EU General Data Protection Regulation Readiness.

EU regulation governing personal data of EU residents — applies extraterritorially regardless of where the platform is hosted

Readiness guide

The General Data Protection Regulation (Regulation (EU) 2016/679) is EU law governing the processing of personal data of natural persons in the EU. It came into force in May 2018, replacing the 1995 Data Protection Directive.

GDPR has extraterritorial scope. It applies to any organization — anywhere in the world — that processes the personal data of EU residents, either by offering goods/services to them or by monitoring their behavior. This is why a US-based SaaS company with EU customers is in scope even without an EU presence.

GDPR is enforced by national Data Protection Authorities (DPAs) — the ICO in the UK, CNIL in France, Datatilsynet in Denmark, BfDI in Germany, etc. Maximum administrative fines: 4% of annual global turnover or €20M (whichever higher). Major enforcement actions have hit Meta, Amazon, Google, and TikTok in the €100M+ range.

Brexit aftermath: UK GDPR (effectively identical to EU GDPR) governs UK data. EU adequacy decision for the UK extends EU–UK data flows but is reviewed periodically.

Source: GDPR full text (EUR-Lex) · European Data Protection Board (EDPB) guidelines · ICO (UK) Guide to GDPR

Two roles defined by GDPR:

Controllers: Organizations that determine the purposes and means of processing personal data. Most SaaS companies are controllers for their direct customers (employees, account holders, marketing list members).

Processors: Organizations that process personal data on behalf of a controller. Most SaaS companies are processors when they handle their customers' end-user data.

Most SaaS companies wear both hats simultaneously — controllers for their own users, processors for their customers' users.

You probably need GDPR compliance if: you have any EU residents in your user base (customers, prospects, leads, employees), your platform is accessible to EU residents, OR you process data on behalf of customers who have EU users.

You probably do NOT need full GDPR compliance work if: you have no EU users today AND no plans to have any. But basic data hygiene aligned with GDPR principles is good practice regardless.

Cloud Upload is not a law firm. Many GDPR questions (especially around lawful basis for processing, DPO requirements, and cross-border transfer mechanisms) need legal counsel. We handle the technical and operational side.

Three concrete outputs:

  • Output A

    Records of Processing Activities (RoPA)

    Documented inventory of processing activities — what data, what purpose, what lawful basis, what retention, what sharing. Article 30 requires this; DPAs ask for it during investigations.

  • Output B

    Data subject rights apparatus

    Workflows for handling Article 15-22 rights: access requests, rectification, erasure (“right to be forgotten”), restriction, portability, objection, automated decision-making rights. SLA: 30 days from request (extendable to 90 with notice).

  • Output C

    Breach notification capability

    Decision tree, notification workflow, and rehearsed procedure for the 72-hour DPA notification window (Article 33) and individual notification when high risk to rights and freedoms (Article 34).

Additional considerations: Data Protection Impact Assessments (DPIAs) for high-risk processing (Article 35), Data Protection Officer (DPO) designation when required (Article 37), Standard Contractual Clauses (SCCs) for transfers to non-adequate countries (Articles 46-49 + Schrems II implications).

GDPR is primarily a data governance framework, not a technical security framework. Article 32 (Security of Processing) is where technical safeguards are required — these map to CC360° categories. Most other articles are policy, process, and legal work outside CC360°.

Section | Title | CC360° category
Article 32 | Security of Processing (encryption, pseudonymization, confidentiality, integrity, availability, resilience) | §1 IAM · §2 Network · §3 Data · §4 Logging & Detection · §6 Architecture & Resilience
Article 33 | Notification of personal data breach to supervisory authority (within 72 hours) | §4 Logging & Detection · §8 IR Readiness
Article 34 | Communication of personal data breach to data subject | §8 IR Readiness (notification workflow)
Article 35 | Data Protection Impact Assessment (high-risk processing) | Cross-cutting (DPIA process — outside CC360°)
Article 25 | Data protection by design and by default | §7 Workload Security · §3 Data (minimization, pseudonymization defaults)
Article 30 | Records of processing activities | Cross-cutting (RoPA documentation — outside CC360°)
Articles 12–22 | Data subject rights (access, rectification, erasure, etc.) | §3 Data (data deletion mechanism, export capability)
Articles 44–49 | Cross-border data transfers | Cross-cutting (SCC drafting, transfer impact assessments — outside CC360°)
Article 37 | Data Protection Officer | Cross-cutting (governance role — outside CC360°)

GDPR readiness is roughly 30% technical (CC360° territory) and 70% policy + legal + operational. Cloud Upload covers the technical 30% directly and partners with privacy counsel for the policy/legal layer.

A GDPR readiness engagement is typically 8 to 12 weeks for the technical + operational scope. Legal counsel runs parallel for policy + cross-border transfer work.

  1. Weeks 1-2

    Data flow mapping

    Identify all systems holding EU resident personal data. Map data flows in/out/across systems. Identify processors and sub-processors. Establish RoPA structure.

  2. Weeks 2-6

    Article 32 technical safeguards + DSR mechanisms

    CloudCheck 360° pass surfaces technical gaps in encryption, access control, logging. Data subject rights mechanisms built or enhanced (access export, deletion, rectification workflows). Data minimization review per processing activity.

  3. Weeks 4-10

    Breach notification + DPIA

    Breach detection, classification, and 72-hour DPA notification workflow established. DPIA template + first DPIA executed for one high-risk processing activity. Tabletop exercise of breach notification timeline.

  4. Weeks 8-12

    Documentation + handoff to legal

    RoPA finalized. Privacy notices reviewed for Article 13/14 completeness. SCCs status documented for cross-border transfers. Legal counsel handoff for DPO designation, lawful basis review, and any cross-border transfer impact assessment requirements.

Annual review cycle: RoPA refresh, DPIA refresh, DSR workflow audit, training delivery to data handlers.

  • Records of Processing Activities (RoPA) absent or stale.

    Article 30 requires controllers and processors to maintain RoPAs. Most companies either don't have one or have one from initial GDPR compliance work in 2018 that was never updated. The fix is a quarterly RoPA review with an explicit owner.

  • Data subject rights workflow is “we email engineering.”

    Articles 15-22 grant specific rights with 30-day SLAs. Most companies handle requests ad hoc with no documented workflow. The fix is a structured request intake (typically a privacy email, intake form, or in-app surface) with case management and SLA tracking.

  • Data deletion that is not actually deletion.

    Article 17 (right to erasure) is one of the most-requested rights and one of the hardest to implement. Most platforms “delete” by setting a flag rather than removing the data, which leaves it readable, exportable and restorable. Backups, log files, analytics platforms, third-party processors — full deletion is genuinely hard. The fix is a documented deletion procedure that covers backup expiry and processor-side verification.

  • Cross-border transfer mechanism missing or expired.

    Post-Schrems II (2020), transfers from the EU to the US require updated SCCs and a transfer impact assessment. Many companies signed older SCC versions and never updated. The fix is reviewing every processor agreement for the current SCC version plus a documented TIA.

  • Breach notification timeline unrealistic.

    Article 33 requires DPA notification within 72 hours of awareness. Most incident response runbooks do not contemplate the privacy-counsel involvement, the draft notification to the DPA, and the decision on Article 34 individual notification within that window. The fix is integrating privacy counsel into the IR runbook with templated notification drafts.
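As an added example (not code from this guide or from Cloud Upload), the following Python distinguishes the flag-based “delete” from verified erasure: a request is reported as complete only once the primary row is gone, the last backup holding the subject has rolled off, and every processor has confirmed deletion. It also computes the 30-day response window the guide cites. The user table, dates and processor names are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Constructed sample user table; the anti-pattern below only flips a flag here.
USERS = {"u-42": {"email": "a@example.eu", "deleted": False},
         "u-43": {"email": "b@example.eu", "deleted": False}}

def soft_delete(users: dict, subject_id: str) -> None:
    """The gap: the row stays readable, exportable and restorable."""
    users[subject_id]["deleted"] = True

def hard_erase(users: dict, subject_id: str) -> None:
    """Remove the row itself; backups and processors still need handling."""
    users.pop(subject_id)

@dataclass
class ErasureRequest:
    subject_id: str
    received: date
    primary_erased: bool = False
    backup_expiry: Optional[date] = None            # last backup holding the subject rolls off
    processors: dict = field(default_factory=dict)  # processor name -> deletion confirmed?

def sla_deadline(req: ErasureRequest, extended: bool = False) -> date:
    """Response window from the guide: 30 days, 90 when an extension was notified."""
    return req.received + timedelta(days=90 if extended else 30)

def erasure_status(req: ErasureRequest, today: date) -> str:
    """Only 'complete' once every copy is gone or has rolled off."""
    if not req.primary_erased:
        return "pending"
    if req.backup_expiry and today < req.backup_expiry:
        return "awaiting_backup_expiry"
    if not all(req.processors.values()):
        return "awaiting_processor_confirmation"
    return "complete"

def run_example(today: date = date(2024, 3, 1)) -> dict:
    users = {k: dict(v) for k, v in USERS.items()}
    soft_delete(users, "u-43")  # flag set, row still present
    req = ErasureRequest("u-42", received=today, backup_expiry=today + timedelta(days=35),
                         processors={"mail-provider": False, "analytics": True})
    out = {"soft_deleted_row_still_present": "u-43" in users,
           "before_erase": erasure_status(req, today),
           "sla_days": (sla_deadline(req) - today).days}
    hard_erase(users, req.subject_id)
    req.primary_erased = True
    out["after_primary_erase"] = erasure_status(req, today)
    out["at_backup_expiry"] = erasure_status(req, req.backup_expiry)
    req.processors["mail-provider"] = True
    out["after_processor_confirmation"] = erasure_status(req, req.backup_expiry)
    return out
```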

  • Do we need an EU representative or DPO?

    EU Representative (Article 27) is required for non-EU companies offering goods or services to EU residents at scale. DPO (Article 37) is required when processing involves regular and systematic monitoring of data subjects on a large scale, or large-scale processing of special category data. Many SaaS companies need a representative; fewer need a DPO. Confirm with privacy counsel.

  • What is “lawful basis” and which one applies?

    Article 6 enumerates six lawful bases: consent, contract, legal obligation, vital interests, public task, legitimate interests. Most B2B SaaS processes data under “contract” (necessary to provide the service) or “legitimate interests.” Marketing email lists typically need “consent.” Pick lawful basis per processing activity and document it in your RoPA.

  • Cookie consent — do we need it?

    Yes if you operate analytics or marketing cookies for EU visitors. The ePrivacy Directive (separate from GDPR but related) requires consent for non-essential cookies. Implement a compliant Consent Management Platform (CMP) — there are many vendors; this is a productized solve, not custom work.

  • What about UK GDPR after Brexit?

    UK GDPR is effectively identical to EU GDPR for most purposes. The UK-EU adequacy decision means data can flow freely between UK and EU; it expires June 2025 unless renewed. Plan SCCs as a fallback in case adequacy lapses.

  • Can we use Stripe / Mailchimp / Slack / etc. with EU data?

    Yes if they have valid SCCs (most major US SaaS providers do) and you sign a Data Processing Agreement (DPA) with them. Maintain a list of sub-processors and notify users of changes. Verify each processor's current SCC version annually.

  • Schrems II and US transfers — what changed?

    Schrems II (CJEU, July 2020) invalidated the EU-US Privacy Shield. SCCs remain valid but now require Transfer Impact Assessment (TIA) per transfer. The EU-US Data Privacy Framework (DPF, July 2023) replaces Privacy Shield for participating US organizations — verify whether your US processors are DPF-certified.

Primary sources: GDPR full text (EUR-Lex) · EDPB guidelines · ICO (UK) Guide to GDPR · CloudCheck 360° methodology · SOC 2 readiness guide · HIPAA readiness guide

Get started

Run a free audit to see your GDPR posture.

The patterns in this guide come from real engagements. To see how your environment compares — and which gaps would land in your readiness report — start with a free scan or talk to us about a manual engagement.