It is now more than three years since the General Data Protection Regulation (GDPR) entered into force on May 25th, 2016. It was decided that enforcement of the GDPR would not begin until 25th May 2018. Organisations which process personal information (data controllers) have had a long lead-in period to prepare for the GDPR. Organisations which have not used the two-year period wisely will likely face greater punishment should they be subject to regulatory action. This bulletin will discuss what are arguably the minimum requirements of the GDPR to allow organisations which process personal information to benchmark their current compliance.