Regulation guide

GDPR compliance

GDPR compliance is the baseline for handling personal data in the EU. This guide walks through the core GDPR requirements, the rights you must honour, and the new questions raised where AI and privacy meet.

The basics

The core GDPR requirements

AI and privacy: the new frontier

As organisations deploy machine learning, AI and privacy collide: automated decision-making, training data and profiling all raise fresh GDPR questions that sit alongside the EU AI Act.

Lawful, fair, transparent

GDPR requirements start with a lawful basis for processing and clear information for the people whose data you hold.

Data subject rights

Access, rectification, erasure, portability and objection are rights you must be able to honour to claim GDPR compliance.

Accountability

You must be able to demonstrate compliance: records of processing, DPIAs where needed, and appropriate security.

What GDPR compliance requires

Records of processing

Document what data you process, why and on what basis.

Breach notification

Report qualifying breaches within 72 hours where feasible.

DPIAs

Assess high-risk processing before you start.

Security of processing

Appropriate technical and organisational measures.

Where to next

Tool and connect

GRC tooling

Manage records, DPIAs and evidence in one place.

ISO 27701

Extend your ISMS to privacy information management.

EU AI Act

Where AI processing meets data protection.

GDPR FAQs

What are the GDPR requirements?

A lawful basis for processing, transparency, honouring data subject rights, security of processing and demonstrable accountability.

When must a breach be notified?

Qualifying personal-data breaches must be reported to the supervisory authority within 72 hours where feasible.

How do AI and privacy interact?

AI systems that process personal data must still satisfy GDPR, including rules on automated decision-making and profiling.

Keep GDPR compliance defensible.

Get the refresher in the GDPR webinar and put it into practice with open-source GRC tooling.