Compliance

Practical guidance on meeting data protection requirements across jurisdictions, from implementation steps to ongoing compliance management. Learn how to audit your website for compliance gaps, set up proper consent mechanisms, maintain documentation, and prepare for regulatory inspections and enforcement actions.

When Do You Need a Data Protection Impact Assessment (DPIA)?
Privacy Gdpr Compliance

A Data Protection Impact Assessment is mandatory under GDPR whenever processing is likely to result in a high risk to individuals. Article 35 sets out three automatic triggers, and the EDPB has published nine criteria to help you decide whether your processing qualifies. Getting this wrong can lead to enforcement action and fines of up to 2% of global turnover.

Mar 18, 2026 · 14 min read
Data Processors vs Data Controllers: Understanding Your Role Under GDPR
Gdpr Compliance Guides

Every organisation handling personal data under the GDPR acts as either a controller or a processor. Learn how this legal distinction dictates your liability, contractual requirements, and compliance obligations.

Mar 18, 2026 · 8 min read
GDPR Fines Explained: How Supervisory Authorities Calculate Penalties Under Article 83
Gdpr Compliance Privacy

GDPR fines are not arbitrary. Article 83 sets out a structured framework with two tiers of maximum penalties, ten assessment criteria, and a five-step calculation methodology developed by the EDPB. Understanding how authorities arrive at a specific figure helps you assess your own compliance risk.

Mar 18, 2026 · 15 min read
The Right to Data Portability: What It Means for Your SaaS Product
Gdpr Compliance Privacy Guides

Data portability gives users the right to take their personal data out of your SaaS product in a structured, machine-readable format. Under GDPR Article 20 and the 2025 EU Data Act, SaaS providers face concrete obligations around export formats, switching timelines, and interoperability that go far beyond a simple CSV download button.

Mar 18, 2026 · 14 min read
Data Subject Access Requests (DSARs): What You Need to Know About Article 15
Gdpr Compliance Guides Privacy

Article 15 of the GDPR gives individuals the right to request a copy of their personal data. Managing these Data Subject Access Requests correctly prevents severe regulatory fines and legal risks.

Mar 18, 2026 · 11 min read
Children's Data Under GDPR: Age Verification and Parental Consent (Article 8)
Gdpr Compliance Cookies Privacy

Article 8 of the GDPR requires parental consent before processing children's personal data through online services. The default threshold is 16, but EU member states can lower it to 13. Getting this right matters - regulators have issued fines exceeding half a billion euros for failures in protecting children's data online.

Mar 18, 2026 · 12 min read
Data Protection by Design and by Default: A Practical Guide to GDPR Article 25
Privacy Gdpr Compliance Cookies

GDPR Article 25 requires every data controller to bake privacy into systems from the start - not bolt it on later. This guide breaks down what 'by design' and 'by default' mean in practice, how regulators are enforcing these obligations, and what website owners need to do right now to stay compliant.

Mar 18, 2026 · 14 min read
GDPR Territorial Scope: Does It Apply to Websites Outside the EU?
Cookies Privacy Gdpr Compliance Guides

The General Data Protection Regulation does not stop at Europe's borders. Learn how the GDPR's extraterritorial scope applies to websites based in the US, Canada, and beyond.

Mar 18, 2026 · 10 min read
The Right to Erasure: How to Handle "Delete My Data" Requests
Privacy Gdpr Compliance

The right to erasure is one of the most frequently exercised data subject rights under the GDPR, and regulators across Europe are actively auditing how organisations handle deletion requests. Getting the process right means knowing when you must delete, when you can refuse, and how to document every step.

Mar 18, 2026 · 14 min read