
GDPR Compliance - The Complete Guide for Organisations Processing EU Personal Data

Everything organisations need to know about GDPR compliance — the six principles, lawful bases, data subject rights, controller and processor obligations, DPIA requirements, breach notification, and building a sustainable compliance program.

GDPR Compliance: Building a Privacy Program That Satisfies Europe's Most Demanding Regulation

The General Data Protection Regulation (GDPR) has fundamentally changed how organisations must approach personal data — not just for European businesses, but for any organisation anywhere in the world that processes the personal data of individuals in the European Union or European Economic Area. Since its enforcement began in May 2018, supervisory authorities have issued billions of euros in fines. But beyond the penalties, GDPR represents a genuine shift in the relationship between organisations and the individuals whose data they process. This guide provides everything organisations need to build a robust, sustainable GDPR compliance programme.


The Six Data Protection Principles

GDPR Article 5 establishes six principles that govern all personal data processing, plus an overarching accountability principle:

Lawfulness, fairness, and transparency: Processing must have a valid legal basis, must be fair to data subjects, and must be transparent — individuals must be informed about how their data is used.

Purpose limitation: Data must be collected for specified, explicit, and legitimate purposes and not processed in ways incompatible with those purposes.

Data minimisation: Only data that is adequate, relevant, and limited to what is necessary for the specified purposes may be collected.

Accuracy: Personal data must be accurate and kept up to date. Inaccurate data must be erased or corrected without delay.

Storage limitation: Data must be kept in a form allowing identification of data subjects for no longer than necessary for the purposes. Retention schedules must be defined and enforced.

Integrity and confidentiality: Data must be processed with appropriate security — protecting against unauthorised access, accidental loss, destruction, or damage.

Accountability: The controller is responsible for and must be able to demonstrate compliance with all of the above. This seventh principle underpins the entire regulation — documentation, records, assessments, and governance are not optional extras but the mechanism by which accountability is demonstrated.

The Six Lawful Bases for Processing

GDPR Article 6 defines six lawful bases for processing personal data. Before processing any personal data, a controller must identify and document the lawful basis:

Consent (Art. 6(1)(a)): The data subject has given clear, specific, informed, and unambiguous consent. Consent must be freely given, and data subjects must be able to withdraw it as easily as they gave it. Pre-ticked boxes and bundled consent are not valid.

Contract (Art. 6(1)(b)): Processing is necessary for the performance of a contract to which the data subject is a party, or to take steps at the request of the data subject prior to entering a contract.

Legal obligation (Art. 6(1)(c)): Processing is necessary to comply with a legal obligation of the controller.

Vital interests (Art. 6(1)(d)): Processing is necessary to protect the vital interests of the data subject or another natural person — a narrow basis applying primarily to life-threatening situations.

Public task (Art. 6(1)(e)): Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority.

Legitimate interests (Art. 6(1)(f)): Processing is necessary for the legitimate interests of the controller or a third party, unless those interests are overridden by the fundamental rights and interests of the data subject. This basis requires a Legitimate Interests Assessment (LIA).

Data Subject Rights: The Operational Challenge

GDPR grants eight rights to data subjects that organisations must operationally support:

Right to information (Arts. 13–14): Data subjects must be informed about processing at the time of collection or first contact — through privacy notices that meet GDPR's transparency requirements.

Right of access (Art. 15): Data subjects can request confirmation of whether their data is processed and access to that data, along with supplementary information about the processing. The controller must respond within one month.

Right to rectification (Art. 16): Data subjects can require correction of inaccurate data or completion of incomplete data.

Right to erasure (Art. 17): The 'right to be forgotten' — data subjects can request deletion in defined circumstances (data no longer necessary, consent withdrawn, unlawful processing).

Right to restriction (Art. 18): Data subjects can request that processing be restricted — data is stored but not otherwise processed — during defined periods.

Right to data portability (Art. 20): Data subjects can request their data in a structured, commonly used, machine-readable format and have it transferred to another controller.

Right to object (Art. 21): Data subjects can object to processing based on legitimate interests or for direct marketing purposes.

Rights related to automated decision-making (Art. 22): Data subjects have the right not to be subject to solely automated decisions, including profiling, that produce significant effects on them.

Building operational workflows for each of these rights — with documented procedures, response tracking, and completion within the one-month deadline — is one of the most operationally demanding aspects of GDPR compliance.

Data Protection Impact Assessments (DPIAs)

Article 35 requires DPIAs for processing activities that are likely to result in high risk to data subjects. Mandatory triggers include:

  • Systematic and extensive evaluation of personal aspects, including profiling, with significant effects
  • Processing of special category data or criminal conviction data at large scale
  • Systematic monitoring of a publicly accessible area at large scale
  • Large-scale processing of biometric data
  • Innovative technology use where the risk level is uncertain

A DPIA systematically describes the processing, assesses necessity and proportionality, identifies and assesses risks to data subjects, and identifies the measures to address those risks. Where a DPIA identifies a residual high risk that cannot be mitigated, the controller must consult the supervisory authority before processing.

Building a DPIA process into product development and new processing decisions — rather than conducting DPIAs retrospectively — is a GDPR accountability requirement that many organisations satisfy inadequately.

Breach Notification: The 72-Hour Clock

Article 33 requires controllers to notify their supervisory authority of a personal data breach within 72 hours of becoming aware of it — where the breach is likely to result in risk to the rights and freedoms of individuals. Where notification is delayed beyond 72 hours, the notification must include reasons for the delay.

Article 34 requires controllers to notify data subjects without undue delay when a breach is likely to result in high risk to their rights and freedoms.

The 72-hour timeline is operationally demanding. Organisations must:

  • Have detection capabilities sufficient to identify a breach promptly
  • Have an incident response plan that includes a data breach response workflow
  • Know how to assess whether a breach meets the notification threshold
  • Know who is responsible for making the notification decision and preparing the notification
  • Have a relationship with their supervisory authority (or know which authority has jurisdiction)

Building and testing a data breach response procedure is one of the highest-priority GDPR compliance actions for any organisation processing significant volumes of personal data.

Why Organisations Choose Savadub

Deep GRC Expertise

Our team holds practitioner-level expertise across every major compliance framework — not just theoretical knowledge, but hands-on implementation experience across multiple industries and organisation sizes.

Engineers, Not Just Consultants

We implement controls, not just recommend them. Our GRC engineers configure the systems, write the integrations, and build the monitoring pipelines that make compliance operational.

Global and African Regulatory Coverage

We understand both the global frameworks and the African regulatory environment — NDPR, NDPA, CBN directives, NITDA guidelines, and regional data protection laws — making us uniquely positioned for organisations operating across Africa and internationally.

Internal and External Audit Capability

We provide both embedded internal audit functions and independent third-party audit support, including CPA-accredited audit coordination for SOC examinations.

End-to-End Engagement

From initial gap assessment through certification, continuous monitoring, and ongoing compliance management — we are your long-term GRC partner, not a one-time consultant.

Industries We Serve

Financial Services · Healthcare · Technology & SaaS · Manufacturing · Logistics & Trade · Government & Public Sector · Energy & Critical Infrastructure · Education & EdTech · Media & Broadcasting · Retail & E-Commerce · Professional Services · Food & Beverage

Deliverables You Receive

Working with Savadub, every engagement delivers a concrete set of outputs:

  • Gap Assessment Report — prioritised findings with effort estimates and risk ratings
  • Compliance Roadmap — milestone-based plan from current state to certification or attestation
  • Risk Register — organisational risk register with treatment plans
  • Policy Pack — all required policies authored, reviewed, and approved
  • Technical Control Implementation Evidence — configurations, screenshots, and audit trails
  • Internal Audit Report — independent assessment of control effectiveness
  • Audit Evidence Repository — organised, auditor-ready evidence collection
  • Executive Summary Presentation — board and leadership-ready compliance status
  • Remediation Tracker — structured tracking of open findings and closure evidence
  • Continuous Monitoring Setup — ongoing CCM pipeline for post-certification compliance

Get Started with Savadub

Savadub's GRC practice combines deep compliance expertise with technical engineering capability. We don't just advise — we build, implement, and operate your compliance program from the ground up.

Book a free GRC consultation with our team. We will review your current posture, identify your most critical gaps, and give you a clear, costed roadmap to compliance.

Contact us:

  • Email: grc@savadub.com
  • Phone: +234 816 734 2201
  • WhatsApp: +234 903 234 8435
  • Website: www.savadub.com
