Question 1

What is GDPR and who does it apply to?

Accepted Answer

GDPR (General Data Protection Regulation) is the EU's data protection law that came into effect on May 25, 2018. It applies to: organizations established in the EU processing personal data, non-EU organizations offering goods/services to EU residents, and non-EU organizations monitoring behavior of EU individuals. It applies regardless of where the processing takes place.

Question 2

What are the key principles of GDPR?

Accepted Answer

GDPR is built on seven key principles: Lawfulness, fairness, and transparency; Purpose limitation; Data minimization; Accuracy; Storage limitation; Integrity and confidentiality (security); and Accountability. Organizations must demonstrate compliance with all these principles when processing personal data.

Question 3

What is the difference between a data controller and data processor?

Accepted Answer

A data controller determines the purposes and means of processing personal data-they decide why and how data is processed. A data processor processes personal data on behalf of the controller-they act on the controller's instructions. An organization can be both a controller (for their own data) and a processor (for clients' data).

Question 4

What are the lawful bases for processing under GDPR?

Accepted Answer

GDPR specifies six lawful bases: Consent (freely given, specific, informed), Contract (necessary for contract with data subject), Legal obligation, Vital interests (life-threatening situations), Public task (official authority or public interest), and Legitimate interests (balanced against data subject's rights). You must identify and document your lawful basis before processing.

Question 5

What rights do data subjects have under GDPR?

Accepted Answer

GDPR grants eight data subject rights: Right to be informed, Right of access, Right to rectification, Right to erasure (right to be forgotten), Right to restrict processing, Right to data portability, Right to object, and Rights related to automated decision-making and profiling. Organizations must have processes to respond to these requests within one month.

Question 6

What is a Data Protection Impact Assessment (DPIA)?

Accepted Answer

A DPIA is a process to identify and minimize data protection risks of a project. DPIAs are mandatory when processing is likely to result in high risk, including: systematic and extensive profiling, large-scale processing of special categories of data, and systematic monitoring of public areas. DPIAs must be conducted before processing begins.

Question 7

When is a Data Protection Officer (DPO) required?

Accepted Answer

A DPO is mandatory when: the organization is a public authority, core activities require regular and systematic monitoring of individuals at large scale, or core activities involve large-scale processing of special categories of data. Even if not mandatory, appointing a DPO is recommended. The DPO must be independent and report to the highest management level.

Question 8

What are the GDPR breach notification requirements?

Accepted Answer

Personal data breaches must be reported to the supervisory authority within 72 hours of becoming aware, unless unlikely to result in risk to individuals' rights. If there is high risk to individuals, they must also be notified without undue delay. Organizations must document all breaches, including those not reported, with facts, effects, and remedial actions.

Question 9

What documentation is required for GDPR compliance?

Accepted Answer

Required documentation includes: Records of Processing Activities (ROPA), privacy notices, consent records, Data Processing Agreements (DPAs), DPIA reports, breach records, data subject request logs, training records, and policies and procedures. Controllers with fewer than 250 employees have limited exemptions for ROPA.

Question 10

What are the rules for international data transfers?

Accepted Answer

Personal data can only be transferred outside the EU/EEA to countries with adequate protection or using appropriate safeguards. Options include: adequacy decisions (e.g., UK, Canada), Standard Contractual Clauses (SCCs), Binding Corporate Rules, or specific derogations. The EU-US Data Privacy Framework provides a mechanism for certified US organizations.

Question 11

What are the penalties for GDPR non-compliance?

Accepted Answer

GDPR has a two-tier penalty system: Up to €10 million or 2% of global annual turnover for violations of technical requirements, and up to €20 million or 4% of global annual turnover for violations of basic principles or data subject rights. Supervisory authorities can also issue warnings, reprimands, and orders to cease processing.

Question 12

What is privacy by design and by default?

Accepted Answer

Privacy by design means integrating data protection into the design of systems and processes from the outset, not as an afterthought. Privacy by default means that the strictest privacy settings apply automatically without manual input from the user. Both are required under GDPR Article 25 and should be documented.

Question 13

How do I handle consent under GDPR?

Accepted Answer

GDPR consent must be: freely given (no imbalance of power), specific (for defined purposes), informed (clear language about processing), unambiguous (clear affirmative action), and as easy to withdraw as to give. Pre-ticked boxes are invalid. Consent must be documented, and separate consent is needed for different processing purposes.

Question 14

What is a Records of Processing Activities (ROPA)?

Accepted Answer

ROPA is a document maintained by controllers and processors listing their data processing activities. It must include: purposes of processing, categories of data subjects and personal data, recipients, transfers to third countries, retention periods, and security measures. It must be made available to supervisory authorities on request.

Question 15

How does GDPR affect cookies and online tracking?

Accepted Answer

GDPR (alongside the ePrivacy Directive) requires consent for non-essential cookies. Essential cookies (strictly necessary for service functionality) do not require consent. Analytics, advertising, and tracking cookies require explicit consent before being placed. Cookie banners must provide granular choices and cannot use pre-ticked boxes or dark patterns.

GDPR Compliance Checklist Generator

Where is your organization established?

How It Works

Who Should Use the GDPR Compliance Checklist?

GDPR Compliance Checklist FAQ

More Resources

Policy Templates

Core Security

Access & Identity

Data Protection

Network & Infrastructure

Operations

Incident & Continuity

Development

Governance