
General Data Protection Regulation (EU) 2016/679. The primary legal framework for data privacy in the EU/EEA.
Its purpose is to protect the fundamental rights and freedoms of natural persons, particularly their right to the protection of personal data.
Empowering Individuals: Giving EU citizens control over their data.
Single Market Harmony: Standardizing data laws across Europe to foster digital business.
Strict Accountability: Mandatory documentation and heavy penalties for non-compliance.
Applies to "Personal Data", meaning any information relating to an identified or identifiable natural person. Requires the implementation of Technical and Organizational Measures (TOMs).
GDPR Compliance Lifecycle: Roles & Responsibilities
Data Subject (Individual): Receives clear, intelligible Privacy Notices. Provides explicit consent for sensitive data or marketing.
Client (Data Controller): Publishes GDPR-compliant Privacy/Cookie policies. Maintains a "Consent Ledger" to prove when and how consent was obtained.
Consulting Partner (Cyberyog): Drafts Art. 13/14 Privacy Notices. Sets up the Consent Management Platform (CMP) requirements and legal basis mapping.

Data Subject (Individual): Benefits from "Privacy by Design" (e.g., data minimization by default).
Client (Data Controller): Implements encryption (AES-256), multi-factor authentication, and pseudonymization. Signs Data Processing Agreements (DPA) with vendors.
Consulting Partner (Cyberyog): Conducts Security Gap Analysis. Audits third-party vendors (sub-processors) to ensure they meet EU standards.

Data Subject (Individual): Exercises rights: Right of Access, Rectification, Erasure ("Right to be Forgotten"), and Portability.
Client (Data Controller): Verifies the identity of the requester. Retrieves and provides data in a structured format within 30 days.
Consulting Partner (Cyberyog): Designs the DSAR workflow. Advises on exemptions (e.g., when data cannot be deleted due to financial record laws).
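The pseudonymization measure named above, and the way it interacts with an erasure request, is easier to judge in code. The following is an added illustration written for this page, not Cyberyog's tooling or a client implementation. It assumes HMAC-SHA256 as the pseudonymization function and an in-memory "vault" standing in for the separately stored key and token-to-identity mapping; the records are constructed sample data.

```python
import hashlib
import hmac
import secrets

# Assumption for this example: HMAC-SHA256 over a canonicalised identifier.
# The page only names pseudonymization as a TOM; the design here is illustrative.


def pseudonymize(identifier: str, key: bytes) -> str:
    """Keyed hash of a direct identifier.

    The same identifier under the same key always gives the same token, so
    records about one person can still be joined or counted. Without the key
    a token cannot be linked back to the person.
    """
    canonical = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


class PseudonymVault:
    """Holds the key and the token -> identifier mapping.

    This mapping is the "additional information" that GDPR Art. 4(5) requires
    to be kept separately under technical and organisational measures. In
    production it would live in its own access-controlled store, never beside
    the pseudonymized working dataset.
    """

    def __init__(self, key: bytes):
        self._key = key
        self._lookup: dict[str, str] = {}

    def tokenize(self, identifier: str) -> str:
        token = pseudonymize(identifier, self._key)
        self._lookup[token] = identifier
        return token

    def reidentify(self, token: str):
        """Only a caller with vault access (e.g. the DSAR workflow) can resolve a token."""
        return self._lookup.get(token)

    def erase(self, identifier: str) -> bool:
        """Honour an erasure request by dropping the link.

        The working dataset keeps its (now unlinkable) rows; returns False if
        no mapping existed, so the request can be logged as already satisfied.
        """
        token = pseudonymize(identifier, self._key)
        return self._lookup.pop(token, None) is not None


def pseudonymize_records(records, vault, direct_identifiers=("name", "email")):
    """Return copies of the records with direct identifiers replaced by tokens."""
    result = []
    for record in records:
        copy = dict(record)
        for field in direct_identifiers:
            if copy.get(field) is not None:
                copy[field] = vault.tokenize(copy[field])
        result.append(copy)
    return result


# Constructed sample data (not from the page). Note the inconsistent casing and
# trailing space on the two Alice rows; canonicalisation still links them.
SAMPLE_RECORDS = [
    {"name": "Alice Example", "email": "Alice@example.org", "plan": "pro", "logins": 12},
    {"name": "Bob Example", "email": "bob@example.org", "plan": "free", "logins": 3},
    {"name": "Alice Example", "email": "alice@example.org ", "plan": "pro", "logins": 5},
]

if __name__ == "__main__":
    vault = PseudonymVault(secrets.token_bytes(32))
    pseudo = pseudonymize_records(SAMPLE_RECORDS, vault)
    # Both Alice rows carry the same email token: analysts can still group by user.
    print(pseudo[0]["email"] == pseudo[2]["email"])
    # Erasure request: the vault drops the link; the rows stay but are unlinkable.
    vault.erase("alice@example.org")
    print(vault.reidentify(pseudo[0]["email"]))
```

Two design points worth noting: an unkeyed hash (plain SHA-256 of an email address) is not adequate pseudonymization, because anyone can hash a guessed address and match it, which is why the key is held in the vault rather than derived from the data; and the erase path shows one way a controller can satisfy an erasure request without rewriting every analytics table, provided the vault really is the only place the link exists.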
Data Subject (Individual): Is notified immediately if a breach is likely to result in a "high risk" to their rights (e.g., identity theft).
Client (Data Controller): Detects and logs breaches. Notifies the Lead Supervisory Authority (DPA) within 72 hours of becoming aware.
Consulting Partner (Cyberyog): Acts as the Incident Response Lead. Drafts the notification report and manages communication with Regulators.

Data Subject (Individual): Protected by mandatory Impact Assessments for high-risk processing (e.g., AI or large-scale monitoring).
Client (Data Controller): Maintains Records of Processing Activities (RoPA) under Art. 30. Appoints a DPO if required.
Consulting Partner (Cyberyog): Performs Data Protection Impact Assessments (DPIA). Provides "DPO-as-a-Service" and manages International Data Transfer risks (SCCs).
Tier 1: GDPR Essentials
Startups, Small SMEs (B2B focus); companies with < 50 staff
3 - 4 Months
- Records of Processing Activities (RoPA)
- Privacy Policy
- Basic TOMs
- 1 Staff Training Session
Tier 2: GDPR Enterprise & DPO
Mid-to-Large Orgs, HealthTech, FinTech; high data volume or sensitive data
Ongoing (Annual Retainer)
- Everything in Tier 1
- Full DPIAs
- Vendor Audits
- External DPO Appointment
- 24/7 Breach Support
