10 GDPR requirements you need to get your head around

Published on:
June 8, 2022
|
Reading time:
5 min.
WRITTEN BY
Emil Galletta Rene
Assistant attorney
TABLE OF CONTENTS

Want to know more about GDPR requirements?

Find everything you need in "The Little Guide to GDPR" - a straightforward breakdown of key obligations.

All entities (business or organization) are obligated to comply with the General Data Protection Regulation – also known as GDPR. This means that entities that process personal data must comply with the rules applicable to the protection and processing of such data.

Below, we guide you through the 10 rules that you must understand to ensure compliance with the GDPR.

1. Lawful basis for processing

To process personal data, you must have a lawful basis.

This means that you only are allowed to carry out the processing if you have a lawful basis.

In the General Data Protection Regulation (GDPR), Article 6, there are six lawful bases for processing personal data, for example, consent, the performance of the contract, and legitimate interest.

You must always be able to document that the processing of personal data is conducted lawfully, fairly, and in a transparent manner in relation to the data subject.

2. Records

GDPR, Article 30, requires that both the controller and the processor must keep a record of all processing activities shall be maintained.


A record is an overview of all the processing activities of personal data taking place in your organization.

Both the controller and the processor must keep a record of the processing activities.

Having a record makes you able to document that a given processing activity complies with the GDPR.


The requirement to maintain a record is two-fold:

  1. To contribute to the overall documentation of compliance with the data protection rules.
  2. To ensure that the controller has and maintains the required overview.

3. Privacy policies

GDPR, Articles 13 and 14, provide that all processing of personal data must be lawful, fair, and transparent.

A controller is therefore obliged to inform individuals when their data is processed.


To comply with this duty of disclosure, the organization may draft privacy policies.

This policy must address each specific group of data subjects and the particular processing taking place. The personal data policy should be easily accessible to the data subjects and in an easy-to-understand, clear, and plain language.

Since many organizations process a wide variety of personal data about different groups of data subjects you might need to prepare several different privacy policies each depending on the target group.

4. Internal procedures

It is important that the organization has described the procedures which must be followed by its employees when personal data is processed.

The purpose of clear and well-defined internal procedures with respect to the processing of personal data is to ensure that the organization meets the legal requirements and is able to handle the processing in an efficient and standardized manner thus significantly reducing errors and manhours.

You also have an obligation to communicate the internal procedure to your employees and ensure that the employees have proper training.

5. Controllers and processors

GDPR, Article 4 distinguishes between the roles of controllers and processors.

A processor is a natural or legal person, public authority, etc., that processes personal data on behalf of and on the instruction of the controller.

The controller must have an overview of all its processors and must conclude legally valid data processing agreements with processors that process personal data on its behalf.

6. Monitoring processors

The controller must continuously oversee its processors ensuring compliance with the data processing agreement and legal requirements.

The requirements for monitoring get stricter as the processor processes a greater volume of personal data when 1) the personal data are more confidential and sensitive, and 2) the processing becomes more intrusive to the data subjects.

As the risks increase, the requirements for monitoring will increase correspondingly.

7. Ongoing self-monitoring and internal awareness

An organization’s “self-monitoring”, when it relates to its processing of personal data, includes collecting and maintaining information about the processing activities, analysis, and control of compliance with the GDPR, as well as informing, advising, and making recommendations for use internally in the organization.

The purpose of self-monitoring is to document the organization’s compliance with the GDPR.

Since it is the employees in the organization who on a daily basis process the personal data, it is crucial that there they are aware of how and when personal data may and should be processed in order to ensure compliance with the GDPR and other applicable legal requirements.

8. IT security

By taking into account the basic principles of the GDPR when developing new or modifying existing IT systems, it will be easier for your organization to comply with the GDPR. Incorporating data protection into IT systems is called “data protection by design” and follows directly from the GDPR.

When processing personal data, appropriate technical and organizational measures must be taken to meet the requirements of the GDPR. The necessary measures should be based on the nature of the data, the volume of data, the purpose of the processing, and the risks that the processing may entail for the rights and freedoms of the data subjects.

9. Risk assessments

An advantage of using a risk-based approach is that the controller can choose the necessary security measures which are relevant to the risks posed.

The purpose of conducting risk assessments is to assess the current and relevant risks and to ensure that the implemented security measures actually reflect the risks. A risk-based approach optimizes the consumption of resources while at the same time establishing a common thread in the security and documentation work.

The main subject matter of the GDPR’s risk assessments is the rights and freedoms of the data subjects. An assessment must therefore be made regarding the risks to customers, employees, and other business partners when the organization processes personal data in the role of controller.

A risk assessment includes an impact assessment, a threat assessment, a vulnerability assessment, and a risk picture, and shall be prepared when relevant and as needed.

10. The rights of data subjects

The data subject’s rights are enshrined in several provisions in the GDPR, and include, among other things, the right of access and the right to erasure.

As a rule, it is the controller who must observe and handle requests by data subjects when they invoke their rights. A processor cannot be given independent responsibility for observing the rights but can observe the rights on behalf of the controller.

Want to know more about GDPR requirements?

Find everything you need in "The Little Guide to GDPR" - a straightforward breakdown of key obligations.

Download the guide
Published:
June 8, 2022
Category:
GDPR