Storing Data in Accordance with GDPR

In This Article

Your Responsibility When Holding Personal Data

GDPR stands for General Data Protection Regulation. It is a set of regulations implemented by the European Union (EU) in May 2018 to enhance the protection of personal data of EU citizens. The GDPR is applicable to all organizations, regardless of their location, that process personal data of individuals within the EU.

The main aim of GDPR is to ensure that individuals have more control over their personal data, and that organizations are transparent about how they collect, store, and use such data. GDPR also gives individuals the right to access, correct, and delete their personal data held by organizations.

Organizations that fail to comply with GDPR can be fined up to €20 million or 4% of their annual global revenue, whichever is higher. This has led many organizations to take data privacy and protection more seriously, and to implement new policies and procedures to ensure compliance with GDPR.

GDPR Compliance

Ensuring GDPR compliance involves a comprehensive approach that encompasses various aspects of data handling and protection. Here’s a more detailed step-by-step guide:

  1. Understand Applicability:

    • Determine whether your organization is subject to GDPR based on the location of data subjects (EU citizens) you process data about.


  1. Data Mapping and Audit:

    • Identify and document all the personal data your organization processes, including what data you collect, where it’s stored, who has access, and how it’s used.

  2. Legal Basis for Processing:

    • Establish a lawful basis for processing personal data. Common legal bases include consent, contract fulfillment, legal obligation, vital interests, public task, and legitimate interests.

  3. Consent Management:

    • If relying on consent, ensure that it’s freely given, specific, informed, and unambiguous. Obtain explicit consent when processing sensitive data.

  4. Transparency and Privacy Notices:

    • Provide clear and concise privacy notices that explain how you collect, use, and share personal data. Inform individuals about their rights under GDPR.

  5. Individual Rights:

    • Implement processes to facilitate the exercise of data subjects’ rights, including access, rectification, erasure, restriction, data portability, and objection.

  6. Data Security:

    • Implement appropriate technical and organizational measures to ensure the security and confidentiality of personal data. This may include encryption, access controls, regular security assessments, and incident response plans.

  7. Data Protection Impact Assessments (DPIAs):

    • Conduct DPIAs for high-risk processing activities to assess potential impacts on data subjects’ privacy. Implement necessary mitigations based on the assessment.

  8. Data Breach Management:

    • Develop a data breach response plan outlining the steps to take in the event of a data breach. Report significant breaches to the relevant supervisory authority within 72 hours of discovery.

  9. Processor Agreements:

    • If you share data with third-party processors, establish GDPR-compliant data processing agreements that outline each party’s responsibilities and obligations.

  10. International Data Transfers:

    • If transferring data outside the EU/EEA, ensure the destination country offers adequate data protection or implement appropriate safeguards such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs).

  11. Staff Training and Awareness:

    • Train your employees on GDPR principles, processes, and best practices for handling personal data.

  12. Document Processes and Policies:

    • Document all GDPR-related processes and policies, including data protection policies, consent forms, privacy impact assessments, and breach notification procedures.

  13. Regular Compliance Review:

    • Regularly review and update your GDPR compliance efforts to ensure ongoing adherence to regulations and evolving best practices.

  14. Designate a Data Protection Officer (DPO):

    • If required by GDPR, appoint a DPO to oversee data protection efforts and act as a point of contact for data subjects and supervisory authorities.

  15. Stay Informed:

    • Keep up to date with changes in GDPR regulations and guidance provided by supervisory authorities.

Remember that GDPR compliance is an ongoing process, and it’s essential to embed privacy and data protection into your organization’s culture and operations. If in doubt, seek legal counsel or consult with privacy experts to ensure that your practices align with GDPR requirements.

Integrating Technology Tips:
More on Cyber-Security

GDPR is a specific sub-topic within the topic of Cyber-Security. Our article, creating Cyber-Security policy covers a variety of other sub-topics.

For further information on Cyber-Security as a whole please visit our Security page below.

More Articles