tried. They punish organisations that tried once, moved on, and stopped operating the programme. Five failure patterns recur.

Drifted inventories

Records of processing activities under GDPR Article 30 were written during the 2018 readiness push, often in spreadsheets or static documents. The business moved on. New systems came in. Old systems changed purpose. The inventory did not follow. A regulator asking what personal data you hold, where it is, and why, now hits a gap.

Manual privacy operations

Data protection impact assessments tracked in shared drives. Data subject access requests handled over email. Breach logs in a workbook only one person maintains. When volumes were low this was workable. Volumes are no longer low.

The Information Commissioner's Office fined Advanced Computer Software Group £3.07 million in March 2025 after a ransomware attack compromised data belonging to 79,404 individuals. The ICO found failings against GDPR Articles 5(1)(f) and 32: multi-factor authentication had not been deployed on the breached customer account, vulnerability scanning was incomplete, and patch management was inadequate. The pattern is not missing policies. It is missing operation.

Unclear ownership

The Data Protection Officer is often the only person with a full picture. Business unit heads do not know which processing activities they own, which vendors they are responsible for, or which DPIAs they should have commissioned. Accountability under GDPR Article 24 cannot sit in one corner office.

Shadow AI and shadow SaaS

Personal data is flowing into systems the privacy team has not seen. A team trials a generative AI tool on customer records. A department signs a SaaS contract that moves employee data to a new sub processor. Each looks minor in isolation. In aggregate they become the next breach.

Privacy run as a silo

The privacy programme reports separately from cyber, separately from third party risk, and separately from enterprise risk. A single incident can breach all three. A disconnected programme responds to it three times, slowly, in three different tools.

None of these failures are dramatic. They are the quiet kind that compound quarter after quarter until a supervisory authority asks a question the programme cannot answer.

Sources for this section: ICO, Monetary Penalty Notice: Advanced Computer Software Group, March 2025 · GDPR, Regulation (EU) 2016/679

A Privacy Control Framework reframes GDPR obligations as five operating domains. Each domain has a defined purpose, a set of capabilities, and an explicit link to the wider governance programme. Together they move privacy from documentation to operation.

The framework is technology agnostic. It can be applied in financial services, healthcare, technology, or the public sector. It scales from a small privacy function to an enterprise programme. It is designed to be auditable.

Domain 1: Data visibility

Know what personal data you hold, where it lives, how it flows, and who touches it. Without this domain, every other control is theoretical. GDPR Article 30 requires records of processing activities as a minimum. Mature programmes go further.

Core capabilities:

1. Living data inventories, maintained continuously, not reconstructed annually
2. Data mapping across systems, business processes and data subjects
3. Records of processing activities aligned to GDPR Article 30
4. Sub processor and onward transfer registers with current status
5. Data classification covering special category data, children's data and financial data

Domain 2: Risk assessment

Evaluate privacy risk continuously and in proportion. The GDPR Article 35 requirement for data protection impact assessments is a baseline. Modern programmes extend it to cover AI systems, new vendors, new jurisdictions and material changes to existing processing.

Core capabilities:

1. DPIAs triggered by defined thresholds, not left to memory
2. Privacy risk scoring aligned with the enterprise risk taxonomy
3. AI impact assessments, integrated where AI processes personal data
4. Data classification tied to downstream control requirements
5. Transfer impact assessments for data leaving the jurisdiction, informed by Schrems II

Domain 3: Governance and accountability

Privacy cannot be owned by one office. GDPR Article 24 puts accountability on the controller as a whole. A governance model makes that workable.

Core capabilities:

1. Clearly assigned ownership for every processing activity and every control
2. A privacy policy framework with version control, approvals and expiry
3. Board level reporting on privacy risk, incidents and regulatory change
4. Integration with cyber, audit, third party risk and data governance committees
5. Defined decision rights when privacy risk crosses risk appetite

Domain 4: Operational controls

The controls that actually protect personal data. These are the controls a regulator inspects during a breach investigation, as the Advanced Computer Software case demonstrated.

Core capabilities:

1. Identity and access management, role based, reviewed on a cadence, with multi-factor authentication as the default
2. Encryption in transit and at rest, with key ownership understood
3. Data minimisation built into system design, not retrofitted, aligned to GDPR Article 25
4. Retention management and automated deletion, aligned with documented retention schedules
5. Consent and preference management, auditable across channels
6. Operational workflows for data subject rights, meeting the one month window set out in GDPR Article 12(3)

Domain 5: Continuous monitoring

A control that is not monitored is a control that has stopped working. Continuous monitoring is how privacy governance stays credible between audits.

Core capabilities:

1. Automated control testing with evidence captured as part of the activity
2. Incident and breach management with clocked notification workflows, meeting the 72 hour window under GDPR Article 33, operated in line with EDPB guidance on breach notification
3. Regulatory change monitoring feeding into the control library
4. Programme level metrics reported to the board
5. Supervisory authority reporting ready to run, not assembled from scratch

The five domains interlock. Data visibility feeds risk assessment. Risk assessment drives operational controls. Governance sets ownership across all of them. Continuous monitoring closes the loop. Each domain is an anchor point into the wider programme: cyber risk, third party risk, data governance and AI governance.

Sources for this section: GDPR, Regulation (EU) 2016/679 · EDPB, Guidelines 9/2022 on personal data breach notification

Three ecosystem shifts have created risks the 2018 programme was never designed to cover.

AI systems processing personal data

AI is now the most material new source of privacy risk. Three specific exposures matter most.

Training data provenance. Models trained on scraped or repurposed personal data rarely meet GDPR Article 6 lawful basis requirements without substantial work. Special category data under GDPR Article 9 raises the bar further.

Model behaviour and data subject rights. A model that has memorised training data can leak it in output. A model that makes decisions affecting individuals triggers GDPR Article 22 obligations around automated decision making. Data subject rights of access, rectification and erasure apply to outputs, not just to inputs.

AI Act overlap. From 2 August 2026, AI systems that process personal data fall under both GDPR and the EU AI Act. High risk systems carry documentation, risk management, human oversight and post market monitoring obligations that overlap directly with GDPR Articles 5, 25, 32 and 35. Running AI governance and privacy governance as separate programmes creates duplication and gaps. One programme with two lenses works better.

Cloud and SaaS platforms

Personal data now sits in hundreds of cloud services. Each service has its own controls, its own sub processors, and its own configuration choices. Tenant misconfiguration is a common root cause in breach investigations. Encryption is often available but not enabled. Key ownership is often unclear. Transfer impact assessments, required under Schrems II, are often done once during procurement and never revisited when the provider changes infrastructure.

Cloud platforms do not reduce privacy risk. They distribute it. The control framework has to follow the data.

Cross border transfers and sub processor chains

In May 2025 the Irish Data Protection Commission fined TikTok Technology Limited €530 million for unlawful transfers of EEA user data to China. The fine broke down into €485 million for infringement of GDPR Article 46(1), concerning transfers to third countries without an adequate level of protection, and €45 million for transparency failings under GDPR Article 13(1)(f). During the inquiry TikTok informed the DPC that limited EEA user data had in fact been stored on servers in China, contradicting earlier statements to the regulator.

The lessons for every organisation are not specific to TikTok. Schrems II obligations have not relaxed. Every vendor's vendor is part of the risk surface. Standard contractual clauses are necessary but not sufficient. Supplementary measures, transfer impact assessments, and continuous monitoring of sub processor changes all form part of the control framework.

Sources for this section: EU AI Act, Regulation (EU) 2024/1689 · Schrems II, Case C-311/18 (CJEU) · Irish DPC, TikTok decision (May 2025) · GDPR, Regulation (EU) 2016/679

Privacy stops being a corner office function when it uses the same risk language the rest of the business already speaks. The integration has four layers.

A shared risk register

Privacy risks scored on the same impact and likelihood scales as cyber, operational and financial risk. The board sees one register, not four. A risk that sits above appetite in privacy cannot be invisible in the enterprise view.

An integrated control library

Many privacy controls already exist in the cyber and compliance control library. Access management satisfies GDPR Article 32, ISO/IEC 27001:2022 Annex A, SOC 2 common criteria CC6, and elements of DORA operational resilience and the EU AI Act at the same time. Test the control once, map it to every obligation, evidence it once. The alternative is duplicated control testing and fatigue.

Board level reporting

Privacy metrics alongside cyber key risk indicators. Incident trends visible month on month. Regulatory change pipeline understood before it lands. Third party exposure quantified. A board that sees privacy quarterly makes different decisions from a board that hears about it when something goes wrong.

Joined up incident response

A data breach is simultaneously a privacy incident under GDPR Article 33, a cyber incident under existing security protocols, and often a vendor incident requiring third party notification. One workflow, three audiences, one audit trail.

According to IBM's Cost of a Data Breach Report 2025, the global average breach cost is $4.44 million, down from $4.88 million in 2024. This is the first annual decline in five years, attributed to faster detection and containment, often driven by integrated security and privacy operations. Silos cost money. Integration saves it.

Sources for this section: IBM, Cost of a Data Breach Report 2025 · DORA, Regulation (EU) 2022/2554 · EU AI Act, Regulation (EU) 2024/1689

The Privacy Control Framework is technology agnostic. It is not technology optional. Running data visibility, risk assessment, governance, operational controls and continuous monitoring on spreadsheets, shared drives and email is unsustainable at scale. Five enabling capabilities separate a platform that supports the framework from one that frustrates it.

Live data inventories

Automated discovery across systems. Classification aligned to regulatory categories. Live status rather than annual snapshot.

Workflow driven privacy operations

DPIAs, DSARs, breach notifications and vendor assessments run as tracked workflows with audit trails and clocked deadlines.

A shared control library

One control, multiple frameworks. Test once, satisfy GDPR, ISO 27001, SOC 2, DORA and AI Act obligations in parallel.

Continuous monitoring

Evidence captured as part of the operational activity, not retrofitted before an audit.

Regulator ready reporting

Supervisory authority submissions, board reports and assurance reports generated from the same data.

Technology amplifies whatever process maturity already exists. Stabilise the programme before scaling it. A live data inventory is the precondition for everything downstream. Run privacy operations as workflows, not as documents passed by email. Test every control once and map it to every obligation it satisfies. Continuous monitoring only creates value where the programme can act on the signals it surfaces.

Privacy maturity is earned, not asserted. Meaningful measurement sits in four categories. The metrics below are the ones that answer board level questions without needing a translator.

Coverage

How much of the estate the programme actually covers.

1. Percentage of systems with a current RoPA, refreshed within the last twelve months
2. Percentage of processing activities with assigned owners
3. Percentage of third parties with completed privacy assessments
4. Percentage of high risk processing activities covered by a DPIA
5. Percentage of AI systems processing personal data with a completed impact assessment

Responsiveness

How quickly the programme reacts when it has to.

1. Median time to fulfil a data subject access request, against the one month window in GDPR Article 12(3)
2. Median time to complete a DPIA
3. Time from breach detection to supervisory authority notification, against the 72 hour requirement in GDPR Article 33
4. Time from breach detection to affected data subject notification
5. Backlog of open privacy risks

Risk reduction

1. The outcome metrics that demonstrate the programme is working.
2. Year on year change in open privacy risks above appetite
3. Incident frequency and severity trend
4. Reduction in high risk audit findings
5. Reduction in repeat findings

Operational efficiency

The internal metrics that keep the programme sustainable.

1. Evidence collection effort per audit cycle
2. Audit preparation time
3. Control testing cadence and coverage
4. Time spent on low value administrative work

Programmes that report on all four categories have something else in common. They make better investment cases. A board approves what it can measure.

Four trends will shape the discipline over the next three years.

AI governance and privacy converge

The EU AI Act's main high risk obligations land on 2 August 2026, with a further tranche covering Annex I high risk systems following on 2 August 2027. Most high risk AI systems process personal data, bringing GDPR into every AI governance conversation. Organisations that run two programmes will find themselves repeating the same assessments, documentation and evidence. The ones running a single, joined up control framework will not.

Data sovereignty intensifies

Transfer rules have not relaxed since Schrems II. Regional cloud, localisation requirements and sovereign infrastructure are becoming operational decisions rather than theoretical ones. The €530 million TikTok fine illustrates what sustained regulatory scrutiny of transfers now looks like. Expect transfer impact assessments to move from one off exercise to continuous control.

Continuous compliance replaces point in time audits

Supervisory authorities increasingly expect live evidence rather than annual snapshots. DORA requires continuous operational resilience testing for the financial sector. NIS2, transposed into member state law with a deadline of October 2024 and enforcement now active, expects similar evidencing for essential and important entities. The audit model is shifting.

Privacy becomes a board discipline

Privacy incidents reach the board anyway. The difference is whether they reach it as crises or as known risks being managed. Standing privacy metrics, alongside cyber key risk indicators, are becoming the norm in mature programmes.

Organisations that invest in operational privacy governance now will spend less of the next three years responding to surprises and more of it making deliberate decisions.

Sources for this section: Future of Life Institute, EU AI Act Implementation Timeline · EU AI Act, Regulation (EU) 2024/1689 · Schrems II, Case C-311/18 (CJEU) · Irish DPC, TikTok decision (May 2025) · DORA, Regulation (EU) 2022/2554 · NIS2 Directive, Directive (EU) 2022/2555

The organisations that will manage privacy regulation well over the next three years will not be the ones with the most policies. They will be the ones that have operationalised privacy governance as a continuous capability, joined up with cyber risk, third party risk and enterprise governance.

The Privacy Control Framework in this guide is a model for getting there. Five operating domains. One programme. Measured, reported and connected to the rest of the risk agenda.

The framework builds in sequence. Data visibility makes risk assessment possible. Risk assessment drives proportionate controls. Governance sets ownership. Continuous monitoring closes the loop. Each element depends on the ones before it. Technology applied to a weak foundation does not create maturity. It creates faster fragmentation.

Privacy stopped being a legal question some years ago. In 2026 it is an operational discipline and a board responsibility. Treat it accordingly.

Most privacy programmes break at the same points this guide describes: drifted inventories, manual operations, unclear ownership, shadow AI and SaaS, and privacy run as a silo from cyber and third party risk.

SureCloud's Data Privacy module supports the full Privacy Control Framework. Living data inventories, DPIA and DSAR workflows, continuous control testing, and supervisory authority reporting, all on one event-sourced platform alongside Risk, Compliance, Audit, Third Party Risk Management and Business Continuity, powered by Gracie AI Agents with Personas and Skills.

Organisations using SureCloud complete data subject access requests 50 per cent faster and spend 80 per cent less time finding evidence during audits.

Benchmark your privacy programme against this framework.