GDPR-compliance for SMEs and foundations
with Judy Jordaan
GDPR Personal Data Principles
1. Fairly, lawfully and transparently processed
2. Collected for specified, explicit and legitimate purposes
3. Adequate, relevant and limited to what is necessary
4. Accurate and up-to-date
5. Identifiable only for as long as necessary
6. Secure
METHODOLOGY: GDPR GAP ANALYSIS
Personal data
Do you process personal data?
- Data is personal if it relates to an identified or identifiable individual
  - For example: name, ID/BSN numbers, physical addresses, online identifiers (like IP addresses or cookies)
- One-man-owned entities (ZZPers, the Dutch self-employed without staff) are viewed as individuals
- Do you process any sensitive (special-category) personal data?
Mapping the data flow
Examples of where personal data may come from (diagram: sources feeding into the example company ABC B.V.):
- Websites
- Newsletters
- Memberships
- HR
Processing the data
What do you do with the data?
- 'Process' means: collect, record, organise, structure, store, adapt, alter, retrieve, use, restrict, disclose, erase, destroy.
- What type of processing organisation are you?
  - A 'Controller' determines the purpose of the data and the way in which it gets processed
  - A 'Processor' only processes on the instruction of the Controller
Purpose of Processing
Why are you processing the personal data?
- Defining the purpose is the cornerstone to establishing whether you are respecting the GDPR principles:
  - Collecting more data than is needed to achieve your purpose = breach of the data minimisation principle
  - Storing data for longer than you need to achieve your purpose = breach of the storage limitation principle
Legal basis for Processing
Are you allowed to process the data? One of the following legal bases must apply:
- Consent
- Performance of a contract
- Legitimate interest of the Controller
- Legal obligation
- Protection of vital interests
- Public interest
Outsourced Data Processing
Any third-party Processors?
- If so, are written agreements (data processing agreements) in place?
- Any international transfer of data?
  - If yes, adequate protection levels need to be met by ensuring the transfer is covered by the Privacy Shield Framework or the EU Standard Contractual Clauses
  - Note: the EU-US Privacy Shield was invalidated by the CJEU in July 2020 (Schrems II); Standard Contractual Clauses remain valid, and for transfers to the US the EU-US Data Privacy Framework (2023) is the successor mechanism
Security of data
What safety measures are in place?
- Have technical and organisational security measures been taken?
- Is a Data Breach Response Plan in place?
- Are third-party processors capable of implementing these measures?
Document findings
Are remedial measures required?
- REGISTRY of Data Processing Activities
  - Cornerstone of your Data Protection Strategy
  - Action items demonstrate that you are continually working towards compliance
  - Reviewed regularly; it is a constant work in progress
Outcome: COMPLIANT