GDPR for Technology and SaaS Companies
Implementation guidance specific to technology companies and SaaS providers — vendor data processing agreements, multi-tenant data architecture, product privacy by design, consent management at scale, and the security questionnaire and due diligence requirements from European enterprise clients.
GDPR for Financial Services
How GDPR interacts with financial services regulations — MiFID II, PSD2, EBA guidelines, and AML/KYC obligations — the tension between data minimisation and regulatory retention requirements, and the privacy governance structures that satisfy both financial regulators and data protection authorities.
GDPR for Healthcare and Clinical Research
The heightened requirements for processing health data as special category data — explicit consent and Article 9(2) conditions for healthcare, the specific exemptions for scientific research and public health, clinical trial data governance, and the intersection of GDPR with the EU Clinical Trials Regulation.
GDPR and AI — The Emerging Landscape
How GDPR applies to AI systems that process personal data — the Article 22 right not to be subject to solely automated decisions, transparency requirements for AI-driven profiling, the intersection with the EU AI Act, and the DPIAs required for high-risk AI deployments.
GDPR Outside the EU — Third Country Compliance
How organisations in non-EU countries become subject to GDPR through Article 3’s extraterritorial provisions, the Article 27 EU representative requirement, and the practical steps for building GDPR compliance from outside the EU.
GDPR and Indonesian Organisations
How GDPR’s extraterritorial reach affects Indonesian companies serving EU markets, how GDPR and UU PDP (Indonesia’s Personal Data Protection Law) compare across rights, principles, and enforcement, and how building a GDPR-compliant programme simultaneously advances UU PDP compliance.
Building a Compliance-Ready Privacy Programme
A synthesis article bringing together the implementation guidance from Sections 1–5 into a unified privacy programme architecture — the governance structures, the evidence portfolio, the operational procedures, and the technology stack that together constitute a defensible, audit-ready privacy compliance programme.