We use strictly necessary cookies to run this site, and — only with your consent — analytics & marketing cookies (Google Analytics, Google Tag Manager) to improve it. No analytics or marketing cookies are set unless you accept. See our Cookie Policy and Privacy Policy.

Knowledge Center / GDPR
European Union · EU / EEA

GDPR

The EU regulation governing the processing of personal data.

Introduction: The General Data Protection Regulation (GDPR)

The General Data Protection Regulation (Regulation (EU) 2016/679) is the European Union's flagship data protection law. Adopted on 27 April 2016 and enforceable from 25 May 2018, it repealed the earlier Data Protection Directive 95/46/EC and established a single, directly-applicable regime across all EU and EEA member states. Unlike a directive, a regulation does not require national transposition: its articles apply of their own force, giving organisations one harmonised rulebook rather than 27 divergent national laws. For any organisation that touches the personal data of individuals in the EU or EEA, GDPR is the benchmark against which privacy maturity, lawful processing and accountability are judged.

This guide is an auditor-grade deep-dive written for privacy officers, Data Protection Officers (DPOs), CISOs, legal counsel and compliance teams who must scope, implement, assess and evidence GDPR conformity. It walks through the full text architecture (11 chapters, 99 articles, 173 recitals), the seven data-protection principles, the data-subject rights, the accountability obligations of controllers and processors, cross-border transfer mechanisms, breach-notification duties, and the supervisory-authority enforcement model. Throughout, the emphasis is on what an assessor actually verifies and the evidence they expect to see.

Copyright and source note
GDPR (Regulation (EU) 2016/679) is published in the Official Journal of the European Union. The consolidated official text is available on EUR-Lex and may be reproduced subject to the EU reproduction policy, but this guide does not reproduce the regulation verbatim. All commentary, checklists, tables and interpretations below are original work authored by CyberSigma for educational purposes and must not be treated as legal advice. Article and recital numbers are cited as factual references only. Always consult the authoritative EUR-Lex text and, where required, qualified legal counsel.

What is GDPR?

GDPR is a comprehensive, principles-based and risk-based data protection law. It regulates the processing of personal data — any information relating to an identified or identifiable natural person (the 'data subject') — by 'controllers' (who determine the purposes and means of processing) and 'processors' (who process on a controller's behalf). Processing is defined extremely broadly and includes collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, alignment, restriction, erasure and destruction — whether automated or manual within a filing system.

The regulation rests on the principle of accountability: it is not enough to comply, an organisation must be able to demonstrate compliance. It grants individuals a robust set of enforceable rights, imposes strict conditions on consent, mandates data protection by design and by default, requires records of processing activities, obliges Data Protection Impact Assessments for high-risk processing, and enforces a 72-hour breach-notification clock. Enforcement is backed by administrative fines of up to EUR 20 million or 4% of total worldwide annual turnover of the preceding financial year, whichever is higher.

Key concepts and definitions (Article 4)

TermMeaning in GDPR
Personal dataAny information relating to an identified or identifiable natural person (name, ID number, location data, online identifier, or factors specific to physical, physiological, genetic, mental, economic, cultural or social identity).
Special category dataData revealing racial/ethnic origin, political opinions, religious/philosophical beliefs, trade-union membership, genetic data, biometric data for unique identification, health, sex life or sexual orientation (Article 9).
ProcessingAny operation performed on personal data, automated or not — collection to destruction.
ControllerThe entity that alone or jointly determines the purposes and means of processing.
ProcessorThe entity that processes personal data on behalf of the controller.
Data subjectThe identified or identifiable natural person to whom the personal data relates.
PseudonymisationProcessing such that data can no longer be attributed to a subject without separately-kept additional information.
ConsentFreely given, specific, informed and unambiguous indication of the data subject's wishes by a clear affirmative action.
Supervisory authorityAn independent public authority (e.g. the ICO, CNIL, DPC) established by a member state to monitor GDPR application.

Who must comply with GDPR?

GDPR has a deliberately wide territorial scope defined by Article 3. It applies far beyond the EU's borders, capturing organisations anywhere in the world that target or monitor individuals in the Union. Understanding the three triggering tests below is the first scoping decision every organisation must make.

Applicability trigger (Article 3)ExplanationExample
Establishment in the EU/EEA (Art. 3(1))Processing in the context of the activities of an establishment of a controller or processor in the Union, regardless of where the processing occurs.A German manufacturer processing customer data on servers in the United States.
Offering goods or services (Art. 3(2)(a))A controller/processor outside the EU offering goods or services (paid or free) to data subjects in the Union.An Indian SaaS firm with a euro-priced pricing page and EU-language support targeting EU buyers.
Monitoring behaviour (Art. 3(2)(b))A controller/processor outside the EU monitoring the behaviour of data subjects insofar as it takes place within the Union.A US analytics company tracking EU website visitors via cookies for behavioural profiling.
Public international law (Art. 3(3))Where member-state law applies by virtue of public international law.An EU member state's diplomatic mission abroad.

Roles that attract specific obligations

  • Controllers — bear primary accountability for lawful processing, transparency, rights fulfilment and security.
  • Processors — have direct statutory obligations (records, security, breach notification to the controller, sub-processor controls) under Article 28 and Article 32.
  • Joint controllers — must define respective responsibilities via a transparent arrangement (Article 26).
  • Non-EU organisations caught by Article 3(2) — must designate an EU representative (Article 27) unless an exemption applies.
  • Organisations whose core activities involve large-scale monitoring or large-scale special-category processing — must appoint a Data Protection Officer (Article 37).

Structure of GDPR: chapters, principles and control domains

The regulation comprises 99 articles grouped into 11 chapters, supported by 173 recitals that aid interpretation. For assessment purposes it is helpful to view GDPR as a set of control domains that map onto the chapters and the seven principles. The table below summarises the architecture an assessor navigates.

ChapterArticlesDomain / themeWhat it governs
I — General provisions1–4Scope and definitionsSubject matter, material and territorial scope, key definitions.
II — Principles5–11Data-protection principles and lawful basesThe seven principles, lawful bases, consent, children, special categories, criminal-conviction data.
III — Rights of the data subject12–23Data-subject rightsTransparency, access, rectification, erasure, restriction, portability, objection, automated decision-making, restrictions.
IV — Controller and processor24–43Accountability and governanceResponsibility, DPbDD, joint controllers, representatives, processors, records, security, DPIA, prior consultation, DPO, codes/certification.
V — Transfers to third countries44–50International data transfersAdequacy decisions, appropriate safeguards (SCCs, BCRs), derogations, international cooperation.
VI — Independent supervisory authorities51–59Supervisory authoritiesEstablishment, independence, competence, tasks and powers of SAs.
VII — Cooperation and consistency60–76One-stop-shop and EDPBLead authority, mutual assistance, consistency mechanism, the European Data Protection Board.
VIII — Remedies, liability, penalties77–84EnforcementComplaints, judicial remedies, compensation, administrative fines, penalties.
IX — Specific processing situations85–91Special contextsFreedom of expression, public access, national ID numbers, employment, research, churches.
X — Delegated and implementing acts92–93Rule-makingCommission's delegated and implementing powers.
XI — Final provisions94–99Transitional and finalRepeal of Directive 95/46/EC, relationship with other instruments, entry into force.

The seven data-protection principles (Article 5)

PrincipleRequirement in brief
Lawfulness, fairness and transparencyProcess lawfully, fairly and in a transparent manner in relation to the data subject.
Purpose limitationCollect for specified, explicit and legitimate purposes; do not further process incompatibly.
Data minimisationAdequate, relevant and limited to what is necessary for the purposes.
AccuracyKeep accurate and up to date; erase or rectify inaccurate data without delay.
Storage limitationKeep in identifiable form no longer than necessary for the purposes.
Integrity and confidentialityEnsure appropriate security including protection against unauthorised/unlawful processing and accidental loss.
AccountabilityThe controller is responsible for, and must be able to demonstrate compliance with, all the above.

Master assessment checklist

This is the core of the guide. It enumerates every GDPR control domain that an auditor must examine, grouped by theme. For each group, the table sets out precisely what to verify and the typical evidence an assessor expects. Do not treat any group as optional — a defensible GDPR assessment must cover all of them.

1. Lawful basis and the principles (Articles 5–6)

What to verifyTypical evidence
Every processing activity is mapped to one of the six lawful bases (consent, contract, legal obligation, vital interests, public task, legitimate interests).Record of Processing Activities (RoPA) with lawful-basis column; lawful-basis assessment log.
Legitimate-interests processing is supported by a documented three-part balancing test (LIA).Legitimate Interests Assessments; DPO sign-off.
Processing is limited to specified, explicit and legitimate purposes with no incompatible further use.Purpose statements in RoPA; compatibility assessments for secondary use.
Data minimisation and storage limitation are enforced against each purpose.Data-flow diagrams; retention schedule; field-level necessity review.
Accuracy controls exist to keep data current and correct errors.Data-quality procedures; rectification workflow logs.

2. Consent (Article 7) and children's consent (Article 8)

What to verifyTypical evidence
Consent is freely given, specific, informed and unambiguous via a clear affirmative act (no pre-ticked boxes).Consent-capture UI screenshots; consent copy; audit of no bundled consent.
Consent records demonstrate who consented, when, to what and how.Consent management platform (CMP) logs with timestamps and versioned notices.
Withdrawal of consent is as easy as giving it, and is honoured.Preference centre; unsubscribe/withdrawal flow evidence; downstream suppression.
Where information services are offered to children, parental consent is verified below the applicable age (13–16 by member state).Age-gating logic; parental-verification records; member-state age configuration.

3. Special-category and criminal-conviction data (Articles 9–10)

What to verifyTypical evidence
Special-category processing meets an Article 9(2) condition (explicit consent, employment law, vital interests, etc.).Article 9 condition mapping; explicit-consent records; appropriate-policy document.
Criminal-conviction data is processed only under official authority or authorised law (Article 10).Legal-basis note; DPIA covering the processing.
Additional safeguards apply to health, genetic and biometric data.Enhanced access controls; encryption; DPIA for biometrics.

4. Transparency and privacy information (Articles 12–14)

What to verifyTypical evidence
Privacy notices contain all Article 13/14 mandatory content (identity, purposes, lawful basis, recipients, transfers, retention, rights).Layered privacy notice; content-completeness checklist.
Information is concise, transparent, intelligible and in clear language.Readability review; multi-language notices.
Information is provided at collection (Art. 13) and within one month where data is obtained indirectly (Art. 14).Notice-timing procedures; just-in-time notice screenshots.

5. Data-subject rights (Articles 15–22)

What to verifyTypical evidence
A documented procedure exists to handle all rights within one month (extendable by two).DSAR procedure; request-log with SLA tracking.
Right of access delivers a copy of data plus supplementary information (Art. 15).Fulfilled access packs; identity-verification records.
Rectification and erasure ('right to be forgotten') are actioned and propagated to recipients (Arts. 16–17, 19).Erasure workflow logs; downstream/third-party notification evidence.
Restriction and data portability (structured, machine-readable format) are supported (Arts. 18, 20).Portability export samples; restriction flags in systems.
Right to object, including to direct marketing, is honoured without exception for marketing (Art. 21).Objection handling logs; marketing suppression lists.
Solely automated decisions with legal/significant effect meet Article 22 safeguards (human intervention, contest, explanation).Automated-decision inventory; human-review process; logic-explanation notices.

6. Accountability and governance (Articles 24–25, 30)

What to verifyTypical evidence
The controller implements appropriate technical and organisational measures and can demonstrate them (Art. 24).Data protection policy suite; governance minutes; measures register.
Data protection by design and by default is embedded in projects and systems (Art. 25).DPbDD checklists; default-setting configurations; project gate records.
A Record of Processing Activities is maintained by controller and processor (Art. 30).RoPA covering purposes, categories, recipients, transfers, retention, security.

7. Joint controllers and representatives (Articles 26–27)

What to verifyTypical evidence
Joint-controller arrangements transparently allocate responsibilities and a point of contact.Signed joint-controller agreements; essence made available to data subjects.
Non-EU controllers/processors caught by Art. 3(2) have designated an EU representative in writing.Article 27 representative appointment; contact published in notices.

8. Processor management (Article 28)

What to verifyTypical evidence
Every processor is engaged under a written contract with all Article 28(3) mandatory clauses.Data Processing Agreements (DPAs); clause-completeness matrix.
Processors provide sufficient guarantees and are subject to due diligence.Vendor security assessments; SOC 2 / ISO 27001 certificates; audit rights.
Sub-processors are only engaged with authorisation and flow-down obligations.Sub-processor list; authorisation records; flow-down contract evidence.

9. Security of processing (Article 32)

What to verifyTypical evidence
Security measures are appropriate to risk, considering pseudonymisation, encryption, CIA and resilience.Risk assessment; encryption standards; access-control policy; ISMS documentation.
Ability to restore availability and access after an incident is tested.Backup and restore test reports; disaster-recovery plans.
A process regularly tests and evaluates effectiveness of measures.Penetration test reports; vulnerability scans; control-review cadence.

10. Personal data breaches (Articles 33–34)

What to verifyTypical evidence
Breaches are notified to the supervisory authority within 72 hours where risk to rights and freedoms exists.Breach register; SA notification records with timestamps; risk-assessment rationale.
High-risk breaches are communicated to affected data subjects without undue delay.Data-subject notification templates and dispatch logs.
Processors notify controllers without undue delay on becoming aware.Processor breach-notification clauses; incident-communication logs.
All breaches (notifiable or not) are documented internally.Internal breach log with facts, effects and remedial action.

11. Data Protection Impact Assessment and prior consultation (Articles 35–36)

What to verifyTypical evidence
High-risk processing triggers a DPIA (large-scale special category, systematic monitoring, new tech, profiling).DPIA register; completed DPIAs with risk treatment; SA blacklist mapping.
The DPO is consulted and risks are mitigated to acceptable levels.DPO advice records; residual-risk sign-off.
Prior consultation with the SA occurs where high residual risk remains.Prior-consultation correspondence; SA advice retained.

12. Data Protection Officer (Articles 37–39)

What to verifyTypical evidence
A DPO is appointed where mandatory and their contact is published and notified to the SA.DPO appointment letter; published contact; SA notification.
The DPO has expertise, independence, resources and reports to the highest management level.Role description; reporting line; no-conflict-of-interest attestation.
The DPO performs monitoring, advice, training, DPIA support and SA liaison.DPO activity reports; training records; audit involvement.

13. International transfers (Articles 44–50)

What to verifyTypical evidence
Transfers to third countries rely on adequacy, appropriate safeguards, or a valid derogation.Transfer register; adequacy-decision references; safeguard mechanism per flow.
Where no adequacy applies, SCCs or BCRs are in place with a Transfer Impact Assessment.Signed Standard Contractual Clauses; approved BCRs; TIA documentation.
Onward transfers and supplementary measures are addressed (post-Schrems II).Supplementary technical/organisational measures; encryption-in-transit evidence.

14. Codes of conduct, certification and cooperation (Articles 40–43, 60–76)

What to verifyTypical evidence
Adherence to any code of conduct or certification is genuine and monitored.Certification scope statements; monitoring-body reports.
The lead supervisory authority (one-stop-shop) is correctly identified for cross-border processing.Main-establishment analysis; lead-SA determination note.

15. Enforcement readiness (Articles 77–84)

What to verifyTypical evidence
Complaint-handling and data-subject remedy routes are documented and staffed.Complaints procedure; SA liaison contact; response-time metrics.
The organisation understands its fine exposure and has liability/insurance arrangements considered.Risk register entry; cyber/liability insurance policy; board briefing.

Scoping a GDPR assessment

Scoping determines the boundary of the assessment and prevents both under-coverage (regulatory exposure) and over-coverage (wasted effort). A rigorous GDPR scope answers: which entities, which processing activities, which data categories, which systems and which geographies fall within the regulation, and in what role the organisation acts.

  1. Confirm territorial applicability against Article 3 (establishment, offering, monitoring) for each business line.
  2. Determine the organisation's role per processing activity — controller, joint controller or processor — as this drives obligations.
  3. Inventory all processing activities and build or refresh the Record of Processing Activities as the scoping backbone.
  4. Classify data categories, flagging special-category and criminal-conviction data for heightened treatment.
  5. Map data flows end-to-end, including sub-processors and international transfers, to reveal hidden scope.
  6. Identify the lead supervisory authority and main establishment for cross-border processing.
  7. Define the systems, applications and physical locations in scope, plus third parties and cloud services.
  8. Document exclusions and their justification (e.g. household exemption, purely non-EU activity) for auditability.
Scoping pitfall
The most common scoping error is treating GDPR as an IT project confined to customer databases. In reality it captures HR/employee data, marketing lists, CCTV, vendor contacts, website analytics and shadow-IT spreadsheets. Build the RoPA from business-process interviews, not just system inventories, or you will miss processing that carries real exposure.

Implementation approach: a phased programme

GDPR conformity is best delivered as a structured programme rather than a one-off remediation. The following five-phase approach sequences activities from discovery to sustained operation, with clear deliverables at each gate.

Phase 1 — Discovery and data mapping

  • Activities: stakeholder interviews, data-flow mapping, system inventory, role determination, initial applicability analysis.
  • Deliverables: Record of Processing Activities, data-flow diagrams, data-inventory catalogue, applicability memo.

Phase 2 — Gap assessment

  • Activities: assess each control domain against the master checklist, review policies, contracts, notices and security measures, rate maturity.
  • Deliverables: gap-analysis report, risk register, prioritised remediation roadmap, maturity baseline.

Phase 3 — Remediation and design

  • Activities: draft/refresh policies and privacy notices, implement consent and rights workflows, remediate DPAs and transfer mechanisms, embed DPbDD, deploy security controls.
  • Deliverables: policy suite, DSAR procedure, DPA templates, SCC/TIA package, DPbDD gate, updated notices.

Phase 4 — Operationalisation

  • Activities: appoint/confirm DPO, roll out training and awareness, stand up breach-response and DPIA processes, implement retention automation.
  • Deliverables: DPO appointment, training records, breach-response playbook, DPIA methodology, retention schedule live.

Phase 5 — Monitoring, audit and continuous improvement

  • Activities: internal audits, KPI reporting, vendor re-assessments, management review, horizon-scanning for EDPB guidance and case law.
  • Deliverables: audit reports, KPI dashboard, management-review minutes, updated risk register, improvement backlog.

Maturity and capability model

GDPR does not prescribe a maturity model, but a capability model is invaluable for benchmarking progress and communicating with the board. The five-level model below is aligned to common privacy-maturity frameworks and lets an assessor score each control domain consistently.

LevelNameDescriptionTypical characteristics
0Non-existentNo awareness or activity; processing occurs without controls.No RoPA, no notices, no lawful-basis analysis; ad hoc breach handling.
1Initial / ad hocSome awareness; controls exist informally and inconsistently.Draft policies, isolated efforts, reliance on individuals.
2RepeatableBasic processes defined but not fully documented or enforced.RoPA started, notices in place, DSAR handled reactively.
3DefinedDocumented, standardised processes across the organisation.Full RoPA, DPA templates, DPIA methodology, trained staff.
4ManagedProcesses are measured, monitored and controlled with metrics.KPI dashboards, internal audit, vendor cadence, DPbDD gates.
5OptimisedContinuous improvement driven by measurement and lessons learned.Automated retention/consent, proactive DPIA, near-real-time breach detection.

Assessment and audit approach

A defensible GDPR audit follows a repeatable methodology so that findings are evidence-based, consistent and reproducible. The following steps describe how CyberSigma conducts a GDPR assessment engagement.

  1. Define objectives, scope and success criteria with the sponsor; confirm role, entities and geographies in scope.
  2. Assemble and review documentation: RoPA, policies, notices, DPAs, DPIAs, breach log, training records, transfer mechanisms.
  3. Conduct stakeholder interviews across legal, security, HR, marketing, IT and product to validate documented practice.
  4. Walk through data flows and test controls end-to-end, including a sample DSAR and a tabletop breach exercise.
  5. Assess each master-checklist domain, scoring maturity and identifying gaps against the regulation and EDPB guidance.
  6. Perform targeted technical validation: access controls, encryption, retention enforcement, cookie/consent behaviour, transfer safeguards.
  7. Rate risks by likelihood and impact, considering data volume, sensitivity and number of data subjects affected.
  8. Produce a findings report with prioritised, actionable remediation and a maturity baseline.
  9. Present to management, agree remediation ownership and timelines, and schedule re-assessment.

Evidence request list

The following categorised evidence list is what an assessor typically requests at the outset of a GDPR engagement. Providing it upfront accelerates the assessment and demonstrates accountability.

  • Governance: data protection policy suite, DPO appointment and job description, governance/steering committee minutes, accountability framework.
  • Processing records: Record of Processing Activities (controller and processor), data-flow diagrams, data inventory/classification.
  • Lawful basis and consent: lawful-basis register, Legitimate Interests Assessments, consent-capture screenshots and CMP logs, withdrawal flows.
  • Transparency: layered privacy notices, cookie policy, just-in-time notices, employee/HR privacy notice.
  • Data-subject rights: DSAR procedure, request log with SLA tracking, sample fulfilled requests, identity-verification approach.
  • Third parties: Data Processing Agreements, sub-processor list, vendor security assessments, audit rights evidence.
  • International transfers: transfer register, Standard Contractual Clauses, BCRs, Transfer Impact Assessments, supplementary measures.
  • Security: risk assessments, ISMS/ISO 27001 documentation, encryption standards, access-control policy, penetration-test reports, backup/restore tests.
  • Breach management: breach register, breach-response playbook, SA and data-subject notification templates and records.
  • Impact assessments: DPIA register, completed DPIAs, DPIA methodology, prior-consultation correspondence.
  • Training and awareness: training materials, completion records, phishing/awareness campaign results.
  • Retention: retention schedule, deletion/anonymisation logs, storage-limitation enforcement evidence.

Roles and responsibilities

RoleGDPR responsibilities
Board / senior managementOwn accountability, allocate resources, approve the privacy programme, receive risk reporting.
Data Protection Officer (DPO)Monitor compliance, advise on DPIAs, train staff, act as SA and data-subject contact, report to top management.
Controller (business owners)Determine purposes and means, ensure lawful basis, fulfil transparency and rights, embed DPbDD.
Processor / vendor managersProcess only on instruction, meet Article 28/32 duties, manage sub-processors, notify breaches.
CISO / security teamImplement and test Article 32 security measures, manage incidents, support DPIAs.
Legal / privacy counselInterpret obligations, draft DPAs and SCCs, manage regulatory correspondence and litigation risk.
HRManage employee-data processing, retention and transparency; handle worker rights requests.
MarketingEnsure lawful marketing, consent/objection handling, cookie compliance, suppression lists.
IT / engineeringBuild DPbDD into systems, enforce retention and access controls, enable portability and erasure.
EU representative (Art. 27)Act as local contact point for SAs and data subjects for non-EU organisations.

KPIs to track

  • Percentage of processing activities recorded in the RoPA with a valid lawful basis.
  • Data-subject requests received, and percentage fulfilled within the statutory one-month deadline.
  • Number of personal data breaches, and percentage notified to the SA within 72 hours where required.
  • Number of DPIAs completed for high-risk processing versus triggers identified.
  • Percentage of processors under a compliant DPA, and vendor re-assessment coverage.
  • Percentage of international data flows covered by a valid transfer mechanism and current TIA.
  • Staff training completion rate and time-to-completion for new joiners.
  • Consent withdrawal and marketing-objection processing time and success rate.
  • Percentage of systems meeting retention-schedule enforcement.
  • Open privacy findings by risk rating and mean time to remediation.
  • Number of complaints to the organisation and to supervisory authorities.
  • Privacy-programme maturity score per control domain over time.

Readiness checklist

  • Territorial applicability and organisational role confirmed for every processing activity.
  • Record of Processing Activities complete, current and covers controller and processor roles.
  • Every processing activity has a documented lawful basis (with LIAs where relevant).
  • Privacy notices contain all Article 13/14 content and are provided at the right time.
  • Consent is captured with clear affirmative action and withdrawal is honoured.
  • Special-category and criminal-conviction data meet Article 9/10 conditions.
  • A documented DSAR procedure fulfils all rights within one month.
  • Data protection by design and by default is embedded in projects.
  • All processors are engaged under compliant Article 28 DPAs with sub-processor controls.
  • Article 32 security measures are implemented, tested and appropriate to risk.
  • A breach-response plan meets the 72-hour SA notification clock and covers subject communication.
  • DPIAs are performed for high-risk processing with DPO involvement.
  • A DPO is appointed where required, independent, resourced and published.
  • International transfers rely on adequacy, SCCs/BCRs and a Transfer Impact Assessment.
  • An EU representative is designated where Article 27 applies.
  • Retention schedules are enforced and data is deleted/anonymised when no longer needed.
  • Staff training and awareness are current and evidenced.
  • Internal audit, KPI reporting and management review are operating.

Common gaps

  • Incomplete or stale RoPA that misses HR, marketing, CCTV and shadow-IT processing.
  • Reliance on consent where another lawful basis is more appropriate, or invalid pre-ticked/bundled consent.
  • Missing or generic Legitimate Interests Assessments that lack a genuine balancing test.
  • Privacy notices omitting retention periods, transfer details or the lawful basis.
  • DSAR processes that exceed the one-month deadline or fail to propagate erasure to third parties.
  • Vendor contracts lacking full Article 28(3) clauses or unmanaged sub-processors.
  • International transfers without SCCs, BCRs or a post-Schrems II Transfer Impact Assessment.
  • Breach processes that cannot demonstrably meet the 72-hour notification window.
  • High-risk processing (profiling, biometrics, monitoring) launched without a DPIA.
  • No enforced retention schedule, leading to indefinite storage in breach of storage limitation.
  • Cookies and web trackers deployed before consent, contrary to ePrivacy and GDPR consent standards.
  • Automated decision-making lacking Article 22 safeguards (human intervention, explanation, contest).

GDPR mapped to other frameworks

GDPR obligations overlap substantially with other privacy and security frameworks. Mapping controls lets organisations reuse evidence and avoid duplicated effort across audits. The table below indicates representative alignments — not one-to-one equivalences.

GDPR areaISO/IEC 27701 (PIMS)ISO/IEC 27001NIST Privacy FrameworkIndia DPDP Act 2023Other
Accountability / governance5.2 leadership; 7.2 PII controller controlsClause 5 leadership; A.5 policiesGOVERN functionData Fiduciary obligations (Sec. 8)SOC 2 CC1
Lawful basis / consent7.2.2 identify lawful basis; 7.3.2 consentCONTROL-PConsent and notice (Sec. 5–7)CCPA/CPRA notice
Data-subject rights7.3 obligations to PII principalsCONTROL-P; COMMUNICATE-PRights of Data Principal (Sec. 11–14)CCPA consumer rights
Security of processing6.x information security controlsA.8 technological; A.5 organisationalPROTECT-PReasonable security safeguards (Sec. 8(5))SOC 2 CC6; PCI DSS
Breach notification6.13 incident managementA.5.24–A.5.28 incident managementPROTECT-P; RESPONDBreach notification to Board and PrincipalNIS2; SOC 2 CC7
DPIA / risk7.2.5 assess privacy riskClause 6 risk; A.5.35 reviewIDENTIFY-P; risk assessmentNIST 800-30
International transfers7.5 PII transfersCross-border transfer rules (Sec. 16)APEC CBPR
Processor management8.x PII processor controls; 7.2.6A.5.19–A.5.23 supplierData Processor obligationsSOC 2 CC9
How CyberSigma helps
CyberSigma delivers end-to-end GDPR readiness: applicability and role analysis, RoPA build and data mapping, gap assessment against the full master checklist, and prioritised remediation. Our CERT-In empanelled and QSA-qualified assessors draft policies and privacy notices, engineer consent and data-subject-rights workflows, remediate DPAs and international-transfer mechanisms (SCCs, BCRs and Transfer Impact Assessments), operationalise DPIAs and 72-hour breach response, and provide fractional DPO services. We align GDPR evidence with ISO 27701, ISO 27001, SOC 2 and India's DPDP Act so you audit once and satisfy many. Talk to CyberSigma to move from ad hoc compliance to a measured, board-ready privacy programme.
Free 1-minute check
DPDP Readiness Checker
Check your readiness for India’s DPDP Act and see your priority gaps — free.
Try it free →

Frequently asked questions

Does GDPR apply to companies outside the EU?
Yes. If you offer goods/services to, or monitor, individuals in the EU/EEA, GDPR applies regardless of your location.
GDPR vs India’s DPDP Act — how do they compare?
Both are consent- and rights-based privacy laws with similar principles. DPDP is India-specific with its own penalty structure; a GDPR programme gives you a strong head start on DPDP.
Related reading

Need help with GDPR?

CERT-In empanelled, PCI QSA senior auditors can take you from reading about it to compliant — with a scoped, guided programme.