The 7 principles of GDPR — what they mean in practice
For SMBs, the principles that create the most day-to-day compliance exposure are purpose limitation (not using data for purposes beyond what was disclosed), data minimization (only collecting what you genuinely need), and storage limitation (not retaining data longer than necessary). Together, these three principles account for a large proportion of the enforcement actions brought against smaller organizations.
Cyber-Management's GDPR compliance program maps your existing data processing activities against all seven principles, identifies where your current practices create exposure, and builds the policies and controls needed to bring you into conformity.
Processing must have a lawful basis, be fair to data subjects, and be transparent about how data is used.
Data collected for one purpose cannot be used for a different, incompatible purpose without a new lawful basis.
Only collect personal data that is adequate, relevant, and limited to what is necessary for the stated purpose.
Personal data must be accurate and kept up to date. Inaccurate data must be erased or corrected without delay.
Personal data must not be kept longer than necessary for the purpose for which it was collected. Retention schedules are mandatory.
Data must be protected against unauthorized access, loss, or destruction using appropriate technical and organizational security measures.
Organizations must be able to demonstrate compliance — not just claim it. Documentation, policies, and records are the evidence of accountability.
The 6 lawful bases for processing personal data
Every processing activity in your organization must have one of six lawful bases.
Using the wrong one — or failing to identify one at all — is a fundamental GDPR violation.
The lawful basis you rely on also determines the rights your data subjects can exercise. Choosing the correct basis for each processing activity is therefore not just a legal formality — it shapes your entire data subject rights framework and your ability to defend enforcement actions. Cyber-Management's data mapping process identifies the appropriate lawful basis for every processing activity in your organization.
Consent
The data subject has freely given, specific, informed, and unambiguous consent. Must be withdrawable at any time. Cannot be bundled with other terms. Most commonly over-relied upon by SMBs when another basis would be more appropriate.
Contract
Processing is necessary to perform a contract with the data subject, or to take pre-contractual steps at their request. The most appropriate basis for processing customer and employee data related to service delivery.
Legal obligation
Processing is required to comply with a legal obligation under EU or member state law — for example, retaining employee payroll records, or reporting to a regulator.
Vital interests
Processing is necessary to protect someone's life. Narrow in application — primarily relevant in healthcare and emergency contexts.
Public task
Processing is necessary for a task carried out in the public interest or in the exercise of official authority. Most relevant for public authorities and regulated bodies.
Legitimate interests
Processing is necessary for the legitimate interests of the controller or a third party, provided these are not overridden by the data subject's interests or rights. Requires a documented Legitimate Interests Assessment (LIA). The most flexible basis — and the most frequently challenged by supervisory authorities.
Data subject rights — your obligations when individuals exercise them
GDPR gives EU residents eight enforceable rights over their personal data. Your organization must be operationally ready to respond to every one of them — typically within one calendar month.
The right to access (Subject Access Request) and the right to erasure (right to be forgotten) generate the most requests and the most enforcement activity for SMBs. Failing to respond within the one-month deadline — or failing to respond adequately — is a direct GDPR violation that supervisory authorities act on.
Cyber-Management builds the internal processes, response templates, and logging systems your team needs to handle data subject requests consistently and within deadline — regardless of volume.
72h
Breach notification deadline
Any personal data breach that poses a risk to individuals must be reported to your supervisory authority within 72 hours of becoming aware of it. Breaches affecting high-risk individuals must also be communicated directly to those individuals without undue delay. This timeline is non-negotiable — and most organizations that miss it do so because they lack a documented incident response procedure.
The 8 data subject rights under GDPR
GDPR compliance roadmap for SMBs
GDPR compliance is not a one-time project — but it does have a clear starting structure.
Here is how Cyber-Management approaches it for a business that has not yet completed a formal GDPR program.
01
GDPR readiness assessment
A structured evaluation of your current data protection practices against GDPR requirements — identifying gaps, high-risk processing activities, and your most urgent remediation priorities.
02
Data mapping & Records of Processing
Building your Article 30 Records of Processing Activities (ROPA) — a complete inventory of every processing activity, its lawful basis, data categories, retention periods, and third-party recipients.
03
Policy & documentation build
Drafting or updating your Privacy Notice, Consent mechanisms, Data Subject Rights procedures, Breach Notification process, Data Retention Schedule, and Data Processor Agreements with third parties.
04
DPIA for high-risk processing
Conducting Data Protection Impact Assessments for any processing likely to result in high risk to individuals — mandatory under Article 35 for activities such as large-scale profiling, bio-metric data processing, or systematic monitoring.
05
Training & awareness
Delivering documented staff training on GDPR principles, data handling obligations, incident reporting, and data subject rights — satisfying the accountability requirements of Article 5(2).
06
Ongoing compliance & DPO support
How GDPR fits with ISO 27001, NIS2, and ISO 27701
GDPR does not operate in isolation. For most SMBs subject to multiple EU regulations, a joined-up approach that satisfies GDPR alongside ISO 27001 and NIS2 is significantly more efficient than three separate programs.
| Framework | Relationship with GDPR | How they work together |
|---|---|---|
| ISO 27001 | ISO 27001 directly addresses GDPR Article 32's requirement for "appropriate technical and organizational security measures" to protect personal data. | ISO 27001 certification provides demonstrable evidence of your security controls to supervisory authorities. A certified ISMS makes the security dimension of GDPR compliance significantly easier to evidence and defend. |
| NIS2 | NIS2 and GDPR both require incident notification — NIS2 within 24 hours to the national authority, GDPR within 72 hours to the supervisory authority. Both require security risk management and documented controls. | Organizations subject to both can build a single incident response procedure that satisfies both notification timelines simultaneously, and a single risk management framework that addresses both sets of requirements. |
| ISO 27701 | ISO 27701 is specifically designed as a privacy extension to ISO 27001 — it maps directly to GDPR requirements and provides a certifiable privacy management framework. | Organizations seeking to demonstrate comprehensive GDPR compliance through certification should consider ISO 27701 as the natural next step after ISO 27001. It adds the privacy governance layer that ISO 27001 alone does not cover. |
| DPO as a Service | GDPR requires certain organizations to appoint a Data Protection Officer — public bodies, organizations processing special categories at scale, and those conducting large-scale systematic monitoring | Cyber-Management's DPO as a Service provides a certified DPO on a fractional basis — satisfying the mandatory DPO requirement at a cost accessible to SMBs, with full accountability and independence as required by Article 38. |
Why Choose Cyber-Management ?
Expertise in Cybersecurity and Compliance
Our team consists of seasoned professionals with extensive knowledge of GDPR and cybersecurity best practices.
Tailored Solutions
We understand that every business is unique. Our services are customized to meet your specific needs and challenges.
Focused on Small to Mid-Sized Businesses
We specialize in helping companies like yours navigate the complexities of GDPR without overwhelming your resources.
Not sure where your GDPR gaps are? Start with a free assessment call.
In 25 minutes we will identify your highest-risk processing activities, confirm whether you need a DPO, and outline the practical steps to reach a defensible compliance position — with no obligation to proceed.
