Module 04 · GDPR Fundamentals
GDPR for the CISO
The General Data Protection Regulation reshaped how organizations worldwide handle personal data. This presentation covers what every CISO must know — from scope and principles to enforcement realities.
Scope & Applicability
Who does GDPR apply to?
GDPR has extraterritorial reach. It applies to any organization that processes personal data of individuals in the EEA, regardless of where the organization is based.
Material
Processing of personal data wholly or partly by automated means, or non-automated processing of data that forms part of a filing system.
Territorial
Establishment in the EEA — or offering goods/services to, or monitoring behavior of, individuals in the EEA. Mere accessibility of a website from the EEA is not enough on its own, but indicators such as a .eu domain, EUR pricing or EEA-language marketing show an intent to target EEA individuals and can trigger applicability.
Personal Data
Any information relating to an identified or identifiable natural person: names, emails, IP addresses, cookie IDs, location data, biometric data, health records.
Core Principles
The seven pillars of lawful processing
Lawfulness
Lawfulness, fairness and transparency. You need a legal basis (Art. 6). Six options: consent, contract, legal obligation, vital interests, public task, legitimate interests. Consent must be freely given, specific, informed, and unambiguous, and it must be as easy to withdraw as it was to give.
Purpose
Purpose limitation. Collect data for specified, explicit, and legitimate purposes. No further processing that is incompatible with those purposes unless you obtain a new legal basis (typically fresh consent) or a compatibility assessment under Art. 6(4) supports it.
Minimization
Data minimization. Collect only what is adequate, relevant, and limited to what is necessary. If you don't need it, don't collect it.
Accuracy
Keep data accurate and up to date. Implement processes to rectify or erase inaccurate data without delay.
Storage
Storage limitation. Retain personal data only as long as necessary. Define and enforce retention schedules.
Security
Integrity and confidentiality. Implement appropriate technical and organizational measures — encryption, access controls, pseudonymization.
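Pseudonymization is the one measure in that list that teams most often get wrong: replacing an e-mail address with an unkeyed hash is not pseudonymization in any meaningful sense, because anyone holding the dataset can re-identify subjects by hashing a list of guesses. The script below is an added example for this module, not code from the original slides. It contrasts a naive SHA-256 pseudonym with an HMAC-SHA256 pseudonym whose key is held outside the dataset, and it runs the same dictionary attack against both. The sample records, attacker word list and key handling are constructed for illustration; in production the key would live in a KMS or HSM under its own access controls and retention rules.

```python
"""Pseudonymization of direct identifiers: why a plain hash is not enough.

Added example for this module (not part of the original slides). Assumes a
secret key held outside the pseudonymized dataset (e.g. in a KMS); the key,
record format and sample e-mails below are constructed for illustration.
"""
import hashlib
import hmac
import secrets

# Constructed sample records; any resemblance to real people is coincidental.
RECORDS = [
    {"email": "alice@example.com", "purchases": 3},
    {"email": "bob@example.org", "purchases": 1},
]

# A guess list an attacker could assemble from a leaked marketing list or by
# enumerating likely addresses. Constructed for the demo.
ATTACKER_DICTIONARY = ["alice@example.com", "bob@example.org", "carol@example.net"]


def naive_pseudonym(identifier: str) -> str:
    """Unkeyed SHA-256: deterministic and public, so it only hides the value
    from someone who cannot guess it. Normalizes case so the same person
    always maps to the same token."""
    return hashlib.sha256(identifier.strip().lower().encode()).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 with a secret key: same linkability within the dataset,
    but re-identification requires the key, which never leaves the controller."""
    return hmac.new(key, identifier.strip().lower().encode(), hashlib.sha256).hexdigest()


def dictionary_attack(pseudonyms, candidates, pseudonymize) -> dict:
    """Attacker's view: pseudonymize each guess with whatever function they
    can reproduce and match it against the tokens in the dataset.
    Returns {token: recovered identifier}."""
    table = {pseudonymize(c): c for c in candidates}
    return {p: table[p] for p in pseudonyms if p in table}


def pseudonymize_dataset(records, key: bytes):
    """Replace the direct identifier with a keyed pseudonym. The
    re-identification mapping is returned separately so it can be stored
    under tighter access control than the analytics copy."""
    mapping = {}
    out = []
    for r in records:
        token = keyed_pseudonym(r["email"], key)
        mapping[token] = r["email"]
        out.append({"subject_id": token, "purchases": r["purchases"]})
    return out, mapping


if __name__ == "__main__":
    naive = [naive_pseudonym(r["email"]) for r in RECORDS]
    # Attacker recovers every address in the guess list: the hash is not a secret.
    print("naive recovered:", dictionary_attack(naive, ATTACKER_DICTIONARY, naive_pseudonym))

    # In practice: fetched from a KMS/HSM, rotated per retention policy (assumption).
    key = secrets.token_bytes(32)
    data, mapping = pseudonymize_dataset(RECORDS, key)
    keyed = [r["subject_id"] for r in data]
    # Attacker holds the dataset but not the key; guessing with the unkeyed
    # hash (or any wrong key) yields nothing.
    print("keyed recovered:", dictionary_attack(keyed, ATTACKER_DICTIONARY, naive_pseudonym))
    print("controller can still re-identify:", mapping[keyed[0]])
```

The keyed version preserves what analysts need (the same person yields the same token, so joins and counts still work) while moving the re-identification risk onto a single key you can rotate, audit and withhold from processors. Whether the result counts as pseudonymized or merely hashed data, in the Art. 4(5) sense, turns on exactly that separation of the key from the dataset.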
Accountability
Demonstrate compliance. Not enough to be compliant — you must be able to prove it. Maintain records of processing activities (ROPA).
Data Subject Rights
What individuals can demand
GDPR grants individuals powerful rights. Organizations must respond without undue delay and in any event within one month of receipt (Art. 12), extendable by two further months for complex or numerous requests, provided the individual is told of the extension and the reasons within the first month.
Access
Right of Access (Art. 15)
Individuals can request a copy of all personal data you hold on them, along with processing purposes and recipients.
Erasure
Right to be Forgotten (Art. 17)
Delete personal data when consent is withdrawn, data is no longer necessary, or processing is unlawful. Not absolute — legal obligations may override.
Portability
Data Portability (Art. 20)
Provide data in a structured, commonly used, machine-readable format. Applies only to data the subject provided, where processing is based on consent or contract and carried out by automated means.
Object
Right to Object (Art. 21)
Individuals can object to processing based on legitimate interests or direct marketing. For direct marketing, objection is absolute.
Also: right to rectification, right to restriction of processing, and rights related to automated decision-making and profiling.
DPIA Requirements
Data Protection Impact Assessments
A DPIA is mandatory when processing is likely to result in a high risk to individuals' rights and freedoms.
When
Triggers include: systematic profiling with significant effects, large-scale processing of special category data, systematic monitoring of public areas, new technologies, automated decision-making.
Contents
A DPIA must include: systematic description of processing, necessity and proportionality assessment, risk assessment to data subjects, measures to address risks.
Consult
Prior consultation with the DPA is required if the DPIA shows high residual risk that cannot be mitigated. This is rare but critical.
CISO Action
Build DPIAs into your project lifecycle. Every new system, vendor, or data flow involving personal data should trigger a DPIA screening. Automate where possible.
Breach Notification
The 72-hour rule
Article 33 requires notification to the supervisory authority within 72 hours of becoming aware of a personal data breach — unless the breach is unlikely to result in risk to individuals.
To DPA
Within 72 hours: Nature of the breach, categories and approximate number of data subjects and records affected, DPO contact details, likely consequences, measures taken or proposed. If you can't provide all information at once, provide it in phases; if you miss the 72 hours, the notification must state the reasons for the delay.
To Subjects
Without undue delay (Art. 34): Required when breach is likely to result in high risk to rights and freedoms. Must describe the breach in clear, plain language.
Document
Document everything: Even breaches you decide not to notify. Maintain a breach register with facts, effects, and remedial actions. DPAs will audit this.
Critical
The 72-hour clock starts when you become aware — not when the breach occurred. Having a clear incident detection and escalation process directly impacts compliance.
Roles & Transfers
Controller vs Processor & cross-border data
Controller
Determines purposes and means
Bears primary accountability. Must ensure legal basis, honor data subject rights, conduct DPIAs, maintain ROPA, report breaches to DPA.
Processor
Processes on behalf of controller
Must only act on documented instructions. Requires a Data Processing Agreement (Art. 28) covering security measures, sub-processors, audit rights, and deletion obligations. Must notify the controller of any personal data breach without undue delay (Art. 33(2)), so the DPA's breach-notification clauses determine how much of your own 72 hours a vendor can consume.
Cross-border transfers outside the EEA require a legal mechanism: adequacy decision, Standard Contractual Clauses (SCCs) with Transfer Impact Assessment, Binding Corporate Rules (BCRs), or Article 49 derogations as a last resort.
Post-Schrems II, the EU-US Data Privacy Framework (2023) provides a mechanism for US transfers — but its long-term stability remains uncertain.
Enforcement & Fines
Real consequences, real numbers
GDPR fines come in two tiers: up to 2% of global annual turnover or EUR 10 million for failures such as inadequate security, missing records or late breach notification, and up to 4% of global annual turnover or EUR 20 million for breaches of the core principles, data subject rights or transfer rules, in each case whichever is higher. Enforcement is accelerating.
| Organization | Fine | Reason |
|---|---|---|
| Meta (Ireland) | EUR 1.2 billion (2023) | Unlawful EU-US data transfers without adequate safeguards |
| Amazon (Luxembourg) | EUR 746 million (2021) | Non-compliant advertising targeting and consent practices |
| Meta / WhatsApp (Ireland) | EUR 225 million (2021) | Transparency failures in privacy notices |
| H&M (Germany) | EUR 35 million (2020) | Excessive employee surveillance and data collection |
| British Airways (UK) | GBP 20 million (2020) | Inadequate security measures leading to data breach |
Key Takeaway
GDPR enforcement is not theoretical. Supervisory authorities are well-funded, cross-border cooperation is improving, and fines are increasing year over year. The CISO's role is to ensure demonstrable compliance — documentation, technical controls, and a culture of privacy by design.