Section 4 of the GDPR outlines the requirement for applicable firms to appoint a data protection officer (DPO). All emphasis added unless otherwise stated. When a DPO must be appointed According to Article 37(1), data controllers and processors shall designate…

Most recent GDPR news stories highlighted the new 72-hour breach notification requirement and the potential €20,000,000 fines. Yes, those are provocative highlights that generate clicks and views, but they don’t provide much guidance for organizations, security compliance officers, and IT security…

Expanded territorial scope The GDPR represents a significantly increased territorial reach over its Data Protection Directive predecessor. Article 3 of the GDPR outlines that (all emphasis added unless otherwise stated): 1. This Regulation applies to the processing of personal data…

Administrative fines The GDPR imposes stiff fines on data controllers and processors for non-compliance. Determination Fines are administered by individual member state supervisory authorities (83.1). The following 10 criteria are to be used to determine the amount of the fine…

Article 4(1) defines “personal data” as follows (all emphasis added unless otherwise stated): ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in…

Within the GDPR, consent constitutes one of six possible legal grounds for lawful personal data processing under Article 6(1). For most commercial controllers and processors, however, it likely represents the principal option. (All emphasis to GDPR text are added unless…

“Legitimate interest” may be among the most confusing concepts written into the GDPR, which is not helped by the amount of incorrect interpretations available when you search for the term online. It is also an especially important concept to understand…