– Compliance with data processing principles
– Promotes data subject rights
– Secures data
– Complies with data transfer and sharing rules
GDPR specifies when companies can legally process personal data. Before collecting data, an organization must establish a lawful basis for the processing. When collecting data, the company must inform users of this basis.
Data controllers are responsible for GDPR compliance. The controller must ensure, and be able to demonstrate, that its third-party processors meet GDPR requirements.
To safeguard personal data, controllers and processors must implement security measures. While the GDPR does not require specific controls, companies must take appropriate technical and organizational measures.
A data protection impact assessment (DPIA) is required before a company processes data in a way that puts data subjects' rights at risk.
Processing activities that trigger a DPIA include automated profiling and large-scale processing of special categories of personal data.
If it processes special category data or monitors data subjects extensively, a company must appoint a data protection officer (DPO). DPOs must be appointed by all public agencies.
Organizations must notify supervisory authorities and data subjects of data breaches. Most personal data breaches must be reported to supervisory authorities within 72 hours.