General Data Protection Regulation (GDPR) compliance

Key rights for data subjects

Subject access

Erasure ('Right to be forgotten')

Data portability


Restriction of processing

To object (including to marketing and to profiling)

Preventdirect marketing

Lawful and transparent

Principle 1:  Process lawfully, fairly and in a transparent manner. Enhanced protections exist for "special categories of personal data" (sensitive personal data) which requires consent be "explicit" if relied upon. 

Consent means "any freely given, specific, informed and unambiguousindication of the data subjects wishes by which he, by a statement or a clear affirmative action, signifies agreement to the processing of personal data relating to him or her"

  • Higher consent threshold –consent must be verifiable, distinguishable from other matters, intelligible and easily accessible
  • Data subjects may withdraw consent at any time –may not be the best basis for processing, consider also legitimate interests (for non-special data and where balanced with data subject interests), contractual and legal obligations, vital interests.

Transparency: providing required information elements e.g. in privacy policies and when obtaining consent.

Accountability -risk based compliance

Maintain records of processing activities

Privacy by design and default

Data protection impact assessments

  • prior consultation with supervisory authority if high risk

More requirements when engaging/contracting with data processors

DPO appointment if core activities involve on a large scale

  • regular or systematic monitoring of data subjects
  • processing sensitive personal data


Personal data breach notification

  • to supervisory authority – where feasible, not later than 72 hours after having become aware (unless unlikely to a risk to individuals
  • to the subject – where a high risk to individuals

Policies, training and implementation

Direct obligations for Processors

Processing must be governed by a contract with the controller

Require authorisation of Controller to subcontract

Data protection obligations must be flowed down to any subcontractors

Act only under instructions of the data controller

Maintain a record of processing activities carried out for a controller

Policies, documentation

Notify the controller of a personal data breach without undue delay

DPO appointment if core activities

  • require regular or systematic monitoring of data subjects on a large scale
  • consist of processing sensitive personal data on a large scale


Breach reporting to client –without undue delay

International transfers

General prohibition on personal data transfers outside the EEA is maintained