Consent: Collect clear, informed consent for marketing.

Contractual Necessity: Process data to fulfil orders and services.

Legal Obligation: Comply with laws (e.g., tax, financial regulations).

Legitimate Interests: Process data for business needs like marketing and fraud prevention, ensuring these don’t override individual rights.

Documentation: Keep records of the lawful basis for data processing and update privacy policies to inform customers.
​

Access: Provide an easy way for individuals to see and download their data.

Rectification: Allow updates to incorrect or incomplete data.

Erasure: Offer a process to delete data upon request if conditions are met.

Restriction of Processing: Temporarily limit data processing if requested.

Data Portability: Provide data in a machine-readable format like CSV or JSON.

Objection: Allow opt-out from marketing and other processing activities.

Automated Decision Making: Inform and provide recourse against automated decisions affecting individuals.
​

During Design:

Default Settings:

Ongoing Practices:

Technical Measures:

Organisational Measures:

Requirement Assessment: Determine if a DPO is needed based on data processing activities.

Appointing a DPO: Ensure the DPO has expertise in data protection laws and practices, and provide them with the necessary resources and independence.

Documentation: Maintain detailed records of all data processing activities.

Regular Updates: Periodically update records to reflect changes.

High-Risk Activities: Identify activities requiring DPIAs.

Conducting DPIAs: Follow a structured process to assess and mitigate risks.

Incident Response Plan: Develop and maintain a plan for addressing data breaches.

Detection Mechanisms: Implement tools to detect breaches promptly.

72-Hour Notification: Notify the relevant authority within 72 hours if a breach occurs.

Content of Notification: Include details about the breach, its consequences, and measures taken.

High-Risk Notification: Inform affected individuals if their rights are at high risk.

Content of Notification: Provide clear information about the breach and protective measures.

Standard Contractual Clauses (SCCs): Use SCCs for transfers to non-EU countries.

Binding Corporate Rules (BCRs): Implement BCRs for intra-group transfers.

Adequacy Decisions: Transfer data to countries with an adequacy decision from the European Commission.
​

Impact Assessments: Regularly review and document international transfers.

Audits: Conduct periodic audits to ensure compliance.

Clear Opt-In: Require a clear, affirmative action for consent.

Detailed Information: Provide detailed information about data processing purposes.
​

Record Keeping: Maintain records of obtained consents.

Easy Withdrawal: Ensure individuals can easily withdraw consent.

Contractual Clauses: Include GDPR-compliant clauses in contracts with data processors.

Due Diligence: Assess vendors’ compliance with GDPR before entering agreements.
​

Regular Audits: Audit vendors and partners regularly.

Compliance Documentation: Maintain records of all vendor agreements and compliance checks.

Regular Sessions: Conduct regular GDPR training for all employees.

Specialised Training: Offer specialised training for those handling sensitive data.
​

Ongoing Communication: Implement communication strategies to keep data protection a priority.

Resources and Support: Provide access to GDPR resources and support for employees.

Point of Contact: Designate a contact for communications with supervisory authorities.

Notification Procedures: Establish procedures for notifying authorities of breaches and other issues.
​

Timely Cooperation: Respond promptly to requests or investigations.

Documentation: Maintain detailed records of interactions with authorities.