The three-step guide to GDPR process compliance