GDPR Compliance Deepdive

1. Overview

What GDPR Is

Regulation (EU) 2016/679, the General Data Protection Regulation, is the European Union's omnibus data protection law. It applies extraterritorially to any organization that offers goods or services to data subjects in the EU, monitors their behavior, or processes personal data in the context of an establishment in the Union. Authoritative information including the consolidated text, recitals, and EDPB guidelines is published at gdpr-info.eu and at edpb.europa.eu. The UK GDPR mirrors the EU regulation post-Brexit and is supervised by the ICO.

Who It Applies To

  • Controllers — determine the purposes and means of processing. Heaviest obligation set.
  • Joint controllers — jointly determine purposes and means; must agree responsibilities under Article 26.
  • Processors — process personal data on behalf of a controller. Direct obligations under GDPR plus contractual obligations under Article 28.
  • Sub-processors — engaged by processors with documented controller authorization.

Outcome

GDPR is not certifiable in a formal sense (Article 42 certification mechanisms exist but adoption is limited; ISO 27701 is the practical international standard mapped to GDPR). Compliance is demonstrated through an operational program: documented lawful basis, records of processing activities, executed Article 28 contracts, transfer safeguards, breach response readiness, and an accountable governance structure. Maximum administrative fines under Article 83 are €20 million or 4 percent of worldwide annual turnover, whichever is higher, for the most serious infringements; €10 million or 2 percent for other infringements.

Security Consultants supports GDPR programs through the GDPR compliance service, typically combined with ISO 27701 for an internationally recognized PIMS, or with ISO 27001 for the broader ISMS foundation.

2. Scope & Applicability

Territorial Scope (Article 3)

  • Processing in the context of activities of an establishment in the Union
  • Processing of personal data of data subjects in the Union by a controller or processor not established in the Union, where the activities relate to (a) offering goods or services to data subjects in the Union, or (b) monitoring of their behavior within the Union
  • Processing where Member State law applies by virtue of public international law

Material Scope (Article 2)

GDPR applies to wholly or partly automated processing of personal data, and to non-automated processing that forms part of a filing system. Excluded: processing for purely personal or household activity; processing by competent authorities for law enforcement under Directive 2016/680.

Personal Data and Special Categories

  • Personal data (Article 4(1)): any information relating to an identified or identifiable natural person
  • Special categories (Article 9): racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for identification, health data, data concerning sex life or sexual orientation. Processing prohibited unless one of the Article 9(2) conditions applies (explicit consent, employment law, vital interests, public interest, etc.).
  • Criminal convictions and offenses (Article 10): additional restrictions

Controller / Processor Distinction

The factual control over purposes and means determines the role, not the contract label. EDPB Guidelines 07/2020 on the concepts of controller and processor give detailed criteria. Misclassification is a frequent finding and a source of breach notification confusion.

Cross-Border Transfers (Chapter V)

Personal data may only be transferred outside the European Economic Area where one of the Chapter V mechanisms applies: an adequacy decision (Article 45); appropriate safeguards (Article 46) including Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), approved certification, or codes of conduct; derogations for specific situations (Article 49).

  • EU-US Data Privacy Framework — adopted in July 2023 as the successor to Privacy Shield. Provides adequacy for transfers to certified US organizations. Litigation continues; current status should be verified at the time of any transfer mapping.
  • Schrems II — the CJEU's 2020 judgment (C-311/18) invalidated Privacy Shield and imposed a requirement for a Transfer Impact Assessment (TIA) on transfers under SCCs to third countries whose intelligence laws conflict with EU fundamental rights. The EU-US DPF addresses some Schrems II concerns; TIAs remain required for non-DPF transfers and for transfers to third countries other than the United States.
  • 2021 SCCs — the modular SCCs adopted by Commission Implementing Decision 2021/914 are the current Article 46 standard contractual clauses.

3. Core Principles

Article 5 — Principles Relating to Processing

  • Lawfulness, fairness, transparency
  • Purpose limitation
  • Data minimization
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality
  • Accountability — the controller must be able to demonstrate compliance

Article 6 — Lawful Basis

  • (a) Consent
  • (b) Contract performance
  • (c) Legal obligation
  • (d) Vital interests
  • (e) Public interest / official authority
  • (f) Legitimate interests (with documented Legitimate Interests Assessment)

Article 7 — Conditions for Consent

Where consent is the lawful basis, it must be freely given, specific, informed, unambiguous, and demonstrable. It must be as easy to withdraw as to give. Pre-ticked boxes do not constitute consent (EDPB Guidelines 05/2020).

Articles 12–23 — Data Subject Rights

  • Information (Articles 13, 14)
  • Access (Article 15)
  • Rectification (Article 16)
  • Erasure / right to be forgotten (Article 17)
  • Restriction (Article 18)
  • Data portability (Article 20)
  • Object (Article 21) including objecting to direct marketing
  • Not to be subject to a decision based solely on automated processing including profiling (Article 22)

Response timeline: without undue delay and at the latest within one month, extendable by two further months for complex requests.

Article 25 — Data Protection by Design and by Default

Technical and organizational measures must implement the principles effectively. Default settings must process only the personal data necessary for each specific purpose.

Article 28 — Processor

Mandatory written contract elements: subject matter, duration, nature, purpose, type of personal data, categories of data subjects, controller obligations and rights. Eight specific processor obligations are required including documented instructions, confidentiality, security, sub-processor authorization, assistance with data subject rights, breach notification, deletion / return, and audit cooperation.

4. Control Breakdown

Article 30 — Records of Processing Activities (ROPA)

Controller ROPA: name and contact details of controller and DPO; purposes; categories of data subjects and personal data; categories of recipients; transfers and safeguards; envisaged retention periods; technical and organizational measures.
Processor ROPA: name and contact details of processor and DPO; categories of processing on behalf of each controller; transfers; technical and organizational measures.
Evidence: ROPA spreadsheet or tool; reviewed at least annually and on material change.

Article 32 — Security of Processing

Implement appropriate technical and organizational measures, taking into account the state of the art, the costs of implementation, and the risk to the rights and freedoms of natural persons. The article names pseudonymization, encryption, confidentiality, integrity, availability, resilience, restoration after an incident, and regular testing of effectiveness as illustrative measures. An ISO 27001 ISMS is the most defensible framework for these technical and organizational measures. See our ISO 27001 service.

Articles 33–34 — Breach Notification

Article 33: notify the supervisory authority within 72 hours of becoming aware of a personal data breach unless the breach is unlikely to result in a risk to rights and freedoms.
Article 34: notify the data subject without undue delay where the breach is likely to result in a high risk.
Article 33(3) content: nature of breach, categories and approximate number of subjects and records, contact point, likely consequences, measures taken or proposed.
Evidence: incident response plan with the 72-hour clock workflow; breach register; communication templates.

Article 35 — Data Protection Impact Assessment (DPIA)

Required where processing is likely to result in a high risk, particularly: systematic and extensive profiling with legal effects; large-scale special-category processing; systematic monitoring of publicly accessible areas. Each Member State supervisory authority publishes lists of processing requiring or not requiring a DPIA.
Evidence: DPIA template, completed DPIAs for high-risk processing, prior consultation records (Article 36) where residual risk remains high.

Article 37 — Data Protection Officer (DPO)

Required where: processing by a public authority; core activities require regular and systematic monitoring of data subjects on a large scale; core activities are large-scale processing of special-category data or data on criminal convictions.
DPO must report to the highest level of management, operate independently, and have expert knowledge.
Evidence: DPO designation, contact details published, reporting line documented.

Articles 44–49 — Cross-Border Transfers

Article 46 safeguards including SCCs and BCRs require a documented Transfer Impact Assessment (TIA) post-Schrems II.
Article 47: BCRs approved by the supervisory authority for multinational groups.
Article 49: derogations — narrow and not for systematic transfers.
Evidence: Transfer register, SCCs (2021 modular form), TIAs, adequacy / DPF certification status.

Articles 13–14 and 15–22 — Data Subject Rights Operations

  • Article 13 / 14 notices (privacy notice content) provided at the point of collection
  • Access requests fulfilled within one month, extendable by two further months
  • Identity verification proportionate to the risk; it must not be used as a barrier to exercising the right
  • Refusal must be reasoned and must inform the subject of the right to complain to the supervisory authority and to seek a judicial remedy

5. Minimum Requirements (Non-Negotiable)

Mandatory Documents

  • Records of Processing Activities (Article 30)
  • Privacy Notice / Article 13 and 14 information
  • Lawful Basis Register including Legitimate Interests Assessments where Article 6(1)(f) is relied on
  • Data Protection Policy and supporting policies
  • Data Subject Rights Procedure
  • Personal Data Breach Procedure with 72-hour workflow
  • DPIA Template and completed DPIAs for high-risk processing
  • Processor / Controller Agreements (Article 28 / Article 26)
  • Transfer Register with SCCs and TIAs
  • Vendor Inventory with Article 28 / Article 26 agreement status
  • DPO Designation (where required)
  • Cookie and Consent Banner configuration with documented consent records
  • Retention Schedule

Mandatory Processes

  • Data subject rights handling within statutory timelines
  • Breach detection, assessment, and 72-hour notification readiness
  • DPIA triggered at design stage for new processing
  • Vendor onboarding with Article 28 contract execution before any processing begins
  • Annual ROPA review and material-change updates
  • Annual training program for personnel handling personal data
  • Periodic review of consent records (where consent is the lawful basis)

Technical Controls

  • Encryption in transit and at rest where appropriate to risk
  • Pseudonymization where the processing purpose permits
  • Access control including MFA on systems holding personal data
  • Logging and monitoring sufficient to detect breach
  • Backup and restoration of personal data
  • Cookie banner with non-essential categories defaulted off and granular consent
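Pseudonymization appears above both as an Article 32 illustrative measure and as a Technical Control, but the regulation only defines the outcome (Article 4(5): the data can no longer be attributed to a person without additional information that is kept separately). The following is an added example, not code from this page or from Security Consultants, showing one common way to meet that definition for a data set exported to a processor: direct identifiers are replaced by keyed HMAC-SHA256 tokens, the key and the re-identification table stay with the controller, and a release gate checks that no clear identifier leaves. The sample records, the field names and the `C-` id prefix are constructed for the demonstration. The comment on why a plain unkeyed hash of an e-mail address is not a pseudonym is the point most often missed in practice.

```python
import hashlib
import hmac
import secrets

# Constructed sample records for the demonstration (hypothetical customers, not real data).
SAMPLE_RECORDS = [
    {"customer_id": "C-1001", "email": "Alice@example.com", "plan": "pro", "country": "DE"},
    {"customer_id": "C-1002", "email": "bob@example.com", "plan": "free", "country": "FR"},
    {"customer_id": "C-1001", "email": "alice@example.com", "plan": "pro", "country": "DE"},
]

# Fields that directly identify the data subject and must not leave the controller in clear.
DIRECT_IDENTIFIERS = ("customer_id", "email")


def generate_pseudonymization_key() -> bytes:
    """Random 256-bit key. Held by the controller, separately from the pseudonymized
    data set (the 'additional information' of Article 4(5)), ideally in a KMS or HSM."""
    return secrets.token_bytes(32)


def normalise(value: str) -> str:
    """Canonical form so 'Alice@example.com' and 'alice@example.com' map to one pseudonym."""
    return value.strip().lower()


def pseudonymize_value(key: bytes, value: str) -> str:
    """Keyed HMAC-SHA256 over the normalised identifier.

    A plain SHA-256 of an e-mail address is not an adequate pseudonym: the input space
    is small enough to enumerate, so the hash is reversible by anyone who holds the
    data set. With a secret key, only the key holder (the controller) can link the
    token back to the person."""
    return hmac.new(key, normalise(value).encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymize_records(key: bytes, records, identifier_fields=DIRECT_IDENTIFIERS):
    """Return a copy of the records with direct identifiers replaced by pseudonyms.
    Non-identifying attributes are kept so analytics on the export still work, and the
    same person keeps the same token, so records remain linkable within the export."""
    out = []
    for record in records:
        copy = dict(record)
        for field in identifier_fields:
            if field in copy:
                copy[field] = pseudonymize_value(key, copy[field])
        out.append(copy)
    return out


def build_reidentification_table(key: bytes, records, identifier_fields=DIRECT_IDENTIFIERS):
    """Controller-side mapping pseudonym -> original value. Stored and access-controlled
    separately from the pseudonymized data set and never shipped to the processor."""
    table = {}
    for record in records:
        for field in identifier_fields:
            if field in record:
                table[pseudonymize_value(key, record[field])] = normalise(record[field])
    return table


def reidentify(table: dict, pseudonym: str):
    """Resolve a pseudonym back to the identifier, e.g. to act on an Article 15 access
    request or an Article 17 erasure request against the exported data set."""
    return table.get(pseudonym)


def contains_clear_identifiers(records, identifier_fields=DIRECT_IDENTIFIERS) -> bool:
    """Release gate run before data leaves the controller: does any identifier field
    still look like an e-mail address or carry the constructed 'C-' id prefix?"""
    for record in records:
        for field in identifier_fields:
            value = record.get(field, "")
            if "@" in value or value.startswith("C-"):
                return True
    return False


if __name__ == "__main__":
    key = generate_pseudonymization_key()
    exported = pseudonymize_records(key, SAMPLE_RECORDS)
    table = build_reidentification_table(key, SAMPLE_RECORDS)
    for row in exported:
        print(row)
    print("clear identifiers present:", contains_clear_identifiers(exported))
    print("re-identified:", reidentify(table, exported[0]["email"]))
```

Using a different key per recipient means tokens given to processor A cannot be joined with tokens given to processor B, which limits the effect of a breach at either. Rotating the key also re-keys every export, so the re-identification table has to be regenerated alongside it; keep both under the same access-control and retention rules as the clear data.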

6. Technical Implementation Guidance

Data Mapping

  • Build the ROPA from a data-mapping exercise covering systems, suppliers, categories of data subjects, lawful basis, retention, and transfers
  • Use the ROPA to derive privacy notice content, DPIA triggers, transfer assessments, and vendor inventory
  • Refresh annually and on material change

Lawful Basis

  • Document the lawful basis for each processing operation in the ROPA
  • For Article 6(1)(f), prepare a Legitimate Interests Assessment
  • For Article 9 special-category data, document the Article 9(2) condition relied on
  • For consent, implement granular, demonstrable, withdrawable consent flows

Privacy by Design

  • Embed DPIAs in product development for new features touching personal data
  • Default settings minimize personal data processing
  • Engineering teams trained on data minimization and storage limitation

Vendor and Transfer Management

  • Article 28 contract executed before any processing
  • SCC modules selected per the controller / processor / sub-processor relationship and the data flow direction
  • TIA documented for each non-adequate jurisdiction including assessment of local law, public authority access, technical and organizational measures, and supplementary measures (encryption at the controller side, pseudonymization, contractual measures)
  • EU-US DPF certification verified for relevant US recipients

Breach Readiness

  • Incident response plan with explicit GDPR breach assessment
  • Decision tree for Article 33 supervisory authority notification, Article 34 data subject notification, and Article 33(5) internal documentation only
  • Rehearsed 72-hour clock workflow including out-of-hours coverage
  • Communication templates per audience (supervisory authority, data subjects, customers, internal)

Data Subject Rights

  • Centralized request intake
  • Identity verification proportionate to risk
  • Workflow targeting 20 calendar days for completion to allow review margin against the one-month statutory clock
  • Quality assurance on access request output including redaction of third-party data

7. Policy & Procedure Requirements

  • Data Protection Policy
  • Privacy Notice (external)
  • Internal Privacy Policy and Employee Privacy Notice
  • Lawful Basis and Legitimate Interests Assessment Procedure
  • Data Subject Rights Procedure
  • Personal Data Breach Response Procedure
  • DPIA Procedure and Template
  • Cookie and Consent Management Procedure
  • International Transfer Procedure with TIA template
  • Retention Schedule
  • Vendor Privacy Risk Procedure
  • Training Program for personnel handling personal data
  • DPO Charter (where DPO is required)
  • ROPA Maintenance Procedure

For organizations also pursuing ISO 27701 or ISO 27001, most of these policies map to the PIMS extension and the ISMS, with privacy-specific extensions. See our ISO 27701 service.

8. Audit Evidence & Verification

GDPR supervisory authority investigations focus on documented accountability. The ICO accountability framework and the CNIL référentiels are widely used reference points. Customer due diligence on B2B processors typically asks for the documentation listed below as part of vendor onboarding.

Typical Evidence Categories

  • Records of Processing Activities
  • Privacy notices
  • Lawful basis register and LIA documentation
  • Data subject rights register with response timing
  • Breach register with assessments and notifications
  • DPIA register and completed DPIAs
  • Vendor inventory with Article 28 agreements, SCCs, and TIAs
  • Transfer register with adequacy / DPF status
  • Training completion records
  • DPO designation and reporting line documentation

Common Remediation Items

  • ROPA absent or stale
  • Article 28 contracts missing for vendors that handle personal data
  • TIAs missing for non-adequate transfers
  • Cookie banner that does not default non-essential categories to off (a common DPA enforcement target)
  • Privacy notice that does not match actual processing (lawful basis, retention, recipients)
  • DPIA not performed for processing that triggers Article 35
  • Breach response not exercised; uncertain 72-hour workflow

9. Implementation Timeline Considerations

Typical Duration

  • Processor / B2B SaaS readiness (with mature SOC 2 / ISO 27001 base): 3–6 months
  • Controller program build-out: 6–12 months including ROPA, DPIA program, data subject rights operations, vendor remediation
  • Multinational with BCR ambition: 18–36 months for BCR approval

Milestones

  • Data mapping and ROPA
  • Privacy notice and lawful basis articulation
  • Vendor inventory and Article 28 remediation
  • Transfer register and TIA program
  • DPIA program and triggers integrated with product development
  • Data subject rights operations
  • Breach response plan and rehearsal
  • Training rollout
  • DPO appointment (where required)
  • Independent assurance (ISO 27701 certification) where commercially valuable

10. Ongoing BAU Requirements

  • ROPA reviewed at least annually and on material change
  • DPIA triggered at the design stage for new high-risk processing
  • Data subject rights handled within statutory timelines
  • Breach detection and 72-hour notification readiness
  • Vendor inventory reviewed periodically with Article 28 renewal tracking
  • Transfer register and TIAs refreshed annually and on third-country legal changes
  • Annual privacy training plus role-specific training for personnel handling personal data
  • Privacy notice maintained current with processing reality
  • Cookie consent metrics monitored

11. Maturity Levels

Minimum Compliance

  • ROPA in place
  • Privacy notice published
  • Article 28 agreements executed
  • Breach response plan documented
  • Manual evidence collection

Intermediate

  • DPIA program integrated with product development
  • Centralized data subject rights workflow with SLA tracking
  • TIA program covering all non-adequate transfers
  • Cookie consent platform with documented consent records
  • ISO 27701 PIMS in operation

Advanced

  • Integrated ISO 27001, ISO 27701, and GDPR evidence library
  • Automated ROPA maintenance through data catalog integration
  • BCR approved for intra-group transfers
  • Privacy engineering embedded in CI/CD with policy as code
  • Continuous TIA monitoring with third-country legal-change alerts

12. FAQs

Does GDPR apply to us if we are not in the EU?

Yes, where you offer goods or services to data subjects in the EU or monitor their behavior in the EU, regardless of where you are established. Article 27 requires non-EU controllers and processors in scope to designate a representative in the Union (with limited exceptions).

Are we a controller or a processor?

The factual control over purposes and means determines the role, not the label in the contract. EDPB Guidelines 07/2020 set out detailed criteria. For B2B SaaS, the most common pattern is processor for customer data and controller for end-user account data, marketing, and operational telemetry.

Do we need a DPO?

Yes if you are a public authority, your core activities require regular and systematic monitoring of data subjects on a large scale, or your core activities involve large-scale processing of special-category data or criminal-conviction data. The Article 29 Working Party guidance (WP 243 rev.01) defines the criteria. Many organizations appoint a DPO voluntarily.

How does the 72-hour breach clock work?

From the moment the controller becomes aware that a personal data breach has occurred (Article 33(1)). Awareness means reasonable certainty that an incident has occurred and is a personal data breach. The clock continues across weekends and holidays. Notification can be made in stages where information is not yet available (Article 33(4)).

What about cross-border transfers to the US?

The EU-US Data Privacy Framework (adopted July 2023) provides adequacy for transfers to certified US recipients. Verify the recipient's DPF certification at dataprivacyframework.gov. For non-DPF transfers, rely on 2021 SCCs with a Transfer Impact Assessment.

What is a Transfer Impact Assessment?

Following Schrems II (CJEU C-311/18), controllers transferring under Article 46 safeguards must assess whether the third country's law and practice prevent the safeguard from being effective. The EDPB Recommendations 01/2020 outline a six-step methodology. Document the assessment for every transfer to a non-adequate country.

Do we need explicit consent for marketing?

Consent is one option; legitimate interest with an opt-out is another, subject to the ePrivacy Directive (and its Member State implementations), which often requires consent for electronic marketing communications. The right to object to direct marketing under Article 21(2) is absolute.

How does GDPR interact with the AI Act?

The AI Act applies to AI systems; GDPR applies to the processing of personal data. They operate in parallel. Article 10(5) of the AI Act permits processing of special-category data for bias detection and correction under strict conditions. A DPIA under GDPR and a Fundamental Rights Impact Assessment (FRIA) under the AI Act should be coordinated. See our EU AI Act service.

What is the relationship to ISO 27701?

ISO 27701 is a Privacy Information Management System extending ISO 27001 with controller-specific (Annex A) and processor-specific (Annex B) controls mapped to GDPR articles. Certification provides independent, internationally recognized evidence of an accountable privacy program. See our ISO 27701 service.

What does GDPR enforcement look like in practice?

The lead supervisory authority handles cross-border matters via the One-Stop-Shop mechanism. Investigations may be triggered by a complaint, a breach notification, or on the authority's own initiative. Cooperation under the Article 60 mechanism is required. Fines have escalated materially since 2020, with multi-hundred-million-euro fines now routine for the largest infringements.

How does UK GDPR differ from EU GDPR?

Substantively very similar. The ICO supervises in the UK. The Data (Use and Access) Act 2025 introduced certain reforms post-Brexit; verify the current text at ico.org.uk before relying on this comparison. For transfers from the EU to the UK, the UK currently benefits from an EU adequacy decision, but this is reviewable.

How does GDPR relate to CCPA / CPRA and other US state privacy laws?

US state laws (California CCPA / CPRA, Virginia VCDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA, plus the 2024–2026 wave including Texas TDPSA, Florida FDBR, Oregon OCPA, Montana MTCDPA, Delaware DPDPA, Iowa ICDPA, New Hampshire NHPA, New Jersey NJDPA, Tennessee TIPA, Indiana ICDPA, Minnesota MCDPA, Maryland MODPA, Rhode Island RIDTPA) build on GDPR concepts but use different terminology (controller → "business" or "controller"; data subject → "consumer"). A single privacy program can serve both with state-specific extensions.

13. Summary

GDPR is the most consequential general data protection law globally and the de facto template for privacy regulation worldwide. Compliance is operational — documented lawful basis, comprehensive ROPA, executed Article 28 contracts, transfer safeguards with TIAs, breach response readiness, and an accountable governance structure including a DPO where required. Most multinational programs build the foundation on ISO 27701 to provide internationally recognized assurance and rely on the ISO 27001 ISMS for Article 32 security of processing.

To scope an engagement, book a call from the GDPR compliance service page, or talk to us about combining GDPR with ISO 27701, ISO 27001, or EU AI Act for an integrated privacy and security program.
