GDPR Readiness,

Applies the moment you process personal data of anyone in the EU or UK — regardless of where your company is based or where your servers live.

Readiness guide

01

Background

What GDPR actually is

The General Data Protection Regulation — Regulation (EU) 2016/679 — is European Union law that took effect in May 2018. The UK operates a legally distinct but substantially identical version, the UK GDPR, plus the Data Protection Act 2018. Both regulations apply extraterritorially: a company anywhere in the world that processes the personal data of EU or UK residents is in scope.

Key articles a readiness engagement anchors to:

Art. 5 Principles of processing
Art. 6 Lawful basis
Art. 25 Privacy by design
Art. 30 Records of processing (ROPA)
Art. 32 Security of processing
Arts. 33–34 Breach notification
Art. 35 DPIA (high-risk)
Arts. 44–49 International transfers

Sources: Regulation (EU) 2016/679, European Data Protection Board.

02

Audience

Who needs to comply

The test is the data, not the company's location. If any of the following apply, GDPR applies:

  • The company has an establishment in the EU or UK (office, subsidiary, ongoing activity).
  • The company offers goods or services to EU or UK residents — including free services.
  • The company monitors the behavior of EU or UK residents (analytics, behavioral advertising, profiling).

Controller

Decides why and how personal data is processed. A SaaS is a controller with respect to its own employees, leads, and customers.

Processor

Processes data on behalf of a controller. A SaaS hosting customer data is usually a processor with respect to that data.

A B2B company that sells to EU enterprises but claims the customer is the only data subject is often wrong — customer employees, users of the customer's service, and customer support contacts are all data subjects.

03

Scope

What readiness means

GDPR has no certification program issued by the regulator. The EDPB has endorsed certain certification schemes (e.g., Europrivacy), but they are optional. Readiness here means:

  • A complete, current Record of Processing Activities (Article 30).
  • A documented lawful basis for every processing activity.
  • Data subject rights procedures (access, rectification, erasure, portability, objection) executable within the one-month statutory window.
  • A Data Protection Impact Assessment for any high-risk processing.
  • Article 32 technical and organizational measures — the security controls.
  • A 72-hour breach-notification capability.
  • Lawful international transfer mechanisms (SCCs, adequacy, BCRs) for any transfer outside the EU/UK.
  • A public privacy notice meeting Article 13/14 requirements.
  • Data Processing Agreements with every processor (vendor) under Article 28.

Data Protection Officer (DPO): required under Article 37 when core activities involve large-scale systematic monitoring or processing of special-category data. Most mid-market SaaS companies appoint a DPO or DPO-equivalent even when not strictly required, because enterprise customers ask for one.

04

Mapping

How CloudCheck 360° maps to GDPR

Article 32 is the direct technical bridge. It requires "appropriate technical and organisational measures" including pseudonymization, encryption, integrity, availability, and resilience of processing systems, and regular testing of effectiveness. The CC360 categories cover every element:

Article     Requirement                           CC360°
32(1)(a)    Pseudonymization & encryption         §3 Data protection
32(1)(b)    Integrity, availability, resilience   §3 · §4 · §6
32(1)(c)    Restoration after incident            §6 Incident response
32(1)(d)    Regular testing of effectiveness      CC360 engagement · §4 · §5
33–34       Breach detection & notification       §5 Logging · §6 IR (72-hour clock)
30          Records of processing (ROPA)          §7 Compliance posture

Beyond Article 32, the non-technical obligations — ROPA, DPIAs, privacy notices, DPAs, data-subject-rights procedures — are documentation and process work that sit alongside the CC360 pass in the compliance-posture category (§7).

05

Engagement

How an engagement runs

Typically 8 to 14 weeks.

Weeks 1–2

Data mapping

Identify every system, service, and vendor that processes personal data of EU or UK residents. Document data flows, categories of data subjects, and categories of personal data. Output: ROPA v1.

Weeks 2–5

Legal basis & transfer analysis

For each processing activity in the ROPA, document the lawful basis. For transfers outside EU/UK, confirm adequacy or put SCCs in place. Post-Schrems II, transfer impact assessments are expected for US transfers under SCCs.

Weeks 4–9

Article 32 remediation

CC360 findings mapped to Article 32 requirements. Technical gaps remediated.

Weeks 6–12

Procedures & documentation

Data subject rights procedure, DPIA template, breach-notification runbook, DPO-equivalent designated, privacy notice rewritten to Article 13/14 compliance. DPAs renegotiated or freshly signed with every processor.

Weeks 12–14

Operational rehearsal

Tabletop exercise of a data-subject-access request and a breach-notification scenario.

06

Patterns

Common gaps we see

ROPA is missing or stale.

Article 30 is the record-keeping article. Small organizations under 250 employees have a partial exemption, but the exemption has several carve-outs (regular processing, risk to rights, special-category data) that usually apply to a SaaS. Most companies need a full ROPA regardless.

International transfers on expired SCCs.

The 2021 SCCs replaced the 2010 version; pre-2021 SCCs are no longer valid. Many companies still have DPAs referencing the old SCCs. Refresh to current SCCs and document a transfer impact assessment where the destination country does not have an adequacy decision.

Data subject rights have no operating procedure.

The privacy policy promises the right of erasure; nobody on the team knows how to execute it. Under the one-month statutory response window, this is a real compliance failure the moment a request arrives.

Breach notification plan is missing the 72-hour clock.

The written plan mentions notification but does not start a clock at detection. The 72-hour clock runs from awareness, not from decision; the runbook has to drive fast triage.

07

FAQ

Questions we get asked

We're US-only. Do we need to care?

If you have no EU or UK customers, no EU or UK traffic, and no EU or UK employees, probably not. If any of those three exist, yes.

Does the EU-US Data Privacy Framework cover transfers?

The EU-US Data Privacy Framework came into effect July 2023 and provides adequacy for transfers to DPF-certified US organizations. It is under legal challenge (the "Schrems III" complaints). Relying solely on DPF without a fallback SCC + TIA is risky.

What are the penalties?

Up to €20M or 4% of worldwide annual turnover, whichever is higher, for the most serious infringements. Tiers below that for other violations. Enforcement varies widely by supervisory authority.

Do we need a DPO?

Required if core activities involve regular and systematic monitoring on a large scale, or processing of special-category data on a large scale. Many SaaS companies appoint a DPO even when not strictly required because enterprise customers expect one. A DPO can be internal or an outsourced role.

What about CCPA / CPRA?

California's privacy law is similar in structure but different in detail. Readiness work done for GDPR is often 70–80% reusable for CCPA. We prepare for both when the client operates in both jurisdictions.

Can GDPR and HIPAA both apply?

Yes, and the overlaps are non-trivial. GDPR applies by data-subject nationality; HIPAA applies by the nature of the data and the entity. A digital-health platform serving EU users needs both.

Primary sources

Regulation (EU) 2016/679, European Data Protection Board. See also the CloudCheck 360° methodology and related frameworks SOC 2 and HIPAA.

Start with a free Cloud Health Check.

A scoped-down CloudCheck 360° of your current environment. Delivered in five business days, no commitment.