New

Our AI-first training platform is live – safe AI skills, tracked, certified, and audit-ready.

Back to frameworks
Data protection (EU)

GDPR – EU General Data Protection Regulation

The EU's data protection regulation – lawful bases, data-subject rights, and accountability obligations for any organisation handling EU personal data.

The General Data Protection Regulation (GDPR) is the EU's data protection law and still the world's most influential privacy regime – the template that Australian, UK, and dozens of other reforms borrow from. It carries the fines everyone quotes (up to €20 million or 4% of global annual turnover, whichever is higher), but its real demand is quieter and harder: accountability. Under Article 5(2) you must be able to demonstrate compliance – which makes GDPR, at its core, an evidence problem. Evidence is what we do.

Yes, it probably applies to youLink to this section

GDPR doesn't stop at the EU border. Under Article 3 it applies to any organisation, anywhere, that offers goods or services to people in the EU or monitors their behaviour – an Australian SaaS company with European users, an exporter with EU customers, a retailer whose analytics tracks EU visitors. If that's you, you're expected to meet the same bar as a company in Berlin, and your EU customers' procurement teams will ask you to prove it. (The UK GDPR mirrors the regime for the UK market – align once and you substantially cover both.)

The architecture: principles, bases, rightsLink to this section

Three structures carry most of the regulation's weight:

  • Seven principles (Article 5) – lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability. Every other obligation elaborates on these.
  • Six lawful bases (Article 6) – every processing purpose needs exactly one, chosen before processing starts. Consent is the most abused basis, not the default one; legitimate interests requires a documented balancing test.
  • Data subject rights (Articles 12–22) – access, rectification, erasure, restriction, portability, objection, and protections around automated decision-making. Requests arrive through any channel, the clock is one month, and the staff member who receives one needs to recognise it. That is a training problem before it is a legal one.

Security and the 72-hour clockLink to this section

Article 32 requires security measures appropriate to the risk – and regulators read "organisational measures" to include a trained workforce, since human error remains the leading cause of reported breaches. When a breach does occur, Article 33 gives you just 72 hours to notify the supervisory authority, and Article 34 requires telling affected individuals when the risk is high. Organisations that meet the deadline are the ones that rehearsed the decision-making, not just the technology.

Accountability: the paper trail that isn't optionalLink to this section

GDPR names its evidence artefacts explicitly: records of processing activities (Article 30), data protection impact assessments for high-risk processing (Article 35), processor agreements (Article 28), documented consent, and – where required – a data protection officer whose statutory tasks include staff training and awareness (Article 39). An assessor or authority asking questions starts with these documents. If they exist, are current, and match reality, most inquiries end quickly.

How GDPR relates to other frameworksLink to this section

ISO 27701 is the natural certification companion – a privacy management system whose controls map onto GDPR obligations, giving you an auditable way to demonstrate Article 5(2) accountability. ISO 27001 substantiates Article 32 security. And for Australian organisations, GDPR work is largely reusable for the Privacy Act – the reform direction is convergence, so building to the higher bar pays twice.

How we helpLink to this section

We bring GDPR down from legal abstraction to things your teams can actually do and evidence:

  • Scoping and gap assessment. Whether and how GDPR applies to you, what processing you actually do, and a prioritised remediation plan in plain language.
  • The accountability pack. RoPA, lawful-basis register, DPIA process, privacy notices, and Article 28 processor terms – built as living artefacts tied to your real systems.
  • Workforce training that regulators recognise. Practitioner-led data protection training for the whole organisation, with role-specific depth for engineering, marketing, and support – the "organisational measure" that prevents the breaches technology can't.
  • Breach readiness. A 72-hour playbook and tabletop exercises so notification decisions are practised, not improvised.
  • Evidence on tap. Training completions, certificates, and policy attestations land in our platform's tamper-evident ledger – exportable the moment a customer, authority, or auditor asks you to demonstrate compliance.

The table below maps the key GDPR obligations to how we help you meet each one.

Key GDPR obligations

Principles and lawful processing

ArticleObligationHow we help
Art. 5Principles – lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity, and accountabilityWe assess every processing activity against the seven principles and – critically for Article 5(2) – build the documentation that lets you demonstrate compliance, not just assert it.
Art. 6Lawful bases for processingWe map each processing purpose to its lawful basis (consent, contract, legal obligation, vital interests, public task, or legitimate interests) and document the legitimate-interests assessments where you rely on them.
Art. 7Conditions for consentWe audit your consent capture end to end – freely given, specific, informed, unambiguous, and as easy to withdraw as to give – and fix the dark patterns regulators now actively hunt.

Data subject rights

ArticleObligationHow we help
Art. 12–14Transparency and privacy noticesWe write layered, plain-language privacy notices covering every Article 13/14 disclosure, delivered at the point of collection rather than buried in a footer.
Art. 15–18Access, rectification, erasure, and restrictionWe design a rights-request workflow with identity verification, one-month clocks, and exception handling – then train the staff who will receive requests through whatever channel they arrive.
Art. 20–22Portability, objection, and automated decision-makingWe assess where profiling and automated decisions occur (including AI systems), implement the human-review safeguards Article 22 requires, and build portability exports that satisfy the regulation without over-engineering.

Accountability and governance

ArticleObligationHow we help
Art. 24–25Controller responsibility and data protection by design and by defaultWe embed privacy-by-design checkpoints into your product and project life cycle so new systems launch with minimisation and default protection built in – with the design decisions recorded as evidence.
Art. 28Processors and data processing agreementsWe inventory your processors, put compliant Article 28 terms in place, and run proportionate due diligence – so your supply chain doesn't become your breach.
Art. 30Records of processing activities (RoPA)We build and maintain your RoPA as a living register tied to real systems and data flows, not a one-off spreadsheet that expires the day it's finished.
Art. 35Data protection impact assessmentsWe provide DPIA templates and run the high-risk assessments with you – new technologies, large-scale monitoring, sensitive data, and AI use cases – with mitigations and residual risk documented.
Art. 37–39Data protection officerWe help you determine whether you must appoint a DPO, define the role's independence and reporting lines, and equip them with the training and awareness programme Article 39 makes part of the job.

Security and breach response

ArticleObligationHow we help
Art. 32Security of processingWe translate "appropriate technical and organisational measures" into a concrete control set – encryption, access control, resilience, testing – and the staff security training that regulators consistently treat as an organisational measure.
Art. 33–34Breach notification to authorities and individualsWe build your 72-hour breach playbook – detection, severity assessment, notification decision trees, and communication templates – and pressure-test it with tabletop exercises before a real incident does.

International transfers

ArticleObligationHow we help
Art. 44–49Transfers to third countriesWe map every cross-border flow (including cloud and SaaS), apply the right mechanism – adequacy, standard contractual clauses, or binding corporate rules – and complete transfer impact assessments where required.

Need help with compliance?

From ISO 27001 readiness to SOC 2 audits, we help teams build practical programs that satisfy assessors and work in the real world.