GDPR in a Nutshell

GDPR Impact

  • Data subject rights enhanced and extended globally
  • Broadened scope of personal data
  • Increased corporate responsibility
  • Increased fines for non-compliance

The Three Pillars of GDPR Compliance

Data subject rights

  • Data subject informed consent
  • The right of the data subject to access their data
  • The right of the data subject to correct their data
  • The right of the data subject to withdraw consent and have their data removed
  • A defensible and secure data removal process
  • The right of the data subject to transfer their data (data portability)

Data subject protection

  • Limit collection
  • Limit processing
  • Limit data access
  • Complete audit trail and record
  • Ongoing data protection risk assessment and compliance

Breach response

  • Immediate investigation of the data exposed, its categories and the consequences
  • Mitigation of adverse impact on the data
  • Breach response plan
  • Notification of authorities (DPA)
  • Notification of data subjects

Key Questions To Ask

  • Do you need a data protection officer (see below)?
  • Do you have a data map of your organization?
  • How is protected data removed, and is the removal properly documented with an audit trail?
  • Have you properly notified data subjects of personal profiling and their rights, including the right to withdraw consent, and documented that notification?
  • Do your technology, data management practices, and record keeping comply with GDPR requirements?
  • Do you have an incident response plan and team in place to respond to breaches that may expose sensitive data, including GDPR notification protocols?
  • Does your C-suite have proper visibility and knowledge of corporate security protocols?

Do You Need to Appoint a Data Protection Officer?
If your business is based in the EU or does business there, and you can answer “yes” to any of the three questions below, you may need to appoint a DPO.

  1. Does an EU member state in which you operate require the appointment of a DPO?
  2. Do your core activities consist of processing personal data that requires regular and systematic monitoring of individuals or employees, and/or do you offer goods and services in the EU?
  3. Do your core activities consist of processing personal data in the special categories of data (Article 9(1) of the EU GDPR) on a large scale, or data about criminal convictions and offenses?


This material is for informational purposes only and not for the purpose of providing legal advice. You should contact your attorney to obtain advice with respect to any particular issue or problem. The opinions expressed are the opinions of the individual author and may not reflect the opinions of the company.