GDPR, in operation. Not in a privacy notice.
Records of processing, lawful bases, data subject rights, DPIAs where required, processor agreements, transfer mechanisms. Plus the Article 32 controls that overlap heavily with SOC 2 and ISO 27001.
European Union regulation governing the processing of personal data of EU and EEA residents.
GDPR is European Union law governing the processing of personal data of EU and EEA residents, regardless of where the processor is based. Key obligations: lawful basis for each processing activity (Article 6), records of processing (Article 30), data subject rights (Articles 12 to 23), security of processing (Article 32), data protection impact assessments where high risk (Article 35), processor agreements (Article 28), and lawful international transfer mechanisms (Chapter V).
Who needs it
Any company that processes personal data of EU or EEA residents, even from outside the EU. SaaS with a single EU customer, a marketing list including EU contacts, or analytics that observe EU users all fall in scope. The territorial reach of Article 3 is broad. United Kingdom GDPR is a parallel regime post-Brexit with substantially identical requirements.
The HSD playbook for GDPR
HSD writes the Article 30 records of processing for both the controller and processor roles, the data protection impact assessments where the processing is high risk, the data subject request runbook, the data processing agreement template, the standard contractual clauses for international transfers, and the breach notification process. We implement Article 32 technical and organizational measures, which overlap heavily with SOC 2 Security and ISO 27001 Annex A.
Timeline
| Window | Workstream | Scope |
|---|---|---|
| Weeks 1 to 3 | Data mapping and Article 30 records | Inventory of processing activities, lawful bases, retention, transfers; controller and processor records |
| Weeks 2 to 4 | DPA template and processor agreements | Customer-facing DPA, processor agreements with subprocessors, SCCs for non-adequate countries |
| Weeks 3 to 7 | Article 32 controls | Pseudonymization where applicable, encryption, integrity, confidentiality, availability, regular testing |
| Weeks 5 to 7 | Data subject rights process | Request intake, identity verification, response within one month, refusal grounds documented |
| Ongoing | DPIAs where required | Article 35 DPIA for high-risk processing, especially profiling, large-scale special categories, systematic monitoring |
| Week 8 | Breach notification readiness | Seventy-two hour notification clock to supervisory authority; notification to data subjects without undue delay where high risk |
Cost reality
| Line item | Range | Note |
|---|---|---|
| Software platforms with GDPR support | USD 6,000 to 20,000 per year | Most compliance platforms cover GDPR; depth varies |
| DPO services (where required) | USD 25,000 to 80,000 per year | Article 37 DPO required for some processing types; outsourced DPOs are common |
| Privacy counsel for high-risk processing | Variable | DPIAs for novel processing typically require privacy counsel review |
| HSD bundled program | Scoped per program | Article 30, Article 32, DPA, DSR runbook in one engagement |
What auditors check
Article 30 records of processing
Maintained, current, addressing all controller and processor activities; supervisory authorities request these first in any inquiry.
Lawful basis for each processing activity
Identified before processing begins. Consent has stricter requirements than the other five bases; document the choice.
Data Processing Agreements with all processors
Article 28 contracts signed with every processor and subprocessor; current versions retained; sub-processor list maintained.
Data subject rights process
Documented intake, response within one month (extendable to three months for complex requests), refusal grounds when applicable.
International transfer mechanism
Adequacy decision, SCCs, BCRs, or Article 49 derogation for every transfer to a third country; transfer impact assessments where required.
Breach notification capability
Process to notify supervisory authority within seventy-two hours of awareness; capability to notify data subjects when high risk to rights and freedoms.
Common pitfalls
Treating GDPR as a privacy notice exercise
GDPR is operational. The privacy notice is a small artifact. Article 30 records, Article 32 controls, and the data subject rights runbook are where supervisory authorities focus.
Missing or incomplete records of processing
Article 30 records are the most-requested artifact in inquiries and complaints. Missing or stale records are a high-visibility gap.
Processor without DPA
Using a processor without a current Article 28 DPA is a controller-side breach. Inventory every processor and retain a current DPA for each.
Inadequate transfer mechanism
Post-Schrems II, transfers to the United States and other non-adequate countries require Standard Contractual Clauses plus a transfer impact assessment. Old DPAs without the 2021 SCCs are a finding.
Late breach notification
The seventy-two hours start at awareness, not at the end of the investigation. A breach discovered on Friday and notified on Monday lands outside the window.
FAQ
Does GDPR apply to companies outside the EU?
Do I need a Data Protection Officer?
What is a DPIA and when is it required?
What is a Standard Contractual Clause?
Are GDPR penalties really up to four percent of revenue?
Does ISO 27001 satisfy GDPR?
Want GDPR scoped for your stack?
Thirty-minute call. Fixed-scope quote inside a week. We tell you honestly when GDPR should wait or when it should lead.