Information Privacy is increasingly important for IT Governance. Prior research has identified several actions with which organizations can govern information privacy. Internet, mobility, big data and analytics is, however, creating more data and also new threats. This has led the European Union to improve data protection legislation by introducing the General Data Protection Regulation (GDPR). In this study, a multiple case study was performed to find actions that organisations take to comply with the GDPR. This study has identified 33 actions that organisations take to prepare for the GDPR. 21 of these actions were not discussed in previous literature analysed. Some of these “new” actions have to do with the change management project the GDPR requires. More interestingly, GDPR specific actions are found that show how Europe's legal climate changes organizational privacy governance through DPOs, DPIAs and other measures. For researchers, this paper extends findings on how organisations are responding to privacy issues and regulations. Practitioners can use the results to compare their own actions with those identified in this study. This was, however, only one study conducted in nine organizations. Further research is needed to understand how the GDPR and privacy governance will continue to evolve and mature. © The Authors, 2018. All Rights Reserved.