GDPR : A New Paradigm

The GDPR (General Data Protection Regulation) is considered as a new paradigm compared to previous European legislation on personal data because : 

(can be internal or external to the company)

The appointment of a DPO (Data Protection Officer) is mandatory for public sector companies.
It is mandatory for private sector companies processing specific (sensitive) data on a large scale or profiling on a large scale


GDPR is applicable to companies outside the European Union (i.e. whose headquarters or servers are located outside the European Union) as long as these companies target European citizens (particularly on the web)

Right to be forgotten/ to erasure

The concept of the right to be forgotten/to erasure allows the data subjects concerned to modify their digital traces in order to become actors of their digital life


This principle ensures the portability of personal data between different service providers (for example, on social networks, for service providers specialising in the provision and management of emails, or utilities)

Data protection from data protection by design and by default

Data protection by design and by default introduces data protection concepts when designing a product or service, without the need for further action on the part of the data subject (DP by default)


The accountability principle requires the controller to show and prove that everything has been implemented in accordance with the instructions mentioned in the company’s data privacy policy


The PIA (Privacy Impact Assessment) must be carried out in a number of cases, in particular if the processing of personal data involves a high risk for the data subjects

Technical and organisational security measures

It must be ensured that adequate (appropriate) technical and organisational security measures have been put in place to protect and secure personal data

Minimisation principle

It is necessary to only collect the minimum amount of required personal data

Data breaches

Data breaches must be notified to the regulatory authority (CNIL for France) by the controller within a maximum of 72 hours. In the event of a very high risk for the data subjects, the controller may be obliged to inform each data subject individually


The level of fines for non-compliance with the GDPR can reach up to 4% of the worldwide turnover or €20 million euros of the company concerned

As part of GDPR, the consulting company Data Privacy Professionals offers you a range of services which allows you to

support your company with the process of becoming GDPR compliant

 accelerate compliance with our available packages

train your employees and your DPO,

→ use the services of an external or outsourced DPO services (Data Protection Officer).