Overview
This article establishes that the controller is responsible for ensuring GDPR compliance by implementing appropriate technical and organizational measures. These measures must be regularly reviewed and updated according to the nature, scope, context, and risks of processing activities. Approved codes of conduct or certification mechanisms may also be used to demonstrate compliance.
Key Principles
Accountability: Controllers must take responsibility for compliance with GDPR obligations.
Technical and Organizational Measures: Implement appropriate safeguards to protect personal data.
Regular Review: Measures should be updated based on evolving processing activities and associated risks.
Demonstrable Compliance: Use codes of conduct or certifications as evidence of compliance efforts.
Organizational Applicability
This article applies to all organizations acting as controllers within the EU:
Entities that determine the purposes and means of processing personal data.
Public and private sector organizations managing personal data of EU/EEA residents.
Teams responsible for governance, IT systems, compliance, and risk management.
Implementation Requirements
Implement technical and organizational controls appropriate to processing activities.
Regularly review and update measures based on risk assessments and changes in processing.
Document compliance efforts and use certifications or approved codes of conduct where applicable.
Ensure all staff are aware of responsibilities and trained in GDPR compliance requirements.
Implementation Guidance
Conduct risk assessments to determine the required measures for data protection.
Use encryption, access controls, logging, and data minimization practices.
Maintain internal documentation demonstrating compliance with GDPR obligations.
Monitor changes in laws, technologies, and processing activities to update measures accordingly.
Periodic Review
Frequency: Annually or when significant changes occur in processing activities or risk environment.
Responsible Role: Data Protection Officer (DPO) or Compliance Team.
Outcome: Confirm that all technical and organizational measures remain effective and adequate for GDPR compliance.
Non-Compliance Risks
Fines: Up to €20 million or 4% of global annual turnover.
Legal Exposure: Enforcement actions, complaints, or liability for breaches.
Reputational Damage: Loss of trust from customers, regulators, and partners.
Operational Risk: Inadequate controls can lead to data breaches and further compliance failures.