Compliance

Practical guidance on meeting data protection requirements across jurisdictions, from implementation steps to ongoing compliance management. Learn how to audit your website for compliance gaps, set up proper consent mechanisms, maintain documentation, and prepare for regulatory inspections and enforcement actions.

What Is UK GDPR? The Post-Brexit Data Protection Rules Your Website Must Follow
Privacy GDPR Compliance Cookies

UK GDPR is the United Kingdom's version of the General Data Protection Regulation, retained in domestic law after Brexit. It works alongside the Data Protection Act 2018 and PECR to regulate how organisations collect, store and use personal data belonging to people in England, Scotland, Wales and Northern Ireland.

Mar 18, 2026 · 13 min read
What Is the LGPD? A Practical Guide to Brazil's Data Protection Law
Privacy Compliance Cookies

Brazil's LGPD (Lei Geral de Proteção de Dados) regulates how personal data is collected and processed for anyone located in Brazil. It applies regardless of where your business is based, covers cookies and online tracking, and carries fines of up to 2% of annual revenue in Brazil.

Mar 18, 2026 · 12 min read
Records of Processing Activities: The GDPR Compliance Checklist You're Probably Missing
GDPR Compliance Privacy

A Record of Processing Activities (ROPA) is the document most organisations need under GDPR Article 30 but few get right. The Irish DPC's 2022 sweep found that the majority of organisations it audited had non-compliant records. Here is what your ROPA must contain, why the 250-employee exemption rarely applies, and how to build one that holds up to regulatory scrutiny.

Mar 18, 2026 · 14 min read
Automated Decision-Making and Profiling: User Rights Under Article 22
Privacy GDPR Compliance

Article 22 of the GDPR restricts decisions made solely by automated processing when they produce legal or similarly significant effects on individuals. Website owners using profiling cookies, credit scoring, or algorithmic personalisation need to understand when this provision applies and what safeguards are required.

Mar 18, 2026 · 13 min read
GDPR and Cookies: Special Categories of Data You Might Be Collecting Without Knowing
GDPR Cookies Compliance Privacy

Article 9 of the General Data Protection Regulation (GDPR) places strict limits on collecting sensitive information like health data, political opinions, and sexual orientation. Many website owners accidentally process this special category data through standard analytics and marketing cookies.

Mar 18, 2026 · 12 min read
Legitimate Interest as a Legal Basis: When Can You Skip Consent?
Privacy GDPR Compliance Cookies

Legitimate interest is the most flexible of the six GDPR legal bases, but it is also the most misunderstood. This guide explains the three-part test you must pass, where legitimate interest works in practice, and why it rarely applies to cookies and tracking technologies.

Mar 18, 2026 · 13 min read
Handling Data Breaches: The 72-Hour Notification Rule Under GDPR Article 33
GDPR Compliance Privacy

GDPR Article 33 requires data controllers to notify their supervisory authority of a personal data breach within 72 hours of becoming aware of it. The clock starts ticking from awareness, not from when the breach occurred - and getting the notification wrong can be just as costly as missing the deadline entirely.

Mar 18, 2026 · 14 min read
Do You Need a Data Protection Officer? GDPR Requirements Explained (Article 37)
GDPR Compliance Guides

Article 37 of the GDPR forces specific types of businesses to appoint a Data Protection Officer. Learn the strict legal triggers for this mandatory role, how to avoid massive fines, and whether your website tracking crosses the regulatory threshold.

Mar 18, 2026 · 14 min read
Cross-Border Data Transfers After GDPR: Adequacy Decisions, Safeguards, and What They Mean for Your Website
GDPR Privacy Compliance

GDPR restricts the transfer of personal data outside the EEA unless the receiving country offers equivalent protection or specific safeguards are in place. With record fines now reaching into the hundreds of millions, getting cross-border transfers right has become one of the most consequential compliance tasks for any website that uses third-party services hosted abroad.

Mar 18, 2026 · 13 min read