GDPR Update

Compliance refresh.

Overview

GDPR compliance is treating personal data with deliberate care, not papering the file cabinet. Lawful basis per data category, data minimisation by design, working subject-rights workflows, public sub-processor list, 72-hour breach notification. Each piece exists because regulators check; each piece works because customers depend on it.

• Lawful basis review. Each data category has a documented lawful basis. Auditable processing comes from this.
• Data minimisation. Collect only what is needed. Reduces breach exposure structurally.
• Subject rights. Access, rectification, deletion, portability. The workflows that turn rights into actually-served requests.
• Sub-processor list plus 72-hour breach notification. Public list of sub-processors with DPAs; documented breach-notification process matches the regulatory clock.

The approach

Three habits make GDPR work in practice: data mapping first so the team knows what exists where, technical controls second tied to the lawful-basis review, ongoing annual review so the posture does not drift.

• Data mapping. What personal data exists, where it lives, how it flows. The starting artefact.
• Lawful basis per category. Consent, contract, or legitimate interest documented per category. Auditable processing.
• Subject-request workflow. Self-service portal plus human review. Customer rights served at speed.
• Sub-processor due diligence plus annual review. DPA per sub-processor; compliance posture reviewed yearly to catch drift.

Why this compounds

Each annual review tightens the posture. The team’s compliance fluency deepens; documentation stays current; subject-request response times improve as the workflows mature.

• Breach exposure reduced. Data minimisation reduces what can be breached. Real protection, not paperwork.
• Subject requests faster. Mature workflow produces fast responses. Customer trust preserved.
• Audit readiness. Annual review keeps documentation current. SOC 2 and ISO 27001 audits go faster.
• Year-one investment, year-two habit. First review is heavy lift. By the third, the discipline is part of operations.