Skip to content

How do I comply with GDPR?

Explore some of our latest AI related thought leadership and research

6clicks has been built for cybersecurity, risk and compliance professionals.

Learn more about our Hub & Spoke architecture, Hailey AI engine and explore the other content in our platform here

Developing responsible AI management systems through the ISO/IEC 42001 standard

Using artificial intelligence has propelled global economic growth and enriched different aspects of our lives. However, its ever-evolving nature and...

Incorporating Generative AI into Cybersecurity: Opportunities, Risks, and Future Outlook

Key Takeaways Generative AI is a branch of artificial intelligence that focuses on creating new content with human-like creativity. The rise of...

Understanding RAG: Retrieval-Augmented Generation Explained

Natural Language Processing (NLP) has come a long way in the past few decades. With the goal of enabling more efficient communication between humans...

Responsible AI is here to stay

Artificial Intelligence (AI) and Machine Learning (ML) continue to be a much talked about topic since the release of ChatGPT last year but also well...

Responsible AI in risk management: Diving into NIST’s AI Risk Management Framework

Artificial intelligence has since changed the way we use technology and interact with organizations and systems. AI solutions such as automation and...

The Imperative of Governance to Achieving Responsible AI

AI brings many opportunities to businesses and we can see the AI boom across different industry verticals. However, it also questions who would be...


What is GDPR?

The General Data Protection Regulation (GDPR) is a comprehensive framework for data protection and privacy rights that went into effect across the European Union (EU) on May 25, 2018. Designed to replace the outdated Data Protection Directive of 1995, GDPR aims to strengthen the protection of personal data and give individuals greater control over how their information is used by organizations. The regulation applies not only to EU member states but also to any entity that processes the personal data of individuals living within the EU, regardless of the organization's location or size. Failure to comply with GDPR can result in significant fines and reputational damage, making it essential for businesses and other organizations to understand and follow its requirements.

Heading: How do I comply with GDPR?

To comply with GDPR, organizations need to undertake a series of actions to ensure the protection of personal data and respect the privacy rights of individuals. First and foremost, organizations should appoint a data protection officer and establish a compliance program that includes regular training and an ongoing assessment of data protection practices. It is essential to conduct privacy impact assessments and establish privacy policies and procedures that address the key principles of GDPR, such as lawfulness, fairness, and transparency in data processing activities. Organizations should also implement appropriate technical and organizational security measures to protect personal data from unauthorized access, disclosure, alteration, or loss. Additionally, organizations must maintain records of processing activities and be prepared to respond to subject access requests and personal data breaches in accordance with GDPR requirements. Finally, obtaining explicit consent for processing personal data, respecting the rights of individuals, and incorporating privacy by design into all processing operations are further steps to achieve compliance with GDPR.

Who does GDPR apply to?

The General Data Protection Regulation (GDPR) applies to a wide range of individuals and organizations. It is applicable not only to companies and entities based in the European Union (EU) but also to any organization that processes personal data of individuals residing within the EU, regardless of its geographic location or size. This means that if your organization stores or processes personal information about EU residents, even if you are located outside the EU, you must comply with the requirements of GDPR.

GDPR covers personal data, which is any information that can be used to directly or indirectly identify a person. It includes a broad range of data, such as names, addresses, email addresses, identification numbers, financial information, and more.

The regulation places specific obligations on organizations that process personal data, including the need to obtain clear and informed consent from individuals, implement proper security measures to protect the data, appoint a data protection officer (DPO) to oversee compliance, and provide individuals with the ability to exercise their rights, such as the right to access, rectify, and erase their personal data.

By understanding and adhering to the requirements of GDPR, organizations can not only avoid substantial fines and penalties but also demonstrate their commitment to protecting the privacy rights of individuals.

Supervisory authority & protection officers

One of the key aspects of complying with GDPR is understanding the roles and responsibilities of the supervisory authority and protection officers. The supervisory authority is an independent public authority established by each member state to ensure compliance with GDPR and protect individuals' rights regarding their personal data. This authority is responsible for monitoring and enforcing GDPR, conducting investigations, and imposing penalties for non-compliance. Protection officers, also known as data protection officers (DPOs), play a crucial role in organizations by ensuring compliance with GDPR and promoting a culture of data privacy. They are responsible for providing advice, monitoring compliance, conducting privacy impact assessments, and acting as a point of contact for individuals and the supervisory authority. Having a clear understanding of the roles and responsibilities of the supervisory authority and protection officers is essential for organizations to effectively comply with GDPR and protect individuals' personal data.

Understanding your supervisory authority

In order to comply with the General Data Protection Regulation (GDPR), it is crucial to understand the role and responsibilities of your supervisory authority. The supervisory authority, also known as the Data Protection Authority (DPA), plays a critical role in overseeing and enforcing GDPR compliance.

One of the primary functions of the supervisory authority is to supervise the application of the GDPR within their jurisdiction. They ensure that organizations are following the strict rules and regulations set forth by the GDPR when it comes to processing personal data. This includes monitoring the processing activities, conducting investigations, and issuing fines or penalties for non-compliance.

Another crucial function of the supervisory authority is to provide expert advice on GDPR compliance. They act as a valuable resource for organizations seeking guidance on how to interpret and implement the GDPR requirements. Their expertise helps businesses understand their legal obligations and develop effective data protection policies and practices.

Additionally, the supervisory authority handles complaints from individuals regarding potential violations of their data protection rights. They investigate these complaints and take appropriate actions to ensure that individuals' privacy rights are protected.

It is important to note that the supervisory authority has the power to impose fines for non-compliance with GDPR regulations. These fines can be substantial, depending on the severity of the violation. This serves as a deterrent and encourages organizations to prioritize data protection and adhere to the GDPR requirements.

The role of a data protection officer (DPO)

The role of a Data Protection Officer (DPO) is crucial for organizations aiming to comply with the General Data Protection Regulation (GDPR). The DPO is responsible for advising the organization on GDPR compliance practices, monitoring data handling processes to ensure compliance, and acting as the primary point of contact for data processing inquiries and GDPR regulators.

To effectively carry out these responsibilities, a DPO must possess expert knowledge of data protection laws and practices. They need to have a deep understanding of the GDPR requirements and be able to interpret and apply them to the organization's specific processing activities. This includes staying up to date with any changes or updates to privacy laws and regulations.

The DPO should also have a thorough understanding of the organization's data handling practices, including how personal data is collected, stored, processed, and shared. This knowledge enables them to monitor data handling processes and identify any potential compliance issues or risks.

Furthermore, the DPO should have excellent communication and problem-solving skills. They must effectively communicate with internal stakeholders to ensure compliance throughout the organization and serve as a reliable point of contact for inquiries from data subjects and supervisory authorities.

Public authority & privacy policies

Public authorities have a crucial role in ensuring compliance with GDPR regulations. As custodians of personal data collected and processed by government bodies, public authorities must establish robust privacy policies to protect individuals' rights and maintain the highest level of data security. These policies outline the lawful basis for processing personal data, including explicit consent where required, and establish strict rules for data handling. Public authorities must also conduct privacy impact assessments to identify and mitigate privacy risks related to their processing operations. Additionally, they should have effective mechanisms in place to address subject access requests and promptly respond to any personal data breaches. By implementing comprehensive privacy policies, public authorities can demonstrate their commitment to protecting personal data and upholding the principles of GDPR compliance.

Obtaining permission to process data from public authorities

Obtaining permission to process data from public authorities is a crucial step in complying with the General Data Protection Regulation (GDPR). To ensure compliance, organizations must follow specific steps when seeking permission:

  1. Identify the relevant public authority: Determine which public authority has jurisdiction over the data you wish to process. This authority may be a supervisory authority or a government agency responsible for data protection.
  2. Establish a lawful basis: Before processing any data, you must establish a lawful basis for doing so. The lawful bases outlined under the GDPR include consent, contractual necessity, legal obligation, vital interests, public task, and legitimate interests.
  3. Obtain explicit consent: If you rely on consent as the lawful basis for processing, explicit consent is required, particularly when dealing with sensitive personal data. Explicit consent must be freely given, specific, informed, and unambiguous.
  4. Ensure transparency: Transparency is vital when processing data obtained from public authorities. Clearly inform individuals about the purpose of data collection, storage, and processing. This includes providing information in a clear and concise manner, using plain language, and ensuring individuals understand their rights.
  5. Document the permission: Maintain a record of the permission obtained from the public authority. This documentation should include details of the lawful basis, explicit consent, and any other relevant information.

By following these steps, organizations can obtain permission to process data from public authorities in a compliant manner. Remember, GDPR compliance is an ongoing process, and regular reviews of data processing activities are necessary to ensure continued compliance.

Creating and implementing a privacy policy

Creating and implementing a privacy policy is essential for any website that collects and processes personal data. This policy serves as a legal document that outlines how the website collects, uses, and protects user information. It is important to regularly update the privacy policy with critical information about data collection and usage to ensure compliance with GDPR regulations.

When collecting email addresses for marketing purposes, it is crucial to clearly inform users about the types of correspondence they can expect. This may include newsletters, promotional offers, or updates about products and services. Users must have the option to easily unsubscribe or opt out from receiving these communications.

To align with GDPR principles, it is important to include provisions in the privacy policy that make it easy for individuals to exercise their rights. This includes the ability to request deletion of their data or to cease data processing. Additionally, the privacy policy should offer an objection process, allowing users to express their concerns and preferences regarding their personal data.

Privacy by design is a critical concept that should be integrated into the development and design of the website. This involves incorporating appropriate technical and organizational measures to enhance data protection. By implementing privacy-friendly features from the beginning, such as data anonymization and encryption, privacy risks can be minimized.

Processing activities & protection impact assessments (PIAs)

Processing activities refer to any operation or set of operations performed on personal data, such as collecting, storing, or using it for specific purposes. In order to comply with GDPR, organizations must carefully evaluate and document their processing activities to ensure they are lawful and in line with the privacy principles outlined in the regulation. This includes conducting Protection Impact Assessments (PIAs) for high-risk processing activities. PIAs involve a systematic assessment of the potential privacy risks and the necessary measures to mitigate them. It helps organizations identify and address any potential risks to individuals' rights and freedoms before processing their personal data. By conducting PIAs, organizations can demonstrate their compliance efforts, protect individuals' privacy, and build trust with their users.

Identifying and documenting all personal data processing activities

Identifying and documenting all personal data processing activities is an essential step towards compliance with the General Data Protection Regulation (GDPR). As a responsible organization, it is crucial to have a clear understanding of the personal data you hold and the various processes involved in its handling.

Start by listing all the personal data you hold, including details about its source and the entities you share it with. This could include information such as names, contact details, IP addresses, and more. Document this information thoroughly as part of your record-keeping to demonstrate transparency and accountability.

Regularly review and update these records to ensure accuracy. In the event you discover any inaccuracies in the shared personal data, it is your responsibility to inform the other organization to correct their records. This proactive approach not only helps maintain data accuracy but also strengthens the trust with individuals.

By identifying and documenting personal data processing activities, you lay the foundation for a robust data protection strategy. This enables you to effectively assess privacy risks, implement necessary security measures, and ensure compliance with GDPR's principles and requirements.

Remember to maintain strict confidentiality and privacy when handling personal data. Adhering to lawful basis for processing, obtaining explicit consent, and respecting individuals' rights are vital aspects of compliance. Keep records of processing operations, conduct privacy impact assessments, and establish clear privacy policies to mitigate risks and demonstrate compliance.

By following these compliance practices and regularly reviewing your data processing activities, you can ensure that your organization meets the requirements of GDPR, protects personal data, and upholds individuals' privacy rights.

Conducting protection impact assessments (PIAs)

Conducting protection impact assessments (PIAs) is a crucial step in ensuring compliance with the GDPR regulations. PIAs help organizations identify and mitigate risks associated with processing personal data. Here is a step-by-step process for conducting PIAs effectively:

  1. Identify the need for a PIA: Determine whether your processing activities involve high-risk data processing, such as processing sensitive personal data or engaging in systematic monitoring.
  2. Describe the processing activities: Document the purpose, nature, and scope of the processing activities, including any special category data or criminal offense data involved.
  3. Assess risks: Conduct a thorough assessment of the potential risks and impacts on individuals' rights and freedoms. Consider factors such as the likelihood and severity of the risks, the vulnerability of individuals, and the complexity of the processing activities.
  4. Identify measures to reduce risks: Identify and implement appropriate measures to mitigate the identified risks. This could include technical and organizational measures to enhance data security and protect individuals' privacy.
  5. Consult relevant stakeholders: Involve key stakeholders, such as data protection officers, legal advisors, and IT professionals, in the consultation process. Seek their expertise and input to ensure that all perspectives are considered.
  6. Obtain necessary sign-offs: Ensure that the PIA includes necessary sign-offs from management or other relevant decision-makers. This demonstrates accountability and commitment to protecting individuals' rights and privacy.
  7. Record outcomes: Document the outcomes of the PIA, including the identified risks, measures taken to mitigate them, and any decisions or changes implemented. This record serves as evidence of compliance and can be referenced in future audits or as part of ongoing compliance activities.

By following these steps, organizations can effectively conduct PIAs for their high-risk processing operations, thereby demonstrating their commitment to protecting individuals' privacy rights and complying with the GDPR regulations.

Establishing appropriate technical and organizational measures for PIAs

Establishing appropriate technical and organizational measures is crucial for conducting effective protection impact assessments (PIAs) and ensuring compliance with the General Data Protection Regulation (GDPR). These measures focus on the 'security of processing' and play a significant role in safeguarding personal data.

First and foremost, utilizing up-to-date software tools is essential. Outdated software can harbor vulnerabilities, making it easier for unauthorized individuals to access sensitive information. By regularly updating software and applying security patches, organizations can significantly reduce the risk of data breaches and protect individuals' privacy.

Documenting the nature and scope of data processing is fundamental as it provides a clear understanding of how personal data is collected, used, and shared. This documentation helps identify potential risks and enables organizations to take appropriate measures to mitigate them.

Segregating data and applying appropriate security measures are vital steps in protecting personal data. By categorizing data based on sensitivity and applying suitable access controls, organizations can limit the number of individuals who have access to sensitive information, minimizing the risk of unauthorized disclosure or misuse.

Encrypting and pseudonymizing data provide an additional layer of protection. Encryption transforms data into unreadable formats without the decryption key, ensuring that even if the data is compromised, it remains unintelligible to unauthorized parties. Pseudonymization involves replacing identifying information with a pseudonym, further reducing the risk associated with the processing of personal data.

Making personal data available to data subjects allows individuals to exercise their rights under the GDPR, such as access, rectification, and erasure. It is essential to establish mechanisms for fulfilling these requests promptly and securely to uphold individuals' privacy rights.

Regularly testing and evaluating the effectiveness of controls is crucial in maintaining the security of processing. By conducting regular security audits, vulnerability assessments, and penetration testing, organizations can identify weaknesses in their systems and take appropriate corrective actions to enhance their data protection measures.

Introducing a data protection by design approach

A key requirement for complying with the General Data Protection Regulation (GDPR) is implementing a data protection by design approach. This approach focuses on integrating data protection and privacy controls into the design and development of processing activities and systems.

By incorporating privacy considerations from the beginning of a project, organizations can ensure the highest level of data protection. This proactive approach ensures that privacy controls are embedded into the foundation of processing activities and systems, rather than being added as an afterthought.

Data protection by design involves identifying and addressing privacy risks at the design stage of a project. This includes conducting privacy impact assessments, which evaluate the potential privacy risks associated with processing activities and the measures needed to mitigate them. Implementing privacy controls at this early stage helps organizations enhance data protection and privacy by default.

Furthermore, a data protection by design approach encourages organizations to adopt privacy-preserving technologies and techniques. These can include using encryption and pseudonymization methods to safeguard personal data and reduce the risk of unauthorized access or disclosure.

By embracing a data protection by design approach, organizations can demonstrate their commitment to GDPR compliance and the protection of individuals' privacy. This proactive approach ensures that privacy controls are thoughtfully integrated into the design and development of processing activities and systems, providing individuals with the highest level of data protection from the start.

Protection policies & email addresses

Protection Policies:

Protection policies are essential for ensuring compliance with GDPR. These policies outline an organization's commitment to data protection and privacy and provide guidance on how personal data should be handled. They establish a framework for protecting personal data by defining the principles, procedures, and responsibilities for data protection within the organization. Protection policies should cover various aspects, such as data security measures, lawful basis for processing, retention periods, subject rights, breach notification procedures, and compliance practices. By implementing comprehensive protection policies, organizations can demonstrate their commitment to data protection and establish a culture of privacy within the organization.

Email Addresses:

Email addresses are considered personal data under GDPR and must be processed in accordance with the regulation's requirements. Organizations need to ensure that they have a lawful basis for processing email addresses and that individuals have given their explicit consent for their email addresses to be used for the intended purposes. It is important to have clear privacy policies in place that inform individuals about how their email addresses will be used, who will have access to them, and how long they will be retained. Organizations should also have robust security measures in place to protect email addresses from unauthorized access or disclosure. In addition, individuals have the right to access, rectify, and erase their email addresses, and organizations must have processes in place to respond to such requests in a timely manner. Compliance with these requirements helps organizations build trust with individuals and demonstrates a commitment to protecting their personal data.

Developing an internal data protection policy

Developing an internal data protection policy that complies with GDPR involves several key steps. Firstly, organizations need to understand the requirements set forth by the GDPR and identify how these requirements apply to their specific processing activities. This includes identifying the lawful basis for processing personal data and ensuring that all processing operations adhere to the principles of data protection.

Integrating privacy by design principles is essential during the development of the policy. This means considering data protection and privacy from the very beginning of any new project or process, rather than as an afterthought. Privacy by design principles ensure that privacy and data protection measures are built into the design and operation of systems and workflows.

Regular self-audits are important for assessing and maintaining GDPR compliance. Organizations should conduct internal audits to evaluate their data protection practices, identify any gaps or risks, and take corrective actions when necessary. This ongoing process helps demonstrate an organization's commitment to protecting personal data and enables them to make any necessary improvements.

Additionally, organizations must ensure that personal data is collected, stored, and processed securely. This includes implementing appropriate data security measures, such as encryption and access controls, to protect against unauthorized access, loss, or breaches.

By developing an internal data protection policy that incorporates privacy by design principles and conducting regular self-audits for GDPR compliance, organizations can demonstrate their commitment to protecting personal data and minimizing privacy risks.

General thought leadership and news

From Compliance to Cybersecurity: The 6clicks Ideal Customer Profile

From Compliance to Cybersecurity: The 6clicks Ideal Customer Profile

In an era where digital threats loom larger by the day, the intersection of compliance and cybersecurity has never been more critical. For businesses...

AI Hype and GRC

Beyond the AI Hype: Crafting GRC Solutions That Truly Matter

In the relentless chase for innovation, it's easy to get caught in the dazzling allure of AI. Everywhere you turn, AI seems to be the silver bullet,...

Reflections from my time as Chief Digital Officer at KPMG

Reflections from my time as Chief Digital Officer at KPMG

Between 2016 and 2018 I held the role of Chief Digital Officer at KPMG, responsible for strategy and the development of software assets to underpin...

6clicks Partners with Microsoft to run 6clicks on Private Azure Clouds

6clicks Partners with Microsoft to run 6clicks on Private Azure Clouds

Summary 6clicks, a cyber governance, risk, and compliance (GRC) platform, has partnered with Microsoft to offer a privately hosted option of its...

6clicks Fabric - Hosted on private Microsoft Azure clouds

Empowering enterprises: Get in control with your own GRC SaaS platform-in-a-box

In today's dynamic business landscape, enterprises are constantly seeking innovative solutions to streamline their operations, improve the value they...

6clicks Fabric for GSIs: Tailoring cybersecurity GRC programs for global markets

6clicks Fabric for GSIs: Tailoring cybersecurity GRC programs for global markets

Robust cybersecurity measures and the effective and safe implementation of IT infrastructure are critical for organizations to successfully do...