16 Essential GDPR Questions to Ask

Updated November 23rd, 2023

Share this article

The General Data Protection Regulation (GDPR) is a regulation enacted by the European Union in 2018 to protect the privacy and personal data of EU citizens.

The GDPR remains at the forefront of corporate compliance agendas.

However, understanding GDPR is not just a task for legal and IT departments; it’s a fundamental part of corporate responsibility that needs to be understood at various organizational levels.

Modern data problems require modern solutions - Try Atlan, the data catalog of choice for forward-looking data teams! 👉 Book your demo today

In this article, we will explore:

What is GDPR?
16 questions related to GDPR that you must ask your legal team

Ready? Let’s dive in!

GDPR: A quick sneak peek!
GDPR questions to ask your legal teams
Summarizing it all together
Related reads

The General Data Protection Regulation (GDPR) is a regulation enacted by the European Union in 2018 to protect the privacy and personal data of EU citizens. It also addresses the export of personal data outside the EU.

GDPR aims to give control back to citizens over their personal data while standardizing the regulatory environment for international business. It applies to any organization operating within the EU, as well as any organizations outside of the EU that offer goods or services to customers or businesses in the EU.

Non-compliance can lead to hefty fines, thereby emphasizing its role in legal adherence. Beyond legal ramifications, GDPR plays a vital role in fortifying data integrity and cybersecurity measures, thereby safeguarding a company’s reputation.

Compliance with GDPR also enhances customer trust, a pivotal factor in both B2C and B2B relationships, giving compliant companies a competitive advantage in the marketplace. Additionally, it serves as a catalyst for improved data management and governance by compelling businesses to thoroughly understand the data they hold, its storage, and access protocols.

Now, let’s explore the essential questions of GDPR in detail.

As a data expert, here are 16 questions you should ask your legal and compliance teams, so you know what the right approach is here:

What documentation do we need to prove that we’re GDPR compliant?
What responsibilities do companies have under the GDPR?
What are the penalties for non-compliance with GDPR?
What is a GDPR data processing operation?
How would you conduct a data protection impact assessment (DPIA)?
Have you witnessed data breaches before, and how have you resolved them?
What are the data requirements for GDPR?
Can you outline the fundamental principles of GDPR and how they relate to data protection?
What steps would you take to ensure that personal data is processed in a manner that ensures appropriate security?
Imagine we’re affected by a data breach. Can you explain the process step-by-step to handle it?
What strategies should we employ for data anonymization and pseudonymization?
How would you advise our organization on balancing legitimate business interests against data protection concerns?
What role does data classification play in data governance, and how do you approach it?
How would you go about educating and training staff on data protection best practices and responsibilities?
How would you manage cross-border data transfers in compliance with GDPR?
How would you handle data subject access requests (DSARs) to balance the rights of the individual against the resources required to fulfill these requests?

Let’s look at each of the questions in detail:

As a legal team, we would emphasize the necessity for comprehensive documentation that demonstrates compliance across the organization. Some of the key documents required include:

Data protection policy
Privacy notices for different stakeholders (e.g., customers, employees)
Data processing agreements with third-party vendors
Records of processing activities (RoPAs)
Data protection impact assessments (DPIAs)
Incident response plans and records of data breaches
Employee training records
Consent records for data collection

Your legal teams are also likely to mention the need for regular audits and assessments to ensure ongoing compliance, as well as documentation of these audits.

A lawyer familiar with GDPR and personal data protection guidelines would explain that under GDPR, companies are obligated to:

Obtain explicit consent for data collection and processing
Secure personal data through encryption and other cybersecurity measures
Conduct regular audits and risk assessments, like DPIAs
Maintain records of all data processing activities
Comply with data subject access requests (DSARs)
Report data breaches within 72 hours to the regulatory authority and notify affected data subjects without undue delay
Appoint a data protection officer (DPO) if they engage in large-scale processing of sensitive data or systematic monitoring of data subjects
Ensure third-party vendors are compliant
Facilitate data portability and the right to be forgotten
Train staff and create awareness about data protection

The penalties associated with GDPR non-compliance, which can be severe. The fines can go up to €20 million or 4% of the company’s annual global turnover, whichever is higher. They might also advise you that regulatory bodies can impose additional penalties, including data processing bans, and that non-compliance could also result in reputational damage.

Any operation performed on personal data, whether automated or manual, constitutes data processing under GDPR. This could include the collection, recording, organization, storage, modification, retrieval, consultation, use, transmission, dissemination, or even erasure of data.

They would most likely stress the importance of understanding these operations, as they form the basis of GDPR compliance. Any operation that involves personal data needs to be documented, justified, and possibly subject to a data protection impact assessment (DPIA).

5. How would you conduct a data protection impact assessment (DPIA)?

As a legal team we would involve the following steps in conducting a DPIA:

Identify the need: Determine whether a DPIA is required for the specific data processing activity.
Describe the processing: Clearly outline what the processing activity involves, its objectives, and the data that will be used.
Consult stakeholders: Consult with internal and external stakeholders, including data subjects, where applicable.
Assess necessity and proportionality: Evaluate if the data processing is necessary for the intended purpose and if it is being done in the least intrusive manner.
Identify risks: Conduct a risk assessment to identify the potential risks to data subjects.
Evaluate risks: Assess the severity and likelihood of the risks identified.
Mitigate risks: Develop strategies to mitigate these risks and ensure compliance.
Document findings: Create a comprehensive report of the DPIA findings, including all steps taken to mitigate risks.
Implement changes: Update data protection measures and policies according to the findings.
Review and update: Periodically review the DPIA to ensure it remains current and relevant.

Legal teams would insist on the importance of involving key stakeholders, including themselves, IT departments, and business units, in conducting a DPIA.

6. Have you witnessed data breaches before, and how have you resolved them?

Legal teams that have handled data breaches in the past are great candidates to give real-world examples. They would have an understanding of the technical aspects, legal requirements, and communication strategies essential for managing a data breach.

Example answer:

In our previous role, we experienced a data breach where unauthorized access was gained to our customer database. Immediate actions included isolating the affected systems to prevent further breaches. We then initiated our incident response protocol, which involved forming an incident response team comprising IT, legal, and PR experts.

A forensic analysis was conducted to understand the extent and nature of the breach. We notified the affected stakeholders and the relevant authorities, as GDPR mandates, within 72 hours. Remediation measures were taken to close the security loophole and to fortify our data security measures. Staff were re-trained to prevent future occurrences, and we conducted a post-mortem to update our incident response plan.

GDPR is extensive in its data requirements.

First and foremost, it applies to personal data, which is any information relating to an identifiable individual. Organizations must obtain explicit consent from data subjects before collecting and processing their data, unless another lawful basis for processing exists.

Data minimization is also key; organizations should only collect what is absolutely necessary for the purpose.

Organizations also have obligations related to facilitating data subjects’ rights, such as the right to access, correct, or delete their own data.

As a legal team, we would emphasize the following GDPR principles, including:

Lawfulness, fairness, and transparency: This means you must have a legal ground for processing data and must be open with data subjects about how their data will be used.
Purpose limitation: Data should only be collected for specified, explicit purposes and not used in a way incompatible with those purposes.
Data minimization: Only the data that is absolutely necessary should be collected.
Accuracy: Data should be kept up-to-date, and inaccurate data should be rectified or deleted.
Storage limitation: Data should not be kept for longer than necessary for its intended purpose.
Integrity and confidentiality: Data should be processed securely, protecting against unauthorized or illegal processing, accidental loss, or destruction.

These principles should guide every decision we make in the data lifecycle, from collection to processing to storage to deletion.

9. What steps would you take to ensure that personal data is processed in a manner that ensures appropriate security?

As a legal team, we would have a multi-layered approach to security that goes beyond just technology to include policies, procedures, and training.

Example:

To ensure appropriate security, we would implement a multi-layered security strategy. This includes strong encryption techniques for data storage and transmission, robust access controls to limit who can access data, and regular security audits.

Beyond technology, we would also develop and enforce policies outlining the acceptable use of data, conduct regular staff training, and conduct data protection impact assessments (DPIAs) before launching new projects that involve personal data. Moreover, we’d establish a stringent incident response plan to handle any breaches effectively.

10. Imagine we’re affected by a data breach. Can you explain the process step-by-step to handle it?

As a legal team, we can adopt the following structured approach:

Immediate containment: First, we isolate the affected systems to stop further unauthorized activity.
Incident team formation: An incident response team involving IT, legal, and PR should be formed immediately.
Assessment and documentation: Conduct a forensic analysis to assess the extent of the breach. Document everything for both internal investigation and legal obligations.
Legal obligations: Notify the relevant data protection authorities (like the ICO in the UK) within 72 hours of discovering the breach. If required, also inform the affected data subjects.
Communication: Internal communication needs to be clear to ensure all staff are aware of the breach and the immediate steps they need to take. External communication should be managed carefully to protect the organization’s reputation.
Remediation: Close the security gaps that allowed the breach and fortify against future incidents.
Review and update: Conduct a post-mortem to identify lessons learned and update the incident response plan accordingly.
Ongoing monitoring: Continuously monitor systems for signs of vulnerabilities to prevent future breaches.

By examining these points, you can get a comprehensive understanding of the what steps you need to take in the event of a data breach.

11. What strategies should we employ for data anonymization and pseudonymization?

For data anonymization, we’d use techniques that irreversibly transform personal data in such a way that a data subject can no longer be identified.

Strategies can range from simple techniques like data masking to complex ones like cryptographic hashing. The objective is to ensure the data, once anonymized, cannot be reversed to reveal the original personal information.

For pseudonymization, we would replace private identifiers with fake identifiers, or ‘pseudonyms,’ so that the data can no longer be attributed to a specific data subject without additional information.

This is often reversible, unlike anonymization, and is useful in scenarios where the data still needs to be matched with its source at a later stage. For example, we might use tokenization techniques to protect credit card numbers in a transaction database.

Both of these strategies are pivotal in reducing the risk of data breaches and meeting GDPR’s data minimization requirements.

12. How would you advise our organization on balancing legitimate business interests against data protection concerns?

The first step is conducting a legitimate interest assessment to identify the business interests that necessitate data processing and weigh them against the potential impact on individual privacy.

We would perform a necessity test and a balancing test to ensure that data processing is both necessary and proportionate to the intended business objective. If the risks to individual rights are too high, we would consider other lawful bases for processing or implement additional safeguards to mitigate those risks.

Continuous monitoring and auditing are crucial, and a transparent approach—clearly communicating why and how data is being processed—can go a long way in maintaining customer trust while achieving business objectives.

13. What role does data classification play in data governance, and how do you approach it?

Data classification is a cornerstone of effective data governance. It helps in identifying the various types of data we handle—be it confidential, internal, or public—and sets the stage for applying appropriate security measures.

We generally advocate for a tiered classification model, where data is categorized based on its sensitivity and the level of impact its compromise would have on the organization or individuals.

Once classified, we can then apply corresponding access controls, encryption standards, and auditing mechanisms to protect the data in line with its sensitivity level. This not only helps in achieving compliance with regulations like GDPR but also optimizes data management and risk mitigation strategies.

14. How would you go about educating and training staff on data protection best practices and responsibilities?

We believe in a combination of formal training sessions, regular updates, and hands-on exercises. All our employees should undergo initial training on GDPR compliance and data protection best practices as part of their onboarding process. However, learning should be ongoing. Regular workshops, updates on any changes to data protection laws, and periodic testing exercises are crucial.

To ensure the training is effective, we recommend employing both quantitative and qualitative KPIs, such as tracking the reduction in data breaches or mishandling and assessing employee understanding through feedback and assessments.

Cross-border data transfers are often unavoidable in a global business landscape. The first step is to identify whether the receiving country has been deemed to offer an ‘adequate’ level of data protection by the EU. If not, alternative safeguards like standard contractual clauses or binding corporate rules may be utilized.

Data protection impact assessments are particularly crucial in cross-border scenarios to understand and mitigate risks. Also, it’s vital to ensure that third-party vendors involved in the data transfer are GDPR compliant.

16. How would you handle data subject access requests (DSARs) to balance the rights of the individual against the resources required to fulfill these requests?

DSARs are a critical part of GDPR and failing to respond appropriately can lead to penalties. The challenge lies in the resources needed to address these requests.

We suggest having a streamlined, automated process in place for receiving and tracking DSARs. Templates and predefined workflows can help in fulfilling these requests more efficiently.

Each of these answers aims to combine regulatory know-how with practical application, showing that you not only understand the intricacies of GDPR but can also implement strategies that are aligned with business objectives.

Summarizing it all together

In an era where data breaches make headlines and consumer trust is increasingly fragile, GDPR compliance is more than just a legal necessity; it’s a competitive advantage.

The 16 essential questions highlighted in this article are designed to equip you with the tools needed to assess your organization’s knowledge and readiness for the challenges that come with managing personal data responsibly.

Remember, GDPR is not just about avoiding penalties—it’s about fostering a culture of data privacy that safeguards your organization while building trust with your customers.

So, as you move forward with setting up personal data controls, let these questions guide you in working with legal and compliance teams who are not only knowledgeable but are also committed to upholding the principles that make GDPR a cornerstone of modern data management.

Share this article

The Forrester Wave™: Enterprise Data Catalogs for DataOps, Q2 2022

16 Essential GDPR Questions to Ask

Table of contents

GDPR: A quick sneak peek!

16 GDPR questions to ask your legal teams

1. What documentation do we need to prove that we’re GDPR compliant?

2. What responsibilities do companies have under the GDPR?

3. What are the penalties for non-compliance with GDPR?

4. What is a GDPR data processing operation?