Kernel of Truth

🔐 GDPR: A Guide for Cybersecurity and Compliance Professionals

The General Data Protection Regulation (GDPR) is a landmark data privacy law that reshaped how organisations handle personal data. This page explains what GDPR is, why it was introduced, who it affects, and how it can be implemented effectively.

📘 What Is GDPR?

The General Data Protection Regulation (EU) 2016/679 is a European Union law that governs how organisations collect, process, and protect the personal data of individuals.

  • Adopted: 27 April 2016; entered into force 24 May 2016; applies since 25 May 2018
  • Applies to: any organisation processing the personal data of individuals in the EU/EEA, regardless of where the organisation itself is located
  • Main goal: to give individuals control over their personal data and to harmonise data protection law across the EU

🧭 Why Does GDPR Exist?

GDPR was introduced to:

  • Protect personal data in an era of digital transformation and global data exchange
  • Increase transparency and accountability from companies handling user data
  • Strengthen trust between organisations and individuals
  • Standardise data protection laws across all EU member states

👥 Who Does GDPR Affect?

GDPR applies to:

🏢 Organisations:

  • Organisations established in the EU, regardless of where the processing itself takes place
  • Organisations outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU (e.g. tracking website visitors with cookies)

🙋 Individuals:

  • Individuals in the EU and EEA (the "data subjects") whose personal data is collected, stored, or otherwise processed

📋 Key Rights for Individuals

GDPR gives individuals eight key rights:

  1. Right to be informed
  2. Right of access
  3. Right to rectification
  4. Right to erasure (right to be forgotten)
  5. Right to restrict processing
  6. Right to data portability
  7. Right to object
  8. Rights related to automated decision-making and profiling

⚙️ How to Implement GDPR in Your Organisation

Implementing GDPR requires both technical and organisational measures. Below is a high-level checklist to get started:

✅ 1. Data Mapping

  • Identify what personal data is collected, where it’s stored, and how it’s processed
  • Classify data according to sensitivity

✅ 2. Legal Basis for Processing

  • Determine the lawful basis (e.g. consent, contract, legal obligation) for each data processing activity

✅ 3. Privacy Policies

  • Ensure clear and accessible privacy notices are in place for users and employees

✅ 4. Security Controls

  • Implement encryption and pseudonymisation, access control, data minimisation, and secure data storage (Article 32 names encryption and pseudonymisation explicitly)
  • Use logging and monitoring (e.g. AWS CloudTrail, Splunk) to detect unauthorised access

✅ 5. Subject Rights Processes

  • Develop procedures for handling access requests, rectification, erasure, and data portability

✅ 6. Data Breach Readiness

  • Define a breach response plan and notification procedures
  • Report qualifying breaches to the supervisory authority within 72 hours of becoming aware of them, and notify affected individuals without undue delay when the breach is likely to result in a high risk to them

✅ 7. Vendor Management

  • Assess third-party processors for GDPR compliance
  • Sign Data Processing Agreements (DPAs) with service providers

✅ 8. Training & Awareness

  • Regularly train employees on GDPR, privacy best practices, and reporting mechanisms

✅ 9. Appoint a DPO (if required)

  • A Data Protection Officer is mandatory for public authorities, for organisations whose core activities involve regular and systematic monitoring of individuals on a large scale, and for those processing special-category (sensitive) data on a large scale
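The checklist above is policy; the following Python module is an added example (not code from this page or from any product) that shows how items 2, 4 and 5 can be made concrete in a data store. It keeps a per-subject secret key in a separate identity store, writes only pseudonymised, minimised records to the event store, serves an access/portability request as a machine-readable export, implements erasure by destroying the key (so that copies in backups or downstream exports can no longer be linked to the person), and keeps an audit trail of every access. The purposes, the allowed fields per purpose and the sample subject are all constructed for the demo.

```python
"""Added example: pseudonymised personal-data store with keyed erasure, subject
export and an access log. Not code from the page or any product.

Assumptions (hypothetical): per-subject HMAC keys live in an identity store that is
separate from the event store; the event store holds only pseudonymised records with
no direct identifiers; the purposes and allowed fields below are chosen for the demo.
"""
import hashlib
import hmac
import secrets
from datetime import datetime, timezone

# Data minimisation: the only fields each documented processing purpose may keep.
# Anything else (e-mail address, IP, free text, ...) is dropped before storage.
ALLOWED_FIELDS = {
    "billing": {"amount", "currency"},
    "analytics": {"page", "duration_s"},
}


class PersonalDataStore:
    def __init__(self):
        # Identity store: subject_id -> 32-byte secret key. This map is the only thing
        # that links a person to their records, so access to it must be tightly restricted.
        self._keys = {}
        # Event store: pseudonym -> records. Holds no direct identifiers.
        self._events = {}
        # Audit trail of every access to a subject's data (who, what, whom, when).
        self.audit_log = []

    def _log(self, actor, action, subject_id):
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "actor": actor, "action": action, "subject": subject_id,
        })

    def _pseudonym(self, subject_id):
        """HMAC-SHA256 of the identifier under the subject's own key; None if no key exists."""
        key = self._keys.get(subject_id)
        if key is None:
            return None
        return hmac.new(key, subject_id.encode(), hashlib.sha256).hexdigest()

    def register(self, subject_id):
        if subject_id not in self._keys:
            self._keys[subject_id] = secrets.token_bytes(32)

    def record(self, subject_id, purpose, fields):
        """Store a record under the subject's pseudonym, keeping only the fields the purpose allows."""
        if purpose not in ALLOWED_FIELDS:
            raise ValueError(f"no lawful basis documented for purpose {purpose!r}")
        pseudonym = self._pseudonym(subject_id)
        if pseudonym is None:
            return False  # unknown or already-erased subject: never silently re-create
        minimised = {k: v for k, v in fields.items() if k in ALLOWED_FIELDS[purpose]}
        self._events.setdefault(pseudonym, []).append({
            "purpose": purpose,
            "recorded_at": datetime.now(timezone.utc).isoformat(),
            "data": minimised,
        })
        return True

    def subject_data(self, subject_id, actor):
        """Right of access / portability: every record held on the subject, as plain dicts
        (pass to json.dumps for a machine-readable export). None if nothing is linkable."""
        self._log(actor, "export", subject_id)
        pseudonym = self._pseudonym(subject_id)
        if pseudonym is None:
            return None
        return {"subject": subject_id, "records": list(self._events.get(pseudonym, []))}

    def erase(self, subject_id, actor):
        """Right to erasure: delete the records we can reach, then destroy the key.
        Once the key is gone, copies in backups or downstream exports can no longer be
        re-linked to the person; key destruction is the property to rely on."""
        self._log(actor, "erase", subject_id)
        pseudonym = self._pseudonym(subject_id)
        if pseudonym is None:
            return False
        self._events.pop(pseudonym, None)
        del self._keys[subject_id]
        return True


if __name__ == "__main__":
    store = PersonalDataStore()
    store.register("alice@example.com")  # constructed sample subject
    store.record("alice@example.com", "billing",
                 {"amount": 12, "currency": "EUR", "email": "alice@example.com"})  # e-mail is dropped
    print(store.subject_data("alice@example.com", actor="dsar-desk"))
    print(store.erase("alice@example.com", actor="dsar-desk"))
    print(store.subject_data("alice@example.com", actor="dsar-desk"))  # None once the key is gone
    print(store.audit_log)
```

Two design points worth noting: the `record` method refuses purposes without a documented lawful basis, which is the technical hook for checklist item 2, and erasure deliberately destroys the key rather than relying solely on deleting rows, because the rows you cannot reach (backups, analytics copies) are exactly the ones that matter for the right to be forgotten.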

🚨 Penalties for Non-Compliance

Organisations in breach of GDPR can face administrative fines of up to:

  • €20 million or
  • 4% of total worldwide annual turnover for the preceding financial year, whichever is higher

A lower tier of €10 million or 2% of turnover applies to less serious infringements, such as failures in record-keeping, security measures or breach notification.

🧰 Useful Tools for GDPR Compliance

  • Amazon Macie / Microsoft Purview (formerly Azure Purview) – Discover and classify personal data
  • Splunk – Monitor and audit data access
  • Atlan – Manage data governance and access
  • Data Protection Impact Assessment (DPIA) templates – Evaluate the risk of high-risk processing, as required by Article 35
