📜 Phase 2 · 4-6 weeks

Phase 2: Legal Framework & Policies

With the data landscape mapped, this phase focuses on building the legal and policy framework: privacy notices, consent mechanisms, data processing agreements, internal policies, and the lawful basis documentation. This is where you create the governance documents that demonstrate compliance.

🎯 Objectives

  • Draft or update all required privacy notices (external and internal)
  • Establish legally compliant consent mechanisms where consent is the lawful basis
  • Put Data Processing Agreements in place with all processors
  • Create internal data protection policies and procedures
  • Establish the DPIA process for high-risk processing

Privacy Notice Drafting and Deployment

Draft comprehensive privacy notices for all audiences: website visitors, customers, employees, job applicants, and any other data subject groups. Each notice must contain all information required by Articles 13 and 14. Deploy using a layered approach: short notice at the point of collection with links to the full notice.

🎓 Beginner's Note

Privacy notices are the most visible part of GDPR compliance and the first thing a regulator or data subject will look at. A good privacy notice is clear, comprehensive, and honest. A bad one is vague, incomplete, or written in impenetrable legalese. Many of the largest GDPR fines have been partly or wholly about inadequate transparency.

💡 Consultant Tips

  • Use plain, clear language — avoid legal jargon. Test with non-lawyers.
  • Create a modular template so different notices share common sections but are tailored to each audience
  • Include all Article 13/14 mandatory information: identity, DPO contact, purposes, lawful basis, recipients, transfers, retention, rights, complaints
  • Version control all privacy notices and maintain an archive of previous versions

Consent Management Implementation

Design and implement consent mechanisms for all processing activities that rely on consent as the lawful basis. This includes cookie consent banners, marketing opt-in forms, and any other consent collection points. Ensure consent meets all GDPR requirements: freely given, specific, informed, unambiguous, and withdrawable.

🎓 Beginner's Note

Cookie consent is often the first thing people think of with GDPR, but it is actually governed by the ePrivacy Directive (not GDPR directly). However, the ePrivacy Directive relies on the GDPR definition of consent, so the same standard applies. A common mistake is using a cookie banner that says 'By continuing to use this site, you agree to cookies' — this is NOT valid GDPR consent. The user must take an affirmative action.

💡 Consultant Tips

  • Use a Consent Management Platform (CMP) for cookie consent — OneTrust, Cookiebot, TrustArc are popular options
  • Implement granular consent: separate checkboxes for different purposes (email marketing, SMS, third-party sharing)
  • Make withdrawal as easy as giving consent (one-click unsubscribe, cookie preference center)
  • Maintain a consent ledger: timestamp, identity, version of notice, what was consented to, channel
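The consent ledger described above, as an added example (not code from this page or from any CMP product): an append-only Python ledger that stores one granular purpose per record with notice version, channel and timestamp, refuses to record a grant that did not come from an affirmative action, and makes withdrawal a single call. Purpose and channel names are assumptions.

```python
# Added example, not from the original page: an append-only consent ledger.
# Purpose and channel names below are assumptions for illustration.
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

PURPOSES = {"email_marketing", "sms_marketing", "third_party_sharing"}


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: str              # one granular purpose per event, never a bundle
    granted: bool             # True = consent given, False = consent withdrawn
    notice_version: str       # version of the privacy notice shown at the time
    channel: str              # e.g. "web_form", "cookie_banner", "call_centre"
    affirmative_action: bool  # subject actively opted in (unticked box, "Accept")
    timestamp: datetime = field(
        default_factory=lambda: datetime.now(timezone.utc))


class ConsentLedger:
    """Append-only: a withdrawal is a new event; earlier records are never edited."""

    def __init__(self) -> None:
        self._events: list[ConsentEvent] = []

    def record(self, ev: ConsentEvent) -> None:
        if ev.purpose not in PURPOSES:
            raise ValueError(f"unknown purpose: {ev.purpose}")
        # "By continuing you agree" or a pre-ticked box is not consent:
        # a grant is only recorded when it came from an affirmative act.
        if ev.granted and not ev.affirmative_action:
            raise ValueError("consent requires an affirmative action")
        self._events.append(ev)

    def withdraw(self, subject_id: str, purpose: str,
                 notice_version: str, channel: str) -> None:
        # Withdrawal is as easy as giving consent: one call, one click.
        self.record(ConsentEvent(subject_id, purpose, False, notice_version,
                                 channel, affirmative_action=True))

    def latest(self, subject_id: str, purpose: str) -> Optional[ConsentEvent]:
        for ev in reversed(self._events):        # most recent event wins
            if ev.subject_id == subject_id and ev.purpose == purpose:
                return ev
        return None

    def has_consent(self, subject_id: str, purpose: str) -> bool:
        ev = self.latest(subject_id, purpose)
        return ev is not None and ev.granted

    def history(self, subject_id: str) -> list[ConsentEvent]:
        """Full audit trail for one subject: what a regulator or DSAR asks for."""
        return [ev for ev in self._events if ev.subject_id == subject_id]
```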

Data Processing Agreements (DPAs)

Put Article 28-compliant Data Processing Agreements in place with ALL processors. Review existing contracts and add GDPR clauses where missing. For new vendors, ensure DPAs are signed before processing begins. Key clauses: processing only on controller instructions, confidentiality, security measures, sub-processor controls, data breach notification, audit rights, deletion/return of data at end of contract.

🎓 Beginner's Note

A Data Processing Agreement is a legally binding contract between the controller (your client) and each processor (vendor). Without it, the data sharing is non-compliant. Most cloud and SaaS vendors now have standard DPAs available on their websites. Your job is to ensure every vendor has one and that it covers all Article 28 requirements.

💡 Consultant Tips

  • Start with your highest-risk processors: cloud providers, payroll, CRM, marketing platforms
  • Many large vendors (AWS, Microsoft, Google, Salesforce) have standard DPAs — review and accept these
  • For smaller vendors, provide your own DPA template
  • Track DPA status in a register: Vendor, Service, Data Types, DPA Status, Expiry Date
  • Include international transfer mechanisms (SCCs) in DPAs where the processor is outside the EU/EEA

Internal Data Protection Policies

Create a suite of internal policies that govern how the organization handles personal data. Key policies include: overarching Data Protection Policy, Acceptable Use Policy, Data Retention and Disposal Policy, Data Breach Response Policy, DSAR Response Policy, Data Classification Policy, Clean Desk and Clear Screen Policy, Bring Your Own Device (BYOD) Policy.

🎓 Beginner's Note

Policies are your internal rules of the road. They tell employees what they must do, what they must not do, and what happens if they violate the rules. Good policies are short, clear, and actionable. Bad policies are long, vague, and filed in a drawer never to be read again. Every policy should answer the question: what does the average employee need to DO differently?

💡 Consultant Tips

  • Make policies practical and actionable — not just theoretical statements
  • Include clear responsibilities: who does what, by when, and how
  • Align with existing corporate governance and information security frameworks (ISO 27001, NIST)
  • Create short, practical guidance documents alongside the formal policies
  • Ensure policies are approved by senior management and communicated to all staff

DPIA Process Establishment

Create a Data Protection Impact Assessment (DPIA) process per Articles 35-36. Define when a DPIA is required (high-risk processing criteria), create a DPIA template, establish the review and approval workflow, and train project managers and product owners to trigger DPIAs at the right time.

🎓 Beginner's Note

A DPIA is essentially a privacy risk assessment. It asks: What are we doing? What data is involved? What could go wrong? How likely is it? How bad would it be? What can we do to reduce the risk? If the risk is still high after mitigation, you must consult your supervisory authority BEFORE proceeding (Article 36 prior consultation).

💡 Consultant Tips

  • DPIAs are mandatory when: using new technologies, large-scale profiling, large-scale processing of special category data, systematic monitoring of public areas, or automated decision-making with significant effects
  • Create a screening questionnaire to help project teams determine if a DPIA is needed
  • Integrate DPIA into the project lifecycle: it should be done BEFORE the processing begins, not after
  • The DPO must be consulted during every DPIA

International Transfer Mechanisms

For all cross-border data transfers identified in Phase 1, implement the appropriate legal transfer mechanism: adequacy decisions, Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), or approved derogations. Conduct Transfer Impact Assessments (TIAs) where required.

🎓 Beginner's Note

International data transfers are one of the most complex areas of GDPR. The basic rule is: personal data cannot leave the EU/EEA unless the destination provides adequate protection. This creates challenges for any organization using US cloud providers, offshoring to India, or operating globally. The transfer mechanisms (SCCs, adequacy decisions, BCRs) are legal tools to bridge this gap.

💡 Consultant Tips

  • Start by checking if the destination country has an EU adequacy decision — if so, no additional mechanism is needed
  • For US transfers, check if the recipient is certified under the EU-US Data Privacy Framework
  • For all other transfers, implement the new (2021) Standard Contractual Clauses
  • Conduct a Transfer Impact Assessment to evaluate the laws of the destination country
  • Document all transfer mechanisms in a cross-border transfer register

📦 Phase Deliverables

  • Privacy Notices (customer, employee, website visitor, job applicant)
  • Cookie Consent Implementation (CMP deployed and configured)
  • Consent Management Process and Consent Ledger
  • Data Processing Agreements register (all vendors tracked and DPAs executed)
  • Internal Data Protection Policy Suite (8-10 policies)
  • DPIA Process Document and Template
  • DPIA Screening Questionnaire
  • Cross-Border Transfer Register with Transfer Impact Assessments
  • Lawful Basis Documentation (updated from Phase 1 with legal review)