What is GDPR and what do you need for GDPR compliance?

Our privacy professionals created this GDPR Longread to explain all the important rules in one article. We paid particular attention to the topics that confuse many employees.

Now let's study the GDPR step by step.


What is GDPR?

Have you ever wondered where the fingerprints or face scans used to unlock your smartphone are stored? Or why, when placing an order in an online store, you are asked for your date of birth, which seems superfluous for a purchase? Can anyone access your health record at the clinic? How do companies find your phone number to contact you and tell you about an exhibition or sale? And what do social networks know about their users?

Every day we share with others what is commonly called personal data. For example, when dating or communicating, when looking for a job or making an appointment with a doctor, when ordering goods or paying for services. And all that without even thinking about what will happen to this data afterwards.

So why do we need the GDPR? With the advent and development of technology, people have become more generous with personal data, because in return they get convenience and comfort. We are so used to it that we cannot imagine our world any other way. However, does this mean that it is safer to live now? Not at all. Any piece of information can very well be used against us. And, alas, we, the data subjects, have lost control over our data in the new digital reality.




The European Union has taken this issue seriously. As a result, on April 27, 2016, the General Data Protection Regulation was adopted. The new law came into force only two years later (May 25, 2018), so that businesses had enough time to prepare. The GDPR rules fundamentally changed the previous legal framework of privacy protection in Europe, which was almost two decades old. And of course, it raised a lot of questions: what should we do? Who should we contact? How dangerous is non-compliance?

What is personal data?

In all matters related to the implementation of the Regulation, the concept of "personal data" plays an important role, because the GDPR only applies where personal data exist. Let's examine the definition in more detail.

Under the GDPR, personal data is any information relating to an identified or identifiable natural person ("data subject", i.e. a person).

An identified individual is a person whose identifier (name, phone number, personal ID, login, etc.) is contained among the data.

Accordingly, an identifiable individual is a person who can be identified, that is, who can be distinguished from other people.

Personal data is not only the identifier itself but also the information that relates to a person. And there are certain nuances as well.

Without an identifier, the information becomes anonymous. Information combined with an incomplete identifier constitutes personal data only where it is possible to complete the identification through additional "investigation" without special devices and without excessive time and effort.

That is, if we do not have a reasonable opportunity to identify the data subject, then such information is not personal, but anonymous.



For example, personal data includes information describing the data subject: Ivan Kupala is 38 years old and a lawyer. In this case, the personal information is not only the person's name but also his profession and age.

If we don't know the full name, but we know that someone named Ivan in our city is 38 years old, that information will be anonymous to us.

However, if we are told that someone named Ivan is 38 years old, lives in our city, and works at a small law firm called "Kupala & Associates Law Office", we will be able to easily identify the person. This information would be classified as personal data.



In simple terms, name, passport number, ID card, username, nickname, email address, phone number, IP address, bank card details are always personal data because they are identifiers. A vehicle number, handwriting, video, or photo are likely to constitute personal data because they make it easy to identify a person. Whereas address, marital status, sex, gender, e-wallet details, health data, page views, search queries, social media posts are personal data provided it is known to whom exactly they relate.

It is important to note that the definition of personal data is gradually changing. Previously, before the era of computers and cell phones, for data to be considered personal data, it was sufficient that a person could hypothetically be identified by anyone on Earth using that data. Now, this criterion is narrowed down only to the circle of people who can potentially gain access to this data and use it for identification purposes.

Based on all of the above, our privacy expert Siarhei Varankevich CIPP/E, CIPM, CIPT, MBA, FIP, created his original formula for personal data.

What rights did people get thanks to the GDPR?

First of all, the new regulation was adopted because technological progress puts people at risk of losing their right to privacy. We have already described what privacy is and how it dissipates in the modern world. Now let's talk about the rights that we, as data subjects, can exercise under the GDPR.


Right to access (Article 15 GDPR)

Each person has the right to receive their personal data or to get access to them. This right extends not only to the information the data subject provided themselves, but also to the information a company (data controller) has collected about them. Here you can find more details about the roles of the controller and the processor. The data subject may not even suspect that such collection has taken place, and this right enables the data subject to find out about:

  • what purposes their personal data is used for;
  • to whom and to which countries data are transferred (here is more about cross-border data transfers);
  • how long data are stored;
  • where data were obtained from (data sources);
  • information about important decisions for the data subject, which are made automatically;
  • whether they have the right to delete or rectify the data, or to “freeze” it (restriction of processing), as well as to lodge a complaint with a supervisory authority.

How shall a company provide the data subject with the information? The company must provide personal data in whatever form the person requests it: it can be an email or a paper document. Alternatively, the company can give the person access to their data, for example, in their personal account. According to the rules of the Regulation, data are provided free of charge. Only in exceptional cases is the company entitled to charge the data subject a fee. For example, the company might charge a fee for making additional copies or for providing an overly large amount of information.


Right to rectification (Article 16 GDPR)

A data subject has the right to obtain the rectification of inaccurate personal data which are processed by the company. This can happen if the data subject changes their passport/ID card, surname or place of residence, or there is a mistake in their personal data. This right is important for the data subject when accurate and complete information is required for processing.

Right to erasure (‘right to be forgotten’) (Article 17 GDPR)

In other words, this is the right to be forgotten. The data subject has the right to obtain from the controller the erasure of personal data concerning him or her. But it is not that simple. There are only a few grounds in the GDPR on which this right can be exercised:

  • If the personal data are no longer necessary in relation to the purposes for which they were originally collected. Indeed, according to the principle of storage limitation, the data should have been deleted anyway.
  • If the person withdraws their consent to the processing (when the legal basis for the processing is consent).
  • If the personal data have been unlawfully processed. In this case the controller should thank the data subject for contacting the company and not complaining to the supervisory authority.
  • If the personal data belong to a child and were collected by the online service with the child's consent (Article 8(1)).

Let's take a closer look at the last point. Article 8 of the Regulation deals with the processing of personal data of children. The child's consent is valid only if: 1) the child is at least 16 years old, or 2) in addition to it, the consent/permission of the parent has been obtained. The fact is that children do not always understand what their actions on the Internet can result in. Therefore, when you receive a request to erase such data, you need to do it immediately.



For example, 22-year-old Maria noticed that 8 years ago she registered on various gaming sites that collected and processed her personal data. Parents confirmed her consent to participate in various promotions and sweepstakes on these sites. And now when the GDPR is in effect, Maria can obtain the erasure of all information about her participation in promotions and sweepstakes, which was collected when she was still a child.



The right to be forgotten is not an absolute one. For instance, it is balanced by the freedom of speech and press and the necessity of processing for archiving purposes in the public interest, scientific and historical research.


Right to restriction of processing (Article 18 GDPR)

Article 18 of GDPR provides a data subject with the right to obtain the restriction of processing where one of the following applies:

  • the accuracy of the personal data is contested;
  • the processing is unlawful and the data subject opposes the erasure of the personal data;
  • the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
  • the data subject has objected to processing pending the verification whether the legitimate grounds of the controller override those of the data subject (as soon as the decision to resume or terminate processing is made, the data subject must be informed).

“Restriction of processing” can be understood as “freezing of processing”. The data is still stored but not used in any way.

We also discussed what the right to access, the right to rectification, the right to erasure and the right to restriction of processing are here.

Right to data portability (Article 20 GDPR)

The data subject has the right to receive the personal data concerning him or her in a machine-readable format if it is technically possible. At first glance, it seems no different from the right of access, but here we are talking about files that another controller can import into their system. There are two conditions for this right to be exercised:

firstly, the processing is based on consent or contract;

secondly, the processing is carried out by automated means.

To avoid data breaches, a machine-readable file can be transmitted from one controller to another directly, without intermediaries. For example, the social network Vkontakte would transmit all your photo albums to Facebook in one click. However, it is quite difficult to implement such a mechanism from both the technical and financial points of view. Google, Facebook, Microsoft, Twitter and Apple are currently working on the Data Transfer Project, an open source initiative to develop tools to transmit data directly.

We hope that in the future all companies will be able to carry out such transmissions following all the necessary security measures.


Right to object (Article 21 GDPR)

The data subject has the right to object to processing of personal data concerning him or her. However, this right can only be exercised if the processing is based on a legitimate or public interest.

The controller is obliged to consider the objection, analyze the situation and decide whether the processing is important to the company or the public, or whether the interests of the person prevail in this particular case.

NB! If the subject objects to processing for direct marketing purposes, the processing should be stopped immediately.


Right not to be subject to a decision based solely on automated processing (Article 22 GDPR)

In the modern world, due to the rapid development of information technology, decisions are made not only by people but also by automated means. The GDPR provides data subjects with the right to object to decisions made by a computer without a human being, since the algorithm could be erroneous or biased.

However, this right does not apply if:

  • the decision is necessary for entering into or performing a contract;
  • the decision is based on the data subject’s explicit consent.


Right to lodge a complaint with a supervisory authority (Article 77 GDPR)

The data subject has the right to lodge a complaint with a supervisory authority in his or her habitual residence, place of work or place of the infringement (i.e. the controller's place). E.g. a data subject who lives and works in Moscow has the right to lodge a complaint with the supervisory authority in Paris if his or her rights were infringed by a French company. The supervisory authority shall consider the complaint and inform the complainant of the progress and the outcome of the complaint. If the data subject is not satisfied with the outcome of the complaint, he or she has the right to a judicial remedy (Article 78 GDPR).


Right to compensation (Article 82 GDPR)

In the case of an infringement of the GDPR, the controller (or processor) shall not only pay a fine, but also provide the data subject with compensation for any damage caused by the processing. More information about the right to portability, the right not to be subject to automated decision-making, the right to lodge a complaint with a supervisory authority and the right to compensation can be found here.

All of the above confirms the relevance and importance of the Regulation. Today the Internet has become an essential part of almost everyone's life, and our personal data are far from safe. Therefore, it is very important for everyone to be aware of the rights that they have under the GDPR. In order to avoid problems with customers and supervisory authorities, companies shall inform users about their rights. This is required by Articles 13 and 14 of the GDPR. Typically, compliance with this obligation involves the publication of a Privacy Policy / Notice. We have developed a complete GDPR checklist for such policies / notices.

You can find more details about the right to data portability, objection, compensation and the possibility to lodge a complaint with a supervisory authority here.

Data processing principles

Directive 95/46/EC, the predecessor of the Regulation, changed European legislation on the protection of personal data considerably. However, the GDPR spelled out these rules in more detail. This also applies to the six basic principles for the processing of personal information in the most important article of the law, Article 5 of the GDPR. Let's look at them in more detail.


1) Principle of lawfulness, fairness and transparency

Personal data can only be obtained by lawful means. There are only six lawful bases (Article 6 GDPR):

- vital interests;

- contract;

- legal obligation;

- public interest;

- legitimate interest;

- consent.

Before you collect data, you need to find one lawful basis (legal ground) in this list that fits your situation. If nothing fits, the processing will be illegal and you will infringe the Regulation. Fines for unlawful processing of personal data are widely applied and they are quite high.

Also, this principle requires that the data of various people be processed without discrimination or deception, that is, fairly. So there is an infringement when you use phone model information to charge higher prices to the owners of certain models.

Transparent processing means that people have access to information about the purpose, timing, and scope of the processing in as clear and simple a way as possible. It is important that people who have no specific knowledge of the GDPR can understand what is being talked about. Data subjects should not have any further questions about why and on what basis their data is being processed.


2) The principle of purpose limitation

For any processing, the company shall indicate a specific purpose and then strictly adhere to that purpose without going beyond it. For example, if you request a customer's address to deliver a product to him, you may not send Christmas greetings to that address, because that's a different purpose that you didn't define.


3) The principle of data minimization

It follows from the previous principle that every processing must have a specific purpose and the company must not go beyond that purpose. The data minimization principle, on the other hand, states that companies cannot collect unnecessary customer data. Unnecessary data are those without which the purpose still can be achieved. I.e. the companies are not allowed to process data which are not needed to meet the defined purpose. If you request the information to deliver a product to a customer, an address and phone number for prompt communication is enough, but the date of birth would be unnecessary for your purpose.


4) The principle of accuracy

Personal data must be accurate and up to date to the extent needed to accomplish the stated purpose. Under the Regulation, the company must take all necessary steps to update or delete incorrect information. For example, if a regular customer changes his or her address, we must correct it in our system so that the customer receives his or her package.


5) The principle of storage limitation

Once all defined purposes have been met, the information should be erased. The storage limitation principle means that personal data cannot be used for longer than it is needed to fulfill the purpose of processing. For example, if someone ordered a pizza from your restaurant one time, you should no longer have that address in your system the next day, because the pizza was delivered (purpose achieved).


6) The principle of integrity and confidentiality

Personal data have always been a threat to their subjects. But in the era of the information society, the amount of data and the level of threats have increased, and therefore the Regulation obliges controllers to protect personal data from unauthorized or accidental access, damage or destruction. It is especially important in the 21st century to build an information security system that prevents data breaches.

For example, when delivering medicines at home, we must hide from the recipient the names of other buyers on the list, say, by simply covering them with a piece of paper when the person signs for delivery.


7) The principle of accountability

Under Article 5(2) of the GDPR, we are required at all times to be able to demonstrate that we have complied with all of the above principles. Moreover, failure to prove compliance is tantamount to non-compliance (presumption of guilt).

For example, if we are unable, through internal documentation or a demonstration of software functionality, to prove that our system erases the addresses to which pizzas were delivered, then we have infringed the principle of accountability. A supervisory authority can issue us a fine without having to delve into investigating whether or not we are actually storing data longer than necessary.
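As an added example (not the article's own code), here is how the pizza case from the storage limitation and accountability principles above could be implemented: an order store that erases the delivery address once the delivery purpose is achieved, and keeps an audit trail that can be shown to a supervisory authority. The in-memory store, order ids, addresses and timestamps are constructed sample data; the "next day" retention run follows the article's example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Order:
    order_id: str
    item: str
    address: Optional[str]            # personal data collected for ONE purpose: delivery
    created_at: datetime
    delivered_at: Optional[datetime] = None


@dataclass(frozen=True)
class AuditRecord:
    order_id: str
    action: str
    at: datetime
    reason: str


class OrderStore:
    """Keeps orders, erases addresses once the delivery purpose is met (storage
    limitation), and records every erasure so compliance can be demonstrated
    later (accountability)."""

    def __init__(self) -> None:
        self.orders: dict[str, Order] = {}
        self.audit: list[AuditRecord] = []

    def place(self, order_id: str, item: str, address: str, now: datetime) -> None:
        self.orders[order_id] = Order(order_id, item, address, now)

    def mark_delivered(self, order_id: str, now: datetime) -> None:
        self.orders[order_id].delivered_at = now

    def apply_retention(self, now: datetime) -> int:
        """Erase the address of every order delivered before `now`.
        Returns how many addresses were erased on this run."""
        erased = 0
        for o in self.orders.values():
            if o.address is not None and o.delivered_at is not None and o.delivered_at <= now:
                o.address = None
                self.audit.append(AuditRecord(o.order_id, "erase_address", now,
                                              "purpose achieved: order delivered"))
                erased += 1
        return erased

    def addresses_still_held(self) -> list[str]:
        """Orders that still carry an address; only undelivered orders may appear here."""
        return [o.order_id for o in self.orders.values() if o.address is not None]

    def overdue_addresses(self, now: datetime) -> list[str]:
        """Delivered before `now` but still holding an address.
        A non-empty result means storage limitation is being infringed."""
        return [o.order_id for o in self.orders.values()
                if o.address is not None and o.delivered_at is not None
                and o.delivered_at <= now]

    def evidence(self) -> list[tuple[str, str, str]]:
        """What we would show a supervisory authority: which order, what was done, when."""
        return [(r.order_id, r.action, r.at.isoformat()) for r in self.audit]


def run_pizza_day() -> OrderStore:
    """Constructed sample: two orders on day one, one delivered,
    and the nightly retention job running the next day."""
    store = OrderStore()
    day1 = datetime(2024, 3, 1, 18, 0)
    store.place("A-1", "margherita", "Example Street 1, Minsk", day1)  # constructed
    store.place("A-2", "pepperoni", "Example Street 2, Minsk", day1)   # constructed
    store.mark_delivered("A-1", day1 + timedelta(minutes=40))
    store.apply_retention(datetime(2024, 3, 2, 3, 0))  # "the next day"
    return store


if __name__ == "__main__":
    s = run_pizza_day()
    print("addresses still held:", s.addresses_still_held())
    print("evidence for the authority:", s.evidence())
```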

We hope you now have an idea of all the data processing principles of GDPR. However, this is only the first step. The regulation is not just a set of rules that you can learn and universally apply. There are a lot of exceptions, so if necessary, don't be afraid to turn to professionals who can help you build the right path to a properly aligned GDPR data protection system.

Territorial scope of the GDPR

Any company whose business activities are somehow related to the European Union should consider GDPR compliance. You don't even have to have offices in EU countries to be subject to the Regulation.

Now let's explain how you can determine whether your company needs to be GDPR compliant with regard to a particular business process.

Yes, you heard it right. GDPR doesn't apply to companies, but to particular business processes ("processing") using personal data. For some companies, all processing will be subject to GDPR, but for others, only some processes. Let's find out which ones.

First, ask yourself the question, "Is there personal data used in this process?" Is the answer positive? Then there are five more steps ahead. However, in some cases, you only need one "yes" for the GDPR rules to apply to the relevant process in your company.


Step 1: Does your company have organizational units within the EU?

Before answering this question, we need to understand the concept of 'establishment'. According to Recital 22, an establishment does not have to be a legal entity. It can be not only a branch or representative office, but also an office, a remote workplace, or even a single employee. If your company has any of the above in any of the EU countries, and that establishment is processing data, then the GDPR is mandatory for that processing.

Let's explain using the Weltimmo legal precedent. A company registered in Slovakia also operates in Hungary, where it has a mailbox, a bank account and a representative. The question arose as to which country's law, Slovak or Hungarian, applies to the activities the company carries out through its representative in Hungary. After a hearing, the Court of Justice of the European Union (CJEU) decided that Hungarian law was applicable. The reasoning was that the organization has a representative in Hungary, even if not registered as a branch, sends and receives letters at a Hungarian address, uses a bank account with a local bank, and therefore carries out regular work in Hungary.

The GDPR also applies to non-EU processing in the context of the activities of that entity, i.e. processes in your non-European company (subsidiary or parent) that are closely related to the activities of the European entity. For example, in the case of González v. Google Spain, the Court recognized that search indexing carried out in the United States was processing of personal data in the context of the activities of the Spanish entity Google Spain, and therefore must comply with European rules.

If you answered 'yes' to this Step, then the GDPR applies to your processing of personal data and you do not need to go through the rest of the Steps of the scheme. You can now run the next processing operation through the scheme.


Step 2: Is the data subject in the EU?

It's not about citizenship. It's about where the data subjects are located. If you're working with personal data from people in the EU, go to Step 3. If your subjects are outside the EU, you need to comply with the national laws of the country where the processing takes place (e.g. 152-FZ in Russia).

So, if you have a Spanish citizen working in your office in Moscow, the GDPR does not apply to the processing of his or her information. You don’t need to go through other steps of the scheme.

If one of the data subjects is physically located in the EU, then go to Step 3.


Step 3: Is your processing related to the offer of goods and services to persons in the EU?

You are currently in this step of the scheme if your company, which does not have any establishment in the EU, sells goods or provides services to Europeans, e.g., via the Internet. In this case, it doesn’t matter whether you charge your customers or not. For example, the free version of the mobile app that you downloaded is also a service.

Since the Regulation applies to the particular processing, you need to analyze a separate process. The processes can be different, for example:

- recruiting employees for the Moscow office;

- password recovery for an online service;

- retargeting/remarketing of visitors who have visited your site;

- an evaluation questionnaire.

In the above list, retargeting/ remarketing is a direct offer of a good or service, the evaluation questionnaire and password recovery are connected with the provision of a service. Hence regarding these processing operations we answer ‘yes’ to question #3 and move on to Step 4.

But hiring employees to the Moscow office is a processing of personal data not directly related to the offer of goods and services to Europeans. The job offer is neither a product nor a service. Therefore, according to the scheme, we go straight to Step 5, where we will check whether we are monitoring the behavior of candidates for the position.

Another example: a Ukrainian online education platform sells its programming courses in English all over the world, including the EU. Question: does the platform need to comply with GDPR? The online courses on this platform are services and we answer ‘yes’ to the question #3. So we need to go to Step 4 to find out if the activity is aimed at at least one EU country.


Step 4: Do you intend to offer goods and services to data subjects in the EU?

In fact, this is a question about presence in the European market. Sometimes it can be unclear whether GDPR applies when you receive an order from a person from the EU. In that case, the question to ask is, "Did you intend to offer goods or services in the EU, or is the order incidental?" The answer to this question is not always obvious.

For example, a store from Grodno (Belarus) sells designer clothes. The company's website is available in Russian, Belarusian and English. Orders are accepted in any currency, and delivery is worldwide. It can be assumed that the EU market is targeted. So, if an order comes from someone who lives in the European Union, you have to comply with the GDPR when processing the order.

Reverse example. The store is located in Minsk and delivers flowers around the city for Belarusian rubles. At the same time, a resident of Poland ordered flowers on the store's website to deliver them to his girlfriend from Belarus. Since the store initially targets only Minsk citizens and does not intend to go outside the country, the Pole who placed the order will not be protected by the GDPR.

So if you answered 'yes' to the question about being in the EU market in Step 4, then the GDPR will apply to your processing. If your answer is "no," then skip to Step 5.


Step 5. Does the processing involve monitoring the behavior of individuals who are in the EU (e.g., using Google Analytics)?

"Monitoring of behavior" involves surveillance and subsequent behavioral analysis/profiling of individuals. Mostly non-EU companies do this via the Internet in order to predict people's personal preferences, behavior and attitudes.

Consequently, if you are monitoring your European consumers, this process is governed by the GDPR.

An example of monitoring would be tracking users' behavior on a website using cookies. This allows you to offer them more relevant products or services, which is often used by online store owners.

A few more cases from the supervisory authority's guidelines:

  1. A U.S. consulting company advises a mall in France on retail layouts. To do this, it uses WiFi to analyze the movements of people in that mall. In this case, analyzing the movements of shoppers is monitoring their behavior. Since the mall is located in France, the data is also obtained from there. Therefore, the GDPR will apply to this processing.
  2. A developer of mobile fitness apps in Canada analyzes the physical activity of users around the world to optimize performance and improve service quality. This processing is also governed by the European Regulation.

So if you answered the monitoring question positively, the GDPR will apply to the processing. If it's negative, then you don't need to apply GDPR to the processing. Don't forget, though, to comply with your national data protection laws.
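The five-step scheme above, encoded as a decision function (an added example, not the article's own code). It evaluates one processing operation at a time, since the article stresses that the GDPR applies per processing, not per company, and replays the article's own examples; the yes/no answers for each case are assumptions drawn from the text (the Moscow recruiting case assumes no candidate monitoring, which the text leaves open).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Processing:
    """Yes/no answers to the scheme's questions for ONE processing operation."""
    name: str
    uses_personal_data: bool            # preliminary question
    eu_establishment_involved: bool     # Step 1: any EU establishment (Recital 22)
    data_subjects_in_eu: bool           # Step 2: subjects physically in the EU
    related_to_goods_or_services: bool  # Step 3: offer of goods or services
    targets_eu_market: bool             # Step 4: intended offer, not an incidental order
    monitors_behaviour_in_eu: bool      # Step 5: analytics, profiling, tracking


def gdpr_applies(p: Processing) -> tuple[bool, str, str]:
    """Walk the scheme; returns (applies?, step decided at, reason)."""
    if not p.uses_personal_data:
        return False, "Step 0", "no personal data, so the GDPR is not engaged"
    # Step 1: an EU establishment settles the matter; no further steps needed.
    if p.eu_establishment_involved:
        return True, "Step 1", "processing in the context of an EU establishment"
    # Step 2: without an EU establishment the data subject must be in the EU.
    if not p.data_subjects_in_eu:
        return False, "Step 2", "data subjects outside the EU; national law applies"
    # Steps 3 and 4: goods or services deliberately offered to subjects in the EU.
    if p.related_to_goods_or_services and p.targets_eu_market:
        return True, "Step 4", "goods or services offered to subjects in the EU"
    # A 'no' at Step 3 or at Step 4 both lead to Step 5.
    if p.monitors_behaviour_in_eu:
        return True, "Step 5", "monitoring the behaviour of individuals in the EU"
    return False, "Step 5", "no monitoring; comply with national data protection law"


def article_cases() -> list[Processing]:
    """The article's examples with the answers the text implies (assumed)."""
    return [
        Processing("Weltimmo: Slovak company with a representative in Hungary",
                   True, True, True, True, True, False),
        Processing("Spanish citizen working in a Moscow office",
                   True, False, False, False, False, False),
        Processing("Grodno clothing store: order from an EU resident",
                   True, False, True, True, True, False),
        Processing("Minsk florist: order placed by a resident of Poland",
                   True, False, True, True, False, False),
        Processing("US consultancy analysing shopper movements in a French mall",
                   True, False, True, False, False, True),
        Processing("Recruiting for the Moscow office, EU-based candidate",
                   True, False, True, False, False, False),
    ]


def scheme_outcomes() -> dict[str, tuple[bool, str]]:
    """Map each case to (applies?, step decided at)."""
    return {p.name: gdpr_applies(p)[:2] for p in article_cases()}


if __name__ == "__main__":
    for p in article_cases():
        applies, step, reason = gdpr_applies(p)
        print(f"{'GDPR applies' if applies else 'GDPR does not apply':20} {step}: {p.name} ({reason})")
```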

As we can see, the scope of GDPR is very broad. A large number of small, medium and large businesses both within and outside of the EU that process their customers' personal data fall under its scope. We've highlighted the list of companies that shall definitely pay attention to GDPR compliance:

- IT product companies and IT outsourcers;

- banks and fintech companies;

- hospitals and medical centers;

- online schools and course hubs;

- e-commerce and online stores;

- hospitality businesses and hostels;

- travel services and agents;

- logistics and transportation (air, road, rail, sea, etc.);

- communication and telecommunication services.

The Regulation is one of the most pressing issues of concern to entrepreneurs around the world. But GDPR compliance turns into a competitive advantage. You need to put in some time and effort to achieve compliance, and in return you will receive the respect and trust of customers and partners.

What do you need to do to comply with the GDPR?

Obviously, if you've got to this point, whether to implement the GDPR or not is no longer in question. Let's talk about the specific actions a company needs to take in order to comply.

GDPR-compliance is, first of all, the alignment of a company's business processes in accordance with the rules of the Regulation. According to the international ISO standard, implementation of the GDPR includes the following measures.

Building a system

  1. Identify the context of the company, determine its needs with regard to the protection of personal data, the persons involved and interested in this, and the scope of work. In other words, it is necessary to check the map, select allies and formulate a goal.
  2. Enlist the support of the company's management (and here we tell how to convince the boss to give money for the implementation of the GDPR), since an extensive change in the processes and significant costs will be needed. What is more, it is not uncommon for companies to limit their marketing activities and make do with a smaller volume of personal data.
  3. Plan measures for protection of personal data, determine the areas of responsibility of various departments and employees.
  4. At the start agree on how the effectiveness of personal data protection program will be assessed. Which means, you have to indicate success markers, KPIs.
  5. Conduct an inventory of personal data and information systems by filling out the register of personal data processing activities under Art. 30 GDPR (RoPA).
  6. Assess the risks for your company in connection with the GDPR (fines, loss of contracts, difficulties in certain markets, customer loyalty). Determine which processes (personal data processing) create most of these risks.
  7. Develop local regulatory acts (information privacy and security policies) based on the level of risks, type of business, corporate culture, organizational structure, market, needs and other characteristics of the company.

Data security

  1. Ensure a proper level of the company's information security. For this reason, it is necessary not only to develop a regulation on information security, but also:
    1. appoint persons responsible for security, vest them with the necessary powers or designate an information security department;
    2. organise processes of information assets control;
    3. develop rules for remote work and use of mobile devices;
    4. ensure management of access to personal data;
    5. screen employees and conduct internal and external audits;
    6. encrypt data;
    7. manage data breaches;
    8. provide physical protection;
    9. agree upon acquisition of new systems;
    10. connect with new providers and monitor them.

Lawfulness of data processing

  1. Highlight, structure and document all purposes of personal data processing. It is necessary to formulate goals not in legalese, but in plain language, and in such a concrete and clear way, so that:
    1. it is possible to distinguish separate processings in the processes according to the GDPR;
    2. it is possible to determine one single legal basis for each processing;
    3. a typical representative of your primary audience can understand what is going to happen with her personal data.
  2. Choose the correct one of the six legal bases for each purpose / processing of personal data by entering in the Register of Processing Activities (RoPA) one legal basis in each line / for each processing. If the basis is consent, it is necessary to formulate and document it. Then one has to fulfill the requirements of ISO27701.7.2.4, starting the process of collecting consent, ISO27701.3.4 - change or revocation of consent, and ISO27701.2.3 - the process of proving that it was provided. If the basis is a legitimate interest, it should be framed, reinforced with safeguards, and documented by conducting a Legitimate Interest Assessment (LIA) and then implementing the safeguards selected in the Assessment. If the basis is a legal requirement, it is necessary to find the relevant legal provision obligating the processing of the relevant personal data and refer to it in the Processing Register.
  3. If among the processed information there are also biometric, medical and other special categories of personal data, then along with the legal grounds for processing, it is necessary to find one of the exceptions under Art. 9 (2), according to which processing these sensitive data is not prohibited for this purpose.
  4. Among the entire list of processing activities that the company conducts, it is necessary to find all processings, which rely on consent as a legal basis. Further, one has to ensure that the company will be able to demonstrate to a supervisory authority, auditor or data subject that it has indeed obtained consent to process the data. Along with proving the fact of obtaining consent, it will be necessary to record the circumstances of its receipt (time, place of giving consent, as well as its contents).
  5. Receive and register consent to personal data processing received from data subjects. Consent can be obtained electronically, on paper or orally. But even in the case of verbal consent, it is necessary to register this consent in the respective log, journal or customer card. Please note that consent is not obtained for all processing activities, as it is only one out of six legal bases for personal data processing. It is also important to remember that choosing consent instead of a more appropriate legal basis (such as legitimate interest or contract) may be considered a violation of the GDPR.
  6. Conduct a Data Protection Impact Assessment (DPIA) for a certain processing of personal data when it is likely to result in a serious risk in terms of consequences. Moreover, it is important to keep in mind that the risk is assessed not for the company, but in relation to the consequences for the data subject, her rights and freedoms. Please, follow Article 35 GDPR and DPIA guidelines.
  7. Enter into binding agreements with all contractors to whom personal data are transferred. It is necessary to sign a Data Processing Agreement (DPA) in accordance with Article 28 GDPR. The agreement must include all provisions referred to in Article 28(3) GDPR, as well as a list of information security measures to ensure integrity, confidentiality and availability of the personal data transmitted.
  8. Identify the processes in which the company determines the purposes and means of processing together with someone else, and enter into one or more contracts with joint controllers. The roles and responsibilities of joint controllers must be documented in either a contract or any similar binding document that contains the terms of joint data processing.
  9. Develop, fill in and keep up to date the Records of Personal Data Processing Activities under Article 30 GDPR (RoPA). It is a catalog listing purposes of data processing, which also includes information about the collected data, processors, retention periods, etc. Checking the Records is usually a starting point for the GDPR compliance audits. What is more, it helps to respond to data subjects’ requests quickly, as it makes the search for their data among departments and information systems much easier.

Transparency of processing and right of data subjects

  1. Determine and document at which points a data subject can check a privacy notice / privacy policy for each processing. This is not just about having a relevant document on the website: it is necessary to come up with ways to inform a data subject in case of offline interaction (in the office or at an event), as well as when communicating on the phone. Similarly, one has to determine what rights under the GDPR the subject has in relation to each processing activity (each process) and how the subject will be able to exercise his rights online on the website, in the application, when receiving emails, SMS, push notifications, paper mailings, or when your employee talks to him on the phone. For example, it is important to find out whether a person has the right to be forgotten in this process and how she will, if needed, request a copy of her personal data.
  2. If you make fully automated decisions, having significant consequences for data subjects, you need to analyze what obligations you have in connection with data subjects due to the fact that such meaningful decisions are made automatically. These commitments must be fulfilled. For example, one has to 1) notify data subjects of the existence and logic of those automated decisions, 2) reduce the risks of harm to rights and interests of people, 3) provide them with the right to object to having the decision made automatically.
  3. Determine the scope of issues, about which the company should inform people in connection with processing of their personal data. This list is needed to fill your privacy policies and notices with information about your processes. It will be used to check the completeness of information provided to data subjects. In the GDPR this information is specified in Articles 13 and 14, as well as in the Guidelines on transparency. What is more, data subjects can request information individually. Article 15(1) of the GDPR provides a list of information to be provided to a data subject.
  4. Provide the data subject (with the help of privacy policy and other notices) with clear and easily accessible information about processing of personal data. For example, among other things, specified in Articles 13 and 14 of the GDPR, it is necessary to stipulate the purpose, legal basis, duration of each processing, as well as recipients of personal data. One also has to name the company, give the contacts of its DPO, as well as provide the names of other companies with which it jointly controls data processing. Privacy policies should be easy to understand for a typical representative of the core audience, which means that the privacy policy needs to be translated into each of the languages of the interface. What is more, when drafting a privacy policy, one has to get rid of legal slang, publish information in a visual form, for example, format and structure the text, add icons, pictures, videos, tables and tips. It is also necessary to translate the content from legal jargon into "human" language, integrate easy navigation through the entire policy, and divide the endless sheet of text into coherent parts to show them at the right moment (just in time notice).
  5. Develop and implement a process for revoking consent to processing of personal data. As part of the process-oriented approach, it is necessary to define the “customers” of the process, its goals and results, performance indicators and the necessary resources, suppliers, executors and the owner of the process of withdrawing or changing consent.
  6. Develop and implement a process for managing objections to processing, which is carried out on the basis of a legitimate or public interest. Unlike the process of withdrawing consent, it is assumed that individual requests will be considered and it will be possible to refuse to exercise this right if the request is unreasonable.
  7. Develop and implement a business process for exercising rights to access, have personal data rectified and/or deleted.
  8. Develop and implement a process for notifying third parties and persons who have received personal data from us that the data subject has exercised his right to withdraw consent, have data rectified or object to their processing. This measure is needed so that the recipients of the data can independently decide whether they also need to delete, block or correct the data.
  9. Prepare to receive data subjects’ requests with regard to 1) access to their personal data (requesting a copy of them) in a human-readable form, as well as 2) data portability in a machine-readable form: determine the volume of data and the information systems involved. The respective business process also needs to be implemented.
  10. Develop and document procedures for giving response to data subjects’ requests without undue delay, but no later than one month. Requests may relate to the right to access, rectification, deletion, blocking of personal data, as well as to the right not to be subject to decisions taken automatically, and the right to withdraw consent and object to processing.

Purpose limitation, data minimisation and limitation of data retention period

  1. Based on the declared purpose of processing, it is necessary to reduce the amount of collected data to the minimum that is really needed.
  2. When working with data that are stored in the organization's information system, it is necessary to delete unnecessary information in a timely manner and reduce the circle of persons having access to them.
  3. Determine the level of accuracy needed for each category of personal data processed from the point of view of the company's declared purpose. For those data, the accuracy of which is important, it is necessary to develop a procedure for clarification (for example, errors in names) and regular updating of obsolete data (for example, residence addresses or telephone numbers).
  4. Use anonymous data whenever possible, or switch to using them instead of personal data as soon as possible. Using the register of personal data processing activities, the company should map which data are used for each of the purposes. After that you need to make sure that this information is not used for other purposes.
  5. It is necessary to provide for technical or organizational mechanisms of deletion or complete anonymization of personal data after the expiration of the data retention period.
  6. It is important to identify where exactly in the information system, or in which departments of the organization duplicates or temporary files containing personal information may appear as a result of regular processing of personal data. One has to develop procedures and rules for deleting these files as soon as they are no longer needed.
  7. For each category of personal data processed it is necessary to specify a processing period or criteria for its determination. These dates form Data Deletion Schedules.
  8. Implement and document procedures for disposal of media containing personal data.
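The checklist above boils down to a handful of checks that can be applied to every line of the register: exactly one of the six legal bases, an Art. 9(2) exception for special categories, an LIA when legitimate interest is chosen, a retention period that yields a deletion date, and consent evidence (time, place, contents, withdrawal) that can be shown for a given moment. The validator below is an added example, not code from the original article or from Data Privacy Office; the field names, sample activities and the list of special categories are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, datetime, timedelta
from typing import List, Optional, Set

# The six legal bases listed in the article (Art. 6(1) GDPR).
LEGAL_BASES = {"consent", "contract", "legal_obligation",
               "vital_interest", "public_interest", "legitimate_interest"}
# Constructed subset of the Art. 9 special categories for this example.
SPECIAL_CATEGORIES = {"health", "biometric", "genetic", "religion"}


@dataclass
class ConsentRecord:
    """Evidence of consent: who, when, where/how, and the wording shown."""
    subject_id: str
    given_at: datetime
    place: str           # e.g. "web signup form" or "front desk, oral"
    statement: str       # the exact consent text the subject agreed to
    withdrawn_at: Optional[datetime] = None


@dataclass
class ProcessingActivity:
    """One line of the RoPA (Art. 30 GDPR); field names are constructed."""
    name: str
    purpose: str
    legal_bases: List[str]            # the article requires exactly one
    data_categories: Set[str]
    retention_days: Optional[int]     # None means no deletion schedule yet
    art9_exception: Optional[str] = None   # e.g. "Art. 9(2)(h)"
    lia_done: bool = False            # Legitimate Interest Assessment done
    legal_provision: Optional[str] = None  # law cited for legal_obligation
    consents: List[ConsentRecord] = field(default_factory=list)


def validate_activity(a: ProcessingActivity) -> List[str]:
    """Return the gaps a RoPA review would flag for this processing line."""
    findings = []
    basis = a.legal_bases[0] if len(a.legal_bases) == 1 else None
    if basis is None:
        findings.append("exactly one legal basis is required")
    elif basis not in LEGAL_BASES:
        findings.append(f"unknown legal basis: {basis}")
    if basis == "legitimate_interest" and not a.lia_done:
        findings.append("legitimate interest chosen but no LIA documented")
    if basis == "legal_obligation" and not a.legal_provision:
        findings.append("legal obligation chosen but no provision cited")
    if a.data_categories & SPECIAL_CATEGORIES and not a.art9_exception:
        findings.append("special category data without an Art. 9(2) exception")
    if a.retention_days is None:
        findings.append("no retention period or deletion criteria")
    return findings


def deletion_date(a: ProcessingActivity, collected_on: str) -> str:
    """Entry for the data deletion schedule (ISO dates in and out)."""
    if a.retention_days is None:
        raise ValueError(f"{a.name}: retention period not defined")
    due = date.fromisoformat(collected_on) + timedelta(days=a.retention_days)
    return due.isoformat()


def consent_in_force(a: ProcessingActivity, subject_id: str,
                     at_iso: str) -> Optional[ConsentRecord]:
    """Consent record that justified processing this subject at `at_iso`.

    Counts only if it was given before that moment and not withdrawn by then;
    this is what must be shown to an auditor or to the data subject.
    """
    at = datetime.fromisoformat(at_iso)
    for rec in a.consents:
        if rec.subject_id != subject_id or rec.given_at > at:
            continue
        if rec.withdrawn_at is None or rec.withdrawn_at > at:
            return rec
    return None


# Constructed samples: the ticket-sale case from the article, a newsletter
# relying on consent, and a deliberately defective line for the review.
TICKET_SALE = ProcessingActivity(
    name="ticket_sale", purpose="sell a plane ticket",
    legal_bases=["contract"], data_categories={"name", "passport_number"},
    retention_days=365 * 5)
NEWSLETTER = ProcessingActivity(
    name="newsletter", purpose="send marketing emails",
    legal_bases=["consent"], data_categories={"email"}, retention_days=730,
    consents=[ConsentRecord("subj-1", datetime(2023, 1, 10, 9, 0),
                            "web signup form", "Send me the weekly newsletter",
                            withdrawn_at=datetime(2023, 6, 1, 12, 0))])
HEALTH_CHECK = ProcessingActivity(
    name="health_check", purpose="assess fitness to fly",
    legal_bases=["contract", "consent"], data_categories={"health"},
    retention_days=None)

if __name__ == "__main__":
    for act in (TICKET_SALE, NEWSLETTER, HEALTH_CHECK):
        print(act.name, validate_activity(act) or "OK")
```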

Data transfer

  1. One needs to use reliable channels for the transfer of personal data in order to prevent the loss of personal information or its falling into the wrong hands.
  2. It is important to arrange cross-border transfer of personal data (including providing access to them) outside the European Union. The most effective transfer mechanism in many cases is signing the Standard Contractual Clauses (an appendix to the Data Processing Agreement), subject to regular monitoring of the counterparties that have signed the agreement (questionnaires and selective audits).
  3. Another useful measure is to maintain a record of countries to which the company sends personal data.
  4. One also has to register transfer of personal data to any third parties (processors, partners, auditors, government agencies, etc.) and ensure that they facilitate the fulfillment of data subjects' requests, such as requests for access, deletion, rectification, etc.
  5. It is necessary to register the disclosure of personal data to any third party (processor, partner, auditor, government agency, etc.).

Data Privacy Officer (DPO)

  1. Appoint a person responsible for personal data protection (in some cases, this is an obligation). The process of bringing a company to the GDPR compliance requires a competent approach. Therefore, for the sake of effectiveness, it is best to consult a professional. But in some cases the Regulation requires a company to hire or outsource a DPO (Data Protection Officer). We advise you to check the questionnaire for hiring a personal data protection inspector, which was developed by our company's consultants in order to assess the professional skills and experience of a candidate during an interview and not to miss a single important question.

Does all this seem complicated and hard to grasp? Let's take a closer look at some of these points.


Each processing should have a purpose. For example, a person decides to purchase a plane ticket. You have to explain clearly: the company collects your passport data (processing) so that you can purchase a ticket (purpose 1) and to check if you are not blacklisted to enter this country (purpose 2). There should be a legal basis for each purpose.

NB! Think of a legal basis appropriate for purpose 1 and for purpose 2 (they may be different legal bases).

The purpose is to be communicated to data subjects in the privacy notice (the so-called "privacy policy"). After that you need to strictly adhere to the purpose declared in order to fulfill the principle of "purpose limitation" (see above). The legal basis is determined on the basis of a purpose.

Legal bases

The GDPR provides the following six legal bases for personal data processing:

  • Vital interest – processing is necessary in order to save a person from death or serious injury. The threat must be real and actual at the moment of processing;
  • Contract – it is impossible to perform a contract or provide a service without personal data processing;
  • Legal obligation – when personal data processing is necessary for compliance with a legal obligation;
  • Public interest – if a processing carried out in public interest is within the competence of a certain governmental authority, and an entity that processes personal data does so to assist the governmental authority. There is an important detail: this legal basis is applied if a governmental authority will not succeed without an entity’s help;
  • Legitimate interest – if legitimate interests of a company prevail over rights and interests of data subjects. For example, if a company’s business will be under threat if it stops processing personal data for this purpose;
  • Data subject’s consent – the data subject’s permission to process her personal data for a purpose that is of little significance to the data subject. The consent shall be free, specific and given in connection with a particular purpose. The person shall be informed about all significant aspects with regard to the use of her data. The consent shall be expressed by an affirmative act.

In the example of selling an airplane ticket and checking against the “black list”, two different legal bases are used: for purpose 1 - a contract, for purpose 2 - a legal obligation.

GDPR Documents

Which documents must a company have in order to comply with GDPR requirements? Our consultants are often asked this question. But there is no answer and there can't be one. The fact is that the documentation reflects the measures taken by the company and is not required by any legal act per se (since paperwork alone is not a demonstration of compliance). Not all the measures are mandatory for companies, although there are some that are necessary for most of them.


Examples of GDPR Documents are:

  • Binding Corporate Rules (BCR)
  • Bring Your Own Device Policy
  • Business Continuity Plan
  • Contact list for Breach Response Team
  • Cookie Consent
  • Cross Border Personal Data Transfer Procedure
  • Data Breach Notification Letter to Data Subjects (template)
  • Data Breach Register
  • Data Breach Report
  • Data Breach Response Plan
  • Data Processing Agreement (DPA)
  • Data Protection Impact Assessment (DPIA)
  • Data Protection Policy (internal)
  • Data Protection Officer (DPO) Job Description
  • Data Retention Policy
  • Data Sharing Agreement
  • Data Subject Access Request Form
  • Data Subject Access Request Procedure
  • Data Subject Change Request Form
  • Data Subject Consent Form
  • Data Subject Consent Withdrawal Form
  • DPIA Register with Log of DPIA Outcomes and Implementation of Mitigating Controls
  • DPIA Threshold Assessment
  • DPIA Methodology
  • Employee Privacy Notice
  • Enterprise Privacy Risk Assessment
  • Guidelines for Data Inventory and Processing Activities Mapping
  • Incident Report Form
  • Information Assets for Disposal Log
  • Internal Audit Checklist
  • Internal Audit Procedure
  • Internal Audit Report
  • Joint Controllership Agreement
  • Legitimate Interest Assessment (LIA)
  • Letter of Appointment of Data Protection Officer (DPO)
  • Parental Consent Form
  • Parental Consent Withdrawal Form
  • Privacy or Data Protection Notice
  • Processor GDPR Compliance Questionnaire
  • Project Plan for Complying with the EU GDPR
  • Register of Data Transfers
  • Register of Privacy Notices
  • Register of Processing Activities (RoPA)
  • Standard Contractual Clauses (SCC)


Let's focus on some of these documents in more detail.


A DPA is a data processing agreement that must specify the following aspects (Art. 28 GDPR):


  • scope, nature, and duration of the processing;
  • data subjects (it should be specified whether children's data are being processed);
  • categories of data;
  • rights and obligations of the controller and processor;
  • technical and organizational data protection measures;
  • relations with sub-processors.


Standard Contractual Clauses (SCC) supplement or replace the DPA in the case of cross-border data transfers.

When we are going to transfer data from the EU outside the EU, the DPA alone may not be enough. In order to perform a cross-border transfer, we first need to know whether the country provides an adequate (sufficient) level of data protection. If the country is "inadequate," you can find out how to handle a cross-border data transfer here.

In brief, you can use the SCC approved by the European Commission. Standard Contractual Clauses (SCC) are a model contract concluded between the controller and the processor. Its form cannot be changed because it is standard. However, situations may arise where additional provisions need to be specified, such as the allocation of costs for audits of personal data protection. Then we do the following: the company concludes a DPA with these additional provisions, and the SCC is an appendix to it.

The privacy notice (policy) is a public document that describes the fate of the personal data that the customer entrusts to us. It explains, for example, what personal data is processed by the company and to whom it is transferred.

In the past, before the widespread dissemination of the GDPR, only lawyers could understand the text of the document: it had too many complicated terms and constructions. Today, according to one of the requirements of the GDPR (Article 12 of the GDPR), a company must inform users not by means of legal language, but in a concise, transparent, understandable way, without using complex terminology (interactivity is only encouraged). For more details on what and how to write in privacy notices (policies), see GDPR articles 12, 13, and 14, or below in the text.

There are slight differences in the requirements depending on whether the company collects personal data directly from the data subject or through intermediaries (recipients). Let's look at each case.

If a company collects personal data from an individual directly, it must include the following information in the policy:

  • the name and contact information of the company, its representative, and data protection officer;
  • the purposes of processing personal data and their legal bases, including the legitimate interests of the organization;
  • details concerning cross-border transfers and the data protection mechanism;
  • the data retention period;
  • the rights of the data subjects;
  • the existence of an automated decision-making system, including profiling;
  • whether the provision of personal data is part of a legal or contractual requirement or obligation, and the possible consequences of not providing personal data.

If the organization receives your data indirectly (through another company), then the privacy policy should include all the same information, except for the last point. Plus, we must list the types (categories) of personal data that are obtained about the person from a third-party source.

A privacy policy is a unique document for each company, so a template privacy policy will not work. "Data Privacy Office" has developed a special privacy policy checklist that will not allow you to miss anything when you create a privacy policy "from scratch", or you can check the correctness of an already created document.


DPIA (Data Protection Impact Assessment) is a method used to systematically and comprehensively analyze the risks caused by data processing and to select protection measures.

In fact, we do not look at the risks to the company, but at the risks of violating people's rights and freedoms. This includes, inter alia, the threat of psychological, physical, social, and economic harm to data subjects.

If you understand that data processing is likely to result in serious risk, make sure you do a DPIA before you start the processing. Article 35(3) of the GDPR provides examples where serious negative consequences are likely to occur. In these cases, a DPIA is mandatory. These are, for example:

  • a large number of surveillance cameras,
  • handling of medical records in a hospital,
  • credit rating,
  • monitoring employees' work devices and their online activities,
  • collecting geolocation data,
  • use of financial information for payments.

Thus, the Data Protection Impact Assessment is a kind of safety cushion that allows you to identify risks and prevent them. It will be the right investment for the future of the company since it protects against problems with supervisory authorities, partners, and customers.


LIA - Legitimate Interest Assessment


If you work with personal data on the basis of legitimate interest, you have to do a legitimate interest assessment. This is both a formal procedure and a document, the contents of which are clearly stipulated. During a LIA, you have to weigh the pros and cons of processing for both the company and the data subject.

The LIA is conducted in three stages:

  1. assessing whether there is a legitimate interest,
  2. determination of the necessity for processing,
  3. balance of interests (the interests of the data subject vs. the interests of the company).

The legitimate interests of the company should be reviewed periodically. Over time, depending on external and internal factors, the purpose, nature or context of the processing may change. There is a good chance that this will affect the balance between you and the data subject. Consequently, the LIA should be updated accordingly.

This procedure helps to avoid problems in the future and build customer trust, while not to the detriment of the organization itself.

Where to begin?





By training employees and heads of departments in how to deal with personal data, the company reduces its GDPR risks and increases customer loyalty. Starting with training courses and certifications by Data Privacy Office is an effective step towards GDPR compliance.


Courses’ Syllabi:


The GDPR Data Privacy Professional course is the most popular GDPR course in the CIS countries, which has been conducted since 2018. It will provide you not only with comprehensive knowledge of the GDPR, but also with understanding of the logic of European standards in terms of personal data protection. The course is suitable for employees of different backgrounds, including non-lawyers. It is available in a group format (both online and offline), as well as in a self-paced mode.

GDPR DPP - Online Training: Data Protection under GDPR


Course Syllabus:

  • Privacy,
  • Legislation,
  • GDPR,
  • Notion of personal data,
  • Personal data processing. Data controllers and data processors,
  • Basic rules of GDPR,
  • Legal bases of processing,
  • Rights of data subjects,
  • DPIA and GDPR privacy risk management,
  • Information security,
  • Trans-border transfer of personal data,
  • Privacy by Design,
  • Data Privacy Officer (DPO) and representative in the EU.

The syllabus is based on the body of knowledge of the CIPP/E international certification in the light of CIS specific features, namely the need to cover the following modules in detail:

  • trans-border transfer of personal data,
  • territorial scope of the GDPR,
  • specificities of national regulation of Russia, Belarus and Ukraine.

This course covers 80% of tasks and questions with regard to the GDPR and helps to save on consulting services.


GDPR Data Privacy Manager will provide those who are already working with GDPR “in the field” with everything they need to organize, maintain and manage a company's personal data protection system throughout the entire lifecycle of the system. As a result, such managers not only know and understand the requirements of the GDPR, but also know how to make all this work in any company. This course can be taken in a group (online).

Online Training: Data Privacy Manager (DPM):


Course syllabus:

  • Standards and frameworks,
  • Management system and its context
  • Planning and management
  • Policies
  • Organizational roles, responsibilities and authorities
  • Processes and procedures
  • Measures and controls of ISO 27701
  • Support
  • Performance evaluation and improvement


The GDPR Data Privacy Technologist course covers the main aspects of ensuring data privacy in IT products and services. It is aimed at building personal data protection processes within the course of development and use of IT products. This course is available only in a self-paced mode (recording).

Online training Data Privacy Technologist


Course syllabus:

  • Privacy and security;
  • How to implement Privacy by Design;
  • ISO 27001 and ISO 27701;
  • Privacy risks and how to avoid them;
  • Privacy lifecycle;
  • Technologies ensuring privacy;
  • Cookies, targeting, face recognition.


CIPP/E (Certified Information Privacy Professional / Europe) Preparation Coaching

Prepare for the international exam in the field of information privacy CIPP/E under guidance of certified experts. The syllabus of coaching matches the list of topics to be covered during the CIPP/E exam:

  • Securing the right to privacy. History of information privacy;
  • EU institutions and contemporary personal data regulation;
  • Scope of the GDPR;
  • Principles of processing personal data;
  • Legal bases for processing;
  • Rights of subjects of personal data;
  • Information Security;
  • Accountability requirements;
  • Cross-border transfer;
  • The specifics of the work of the supervisory authorities and the practice of law enforcement;
  • Features of the protection of personal data in labor relations;
  • Privacy-friendly solutions in video surveillance, IoT, Internet technologies;
  • Data Privacy Officer: nuances of legal status and work. 




The decision to resort to a consultant is especially important when deadlines are tight and there is no room for error. The consultant will ensure that your actions are correct and provide you with a clear rationale. If you turn to Data Privacy Office consultants, they will also take into consideration peculiarities of your business, as well as the resources and processes available.


Data Privacy Office customers often order complex products like GDPR Roadmap or DPO Outsourcing. We will talk about them below. But some opt for separate services under the GDPR, such as GDPR Compliance Audit, Privacy Policy and Notice Audit, Data Protection Impact Assessment, GDPR Gap Analysis, Data Mapping, Privacy Engineering Team Outsourcing, Record of Processing Activities.


GDPR Roadmap + Implementation Program

The program is designed for systematic implementation of personal data protection in accordance with the international standard ISO 27701. It is suitable for all types of companies: from IT startups to large banks and fintech companies. This is your opportunity to delegate coordination of the project to bring your business to GDPR-Compliance. We use our own “GDPR Roadmap” methodology to quickly set up personal data protection in small companies that do not have a set of well-built business-processes yet.

Implementation steps:

  • Creating a privacy team (working group) for implementation and conducting training for the members of the team based on the body of knowledge of the international certification CIPP/E;
  • Identifying gaps that are affected by the GDPR;
  • Selection and planning of suitable ISO 27701 activities according to their priority;
  • Assessment of resources needed to implement the GDPR Roadmap;
  • Creation of an action plan for implementation of a privacy protection system;
  • Implementation of the GDPR into the processes based on the following rule: eliminate violations of the GDPR without interfering with the pursuit of business goals.

Check details here.


DPO (Data Protection Officer) Outsourcing 

The company gets an experienced and competent specialist who is able to promptly and correctly resolve issues related to the GDPR and - what is equally important - to take responsibility for them. The Data Privacy Office expert acts as your safeguard in dealings with the supervisory authority. The functions of the DPO include the following:

  • Taking care of communication and consulting colleagues on any and all privacy issues;
  • Coordination of work on the protection of personal data;
  • Consideration of requests from personal data subjects;
  • Analysis of operations that are not compliant with the GDPR;
  • Communication with supervisory authorities in any EU and CIS country;
  • Maintaining the register of processing activities in accordance with Art. 30 GDPR;
  • Regular update of internal and external documents;
  • Conducting a Data Protection Impact Assessment (DPIA) for risk processes;
  • Management of personal data breaches and notifications of data subjects and supervisory authorities.

Outsourced Privacy Engineering Team

A PETeam is a team formed by a certified GDPR expert, an engineer (software architect), and, if necessary, one or more programmers. All you need to do is to test the work and implement solutions. The PETeam provides support with the following tasks: 

  • Conducting software audits;
  • Assistance in drafting specific requirements that address the needs of your product;
  • Revision of the code and introducing changes to it - the team is deeply involved in your product;
  • Testing the knowledge of your employees and improving their skills using a specific product as an example;
  • Providing your specialists with advice and determining tasks related to changes and improvements for the further implementation of the GDPR;
  • Setting up product development processes in terms of personal data protection;
  • Final testing of the product to assess the quality of the developed personal data protection system.


Additional service:

  • Forming and training a similar Privacy Engineering Team within your company, which will be capable of introducing privacy into all your future products.

Penalties for failure to comply with GDPR rules

As you may have realized, the General Data Protection Regulation is a serious legal act of direct application, the violation of which entails serious sanctions. The European Union, endeavoring to guarantee the protection of personal data, has set quite severe penalties.

Violations of the Regulation are subject to fines of up to EUR 10,000,000 or up to EUR 20,000,000: the amount varies depending on the GDPR article. If the company's turnover is over half a billion euros, the maximum penalty is calculated as a percentage of the global turnover for the previous year: from 2% to 4%. The sanctions are set by Article 83 of the GDPR.


Importantly, supervisory authorities have the right to impose administrative fines on both controllers and processors. Fines can be imposed instead of, or together with, other measures prescribed by the supervisory authorities.

The top 5 largest fines during the period of application of the Regulation:

  • In January 2019, Google was fined €50 million because their privacy policy did not comply with GDPR requirements. The policy was written on many pages and in complicated language, preventing users from understanding how their personal data was being processed. In addition, the consent for processing personal data also did not comply with the Regulation, as all the boxes had already been pre-ticked for the users.
  • H&M was fined 35.3 million euro by the Hamburg supervisory authority. This decision was made after the Swedish mass-market brand had monitored hundreds of its employees. This processing included data about the personal lives of employees, which subsequently became available throughout the company.
  • TIM (telecommunications operator) was fined 27.8 million euro by the Italian supervisory authority. The company committed a number of violations, including: lack of consent for marketing activities, approaching data subjects who asked not to contact them with marketing offers, invalid consents collected in TIM applications, lack of adequate security measures to protect personal data, and lack of clear data retention periods.
  • In July 2018, British Airways was fined €22 million for not having proper technical information security measures under Article 32 of the GDPR.
  • Hotel group Marriott International, Inc. was fined 20.5 million euros. In 2016, Marriott acquired another group of companies, which was also related to the hotel business. Later it turned out that since 2014 this group of companies had a serious vulnerability in the data protection system. Marriott only found out about it in 2018, after the leak. It affected 339 million users. The information included banking information and other personal data.

These five cases only prove the importance of complying with the GDPR. Implementing GDPR is usually much more profitable for a company than acting on a "maybe we'll get away with it" principle. Regulators usually find violations due to dissatisfied customers, the media, bloggers, disgruntled former employees, etc. In addition, privacy becomes a marketing differentiator for new brands and attracts customers. Finally, getting your systems in order and putting processes in place is a task that any business seeking success will face sooner or later.


We hope you found this article helpful. Now you understand the basic rules of the GDPR and how to work with them. However, if it is difficult for you to cope on your own, you can always turn to our experts for help. This will be an investment in the future of your company, as well as a competitive advantage in the market right now. As a GDPR-compliant company, you will earn trust and respect from customers and partners, which is undoubtedly a valuable resource for any business.