What is GDPR?

| Adopted | Applicable from | Jurisdiction |
|---|---|---|
| 14 April 2016 | 25 May 2018 | European Union / International Implications |
Key GDPR Principles
Individual Rights Under GDPR
GDPR empowers individuals (data subjects) with distinct rights regarding their personal data. These rights are:
| Right | Description |
|---|---|
| Right to access | Individuals can obtain confirmation and a copy of their personal data being processed. |
| Right to rectification | Allows correction of inaccurate or incomplete data. |
| Right to erasure (right to be forgotten) | Enables data subjects to have their data deleted under certain conditions. |
| Right to restrict processing | Processing can be restricted in certain circumstances. |
| Right to data portability | Permits individuals to obtain and reuse their data across different services. |
| Right to object | Individuals can object to data processing based on specific grounds. |
| Rights in relation to automated decision-making | Safeguards with respect to automated processing and profiling. |
Organisational Obligations and Requirements
Organisations must comply with a range of duties under GDPR, including:
- Lawful basis for processing: Identify and document an appropriate legal basis for processing personal data, such as consent, contract, legal obligation, vital interests, public task, or legitimate interests.
- Obtaining valid consent: Where relied upon, consent must be freely given, specific, informed, and unambiguous.
- Appointment of a Data Protection Officer (DPO): Public authorities and certain organisations conducting large-scale systematic monitoring or processing of sensitive data must appoint a DPO.
- Data breach notification: Notifying the relevant supervisory authority within 72 hours of becoming aware of a data breach, and informing data subjects where required.
- Documentation and record-keeping: Maintain records of processing activities as evidence of compliance.
- Privacy by design and by default: Integrate data protection into business processes and systems from the outset.
- Transparency and privacy policy: Clearly inform individuals about data practices via concise, accessible privacy policies.
Penalties and Enforcement
Supervisory authorities across the EU, such as national data protection regulators, are responsible for GDPR enforcement. Non-compliance can result in significant administrative fines:
| Type of Breach | Maximum Penalty |
|---|---|
| Standard breaches | Up to EUR 10 million or 2% of annual global turnover (whichever is higher) |
| Severe breaches | Up to EUR 20 million or 4% of annual global turnover (whichever is higher) |
In addition to fines, organisations may face legal actions, reputational damage, and mandatory changes to data processing practices. Examples of enforcement include penalties for insufficient consent mechanisms and failing to report breaches on time.
Checklist: Steps for GDPR Compliance
- Identify if GDPR applies to your organisation’s personal data processing activities.
- Ensure a clear lawful basis exists for each processing activity.
- Update privacy policies to reflect GDPR requirements.
- Review consent mechanisms for clarity and observability.
- Appoint a Data Protection Officer if required.
- Maintain up-to-date records of processing activities (Article 30 records).
- Implement ‘privacy by design and by default’ into your systems and processes.
- Prepare protocols for data breach detection, reporting, and investigation.
- Train staff on GDPR requirements and data handling best practices.
- Assess cross-border data transfers and ensure appropriate safeguards are in place when transferring data to a third country.
Commonly Used GDPR Abbreviations
| Abbreviation | Meaning |
|---|---|
| GDPR | General Data Protection Regulation |
| DPO | Data Protection Officer |
| EEA | European Economic Area |
| EU | European Union |
| UK GDPR | UK’s version of the GDPR post-Brexit |
Global Reach and International Implications
GDPR’s extraterritorial provisions mean that organisations outside the EU must comply if they offer goods or services to EEA residents or monitor their behaviour. Special rules apply to international data transfers to countries outside the EEA (third countries), including use of standard contractual clauses or adequacy decisions by the European Commission.
The UK GDPR mirrors the EU GDPR but is tailored to the domestic context post-Brexit. Organisations may need to comply with both UK and EU regulations if operating across these jurisdictions.
Further Reading and Authoritative Resources
FAQs
Who does GDPR apply to?
GDPR applies to any organisation processing the personal data of individuals (data subjects) within the European Economic Area, regardless of where the organisation is established. It also covers data controllers and data processors outside the EEA if they offer goods or services to EEA residents or monitor their behaviour.
What are the main penalties for non-compliance with GDPR?
Penalties for non-compliance can reach up to EUR 20 million or 4 percent of annual global turnover, whichever is higher. Lower tier breaches incur up to EUR 10 million or 2 percent of turnover. Authorities may also impose corrective measures or require operational changes.
What types of data does GDPR protect?
GDPR protects ‘personal data’ — any information relating to an identified or identifiable natural person. This includes names, identification numbers, location data, online identifiers, and factors specific to an individual’s identity.
What must organisations do in the event of a data breach?
Organisations must assess the breach, notify the relevant regulatory authority within 72 hours if there’s a risk to the rights and freedoms of individuals, and inform affected data subjects without undue delay when required. Detailed records of the breach must be maintained.
What is the difference between a data controller and a data processor?
A data controller determines the purposes and means of processing personal data, whereas a data processor acts on behalf of, and only under the instructions of, the data controller.
How can organisations demonstrate GDPR compliance?
By implementing appropriate technical and organisational measures, maintaining documentation, training staff, performing data protection impact assessments, and cooperating with supervisory authorities when required.
How does GDPR affect organisations outside the EU?
Organisations outside the EU must comply with GDPR if they process EEA residents’ personal data for offering goods or services, or for monitoring behaviour. This often requires appointing an EU representative and meeting cross-border data transfer requirements.
