🔒 Phase 3 · 6-8 weeks

Phase 3: Technical & Organizational Measures

Implement the technical controls and organizational processes required by GDPR. This includes data security measures (Article 32), breach detection and response (Articles 33-34), data subject rights fulfillment processes, privacy by design integration into development workflows, and staff training.

🎯 Objectives

  • Implement appropriate technical security measures per Article 32
  • Build and test the data breach detection, assessment, and notification process
  • Operationalize data subject rights fulfillment (DSAR, erasure, portability, etc.)
  • Integrate Privacy by Design into software development and project management
  • Deliver GDPR awareness training to all staff and specialized training to key roles

Technical Security Implementation (Article 32)

Implement or upgrade technical measures to ensure appropriate security for personal data. Key measures include: encryption at rest and in transit, pseudonymization where feasible, access controls (role-based, least privilege), logging and monitoring, network segmentation, endpoint protection, secure backup and recovery, and vulnerability management.

🎓 Beginner's Note

Article 32 does not prescribe specific technologies. It requires measures appropriate to the risk. A small company processing mailing lists needs basic security (encryption, passwords, access control). A health data processor needs much more (network segmentation, encryption everywhere, strict access controls, audit trails). The key principle is: the more sensitive the data and the higher the risk, the stronger the security must be.

💡 Consultant Tips

  • Prioritize encryption: TLS 1.2+ for all data in transit, AES-256 for data at rest in databases and file storage
  • Implement role-based access control (RBAC) — no one should have more access than they need
  • Enable audit logging for all access to personal data — you will need this for breach investigation
  • Ensure backups are encrypted and that backup data is included in your DSAR and erasure processes
  • Conduct regular penetration testing and vulnerability scanning
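The pseudonymisation measure named in Article 32(1)(a) is easy to get wrong by using a plain hash, which anyone can recompute from a guessed e-mail address. The following is an added illustration written for this guide, not code from the page or from any vendor it mentions: it derives pseudonyms with a keyed HMAC, keeps the key and the re-identification table apart from the analytics copy, and includes the release check a consultant would ask for before an extract leaves the controlled environment. The customer rows, field names and the function names are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed sample rows; the addresses are not real people.
CUSTOMER_ROWS = [
    {"customer_id": "C-1001", "email": "alice@example.org", "country": "DE", "order_total": 120.5},
    {"customer_id": "C-1002", "email": "bob@example.org", "country": "FR", "order_total": 80.0},
    {"customer_id": "C-1001", "email": "alice@example.org", "country": "DE", "order_total": 30.0},
]

# Fields that directly identify a person and must not reach the analytics copy in clear.
DIRECT_IDENTIFIERS = ("customer_id", "email")


def new_pseudonym_key() -> bytes:
    """Generate the secret that turns identifiers into pseudonyms. Hold it outside the
    analytics environment (a KMS or HSM in practice): whoever has it can re-link records."""
    return os.urandom(32)


def pseudonymize_value(value: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 of the identifier. Unlike a plain hash, someone who obtains only
    the analytics copy cannot confirm a guessed e-mail address by hashing it themselves."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymize_rows(rows, key):
    """Return (analytics_rows, lookup_table).

    The lookup table is the 'additional information' of Article 4(5); store it and the key
    in a separate system under stricter access control than the analytics copy."""
    analytics_rows, lookup = [], {}
    for row in rows:
        out = {}
        for field, value in row.items():
            if field in DIRECT_IDENTIFIERS:
                pseudonym = pseudonymize_value(value, key)
                lookup[pseudonym] = value
                out[field] = pseudonym
            else:
                out[field] = value
        analytics_rows.append(out)
    return analytics_rows, lookup


def reidentify(row, lookup):
    """Reverse the pseudonymisation for an authorised purpose (a DSAR, for instance)
    using the separately held lookup table."""
    return {f: lookup.get(v, v) if f in DIRECT_IDENTIFIERS else v for f, v in row.items()}


def leaks_identifier(rows, identifiers) -> bool:
    """Release check: does any cleartext identifier survive in the extract?"""
    blob = repr(rows)
    return any(ident in blob for ident in identifiers)


if __name__ == "__main__":
    key = new_pseudonym_key()
    analytics, lookup = pseudonymize_rows(CUSTOMER_ROWS, key)
    print(analytics[0]["email"] == analytics[2]["email"])   # True: same person, same pseudonym
    print(leaks_identifier(analytics, ["alice@example.org", "C-1001"]))  # False
```

Because the pseudonym is deterministic per key, both of Alice's rows still join in analytics; rotating the key produces an unrelated set of pseudonyms, which is what makes the separation of the key from the data meaningful.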

Data Breach Response Process (Articles 33-34)

Build a complete breach detection, assessment, containment, notification, and lessons-learned process. Under GDPR, breaches that risk individuals' rights must be reported to the supervisory authority within 72 hours. High-risk breaches must also be communicated to affected individuals without undue delay.

🎓 Beginner's Note

Data breach response is one of the most time-critical GDPR requirements. The 72-hour notification deadline to the supervisory authority is extremely tight — weekends and holidays count. You do not need to have full details within 72 hours; you can provide information in phases. But you MUST notify within the deadline. Many organizations have been fined not for the breach itself but for failing to notify on time.

💡 Consultant Tips

  • Create a Breach Response Team with named roles: Incident Commander, Technical Lead, Legal Advisor, Communications Lead, DPO
  • Develop a breach severity classification matrix: Low (no notification), Medium (SA notification), High (SA + individual notification)
  • Pre-draft notification templates for the supervisory authority and individuals
  • Practice with tabletop exercises — simulate a breach scenario and walk through the response
  • The 72-hour clock starts when you BECOME AWARE of the breach, not when you fully understand it
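The severity matrix and the 72-hour clock above are easier to operate when they are encoded rather than argued about during an incident. The block below is an added example for this guide, not an artefact from the page or from any regulator: it classifies a breach into the three tiers of the matrix, derives the notification obligations and the Article 33 deadline from the moment of awareness, and builds a phased first notification so that unknown facts do not delay the filing. The special-category list, the volume threshold, the dataclass fields and the function names are assumptions an organisation would replace with its own plan.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Article 33(1): notify the supervisory authority not later than 72 hours after becoming aware.
SA_NOTIFICATION_WINDOW = timedelta(hours=72)

# Assumed inputs to the severity matrix; tune these in the organisation's own response plan.
SPECIAL_CATEGORIES = {"health", "biometric", "genetic", "sexual_orientation",
                      "political", "religion", "criminal"}
HIGH_VOLUME_THRESHOLD = 10_000   # assumed number of affected individuals


@dataclass(frozen=True)
class Breach:
    summary: str
    became_aware_at: datetime         # timezone-aware; this, not full understanding, starts the clock
    data_categories: frozenset
    individuals_affected: int
    data_unintelligible: bool = False  # e.g. strongly encrypted, key not compromised (Art. 34(3)(a))
    financial_data: bool = False


def classify(b: Breach) -> str:
    """Map a breach onto the matrix: Low (no notification), Medium (SA), High (SA + individuals)."""
    if b.data_unintelligible:
        return "Low"
    if (b.data_categories & SPECIAL_CATEGORIES or b.financial_data
            or b.individuals_affected >= HIGH_VOLUME_THRESHOLD):
        return "High"
    return "Medium"


def obligations(b: Breach) -> dict:
    """Who must be told, and by when, for this breach."""
    sev = classify(b)
    return {
        "severity": sev,
        "notify_sa": sev in ("Medium", "High"),
        "notify_individuals": sev == "High",
        "sa_deadline": b.became_aware_at + SA_NOTIFICATION_WINDOW if sev != "Low" else None,
    }


def hours_remaining(b: Breach, now: datetime) -> float:
    """Hours left on the Article 33 clock; negative once the deadline has passed."""
    return (b.became_aware_at + SA_NOTIFICATION_WINDOW - now) / timedelta(hours=1)


def initial_notification(b: Breach, facts_known: dict) -> dict:
    """Article 33(3) content. Fields still unknown are filed as pending so the deadline is met
    and completed later in phases, as Article 33(4) permits."""
    required = ("nature_of_breach", "dpo_contact", "likely_consequences", "measures_taken")
    return {k: facts_known.get(k, "pending - to follow in phased update") for k in required}


if __name__ == "__main__":
    aware = datetime(2024, 3, 1, 17, 30, tzinfo=timezone.utc)   # a Friday evening
    b = Breach("customer database exported", aware, frozenset({"contact", "health"}), 500)
    print(obligations(b))            # High, SA and individuals, deadline Monday 17:30 UTC
    print(hours_remaining(b, datetime(2024, 3, 2, 17, 30, tzinfo=timezone.utc)))  # 48.0
```

The deadline is computed from `became_aware_at` only; the tabletop exercise recommended above should confirm that the team records that timestamp as soon as a credible report arrives, since that is the value the supervisory authority will ask for.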

Data Subject Rights Fulfillment System

Build operational processes and tools to handle all eight data subject rights. Implement an intake system (web form, email, phone), identity verification, routing, tracking, and response generation. Focus particularly on DSARs (right of access) and erasure requests, which are the most operationally demanding.

🎓 Beginner's Note

Fulfilling data subject rights at scale is an operational challenge that many organizations underestimate. A single DSAR can require searching dozens of systems, compiling data, redacting third-party information, and formatting for delivery — all within 30 days. If your client is a consumer-facing business, expect a steady stream of requests. If they are a B2B company, volume will be lower but each request may be more complex.

💡 Consultant Tips

  • Use a rights management tool or ticketing system to track requests (OneTrust, TrustArc, or even a well-structured Jira workflow)
  • Create standard operating procedures (SOPs) for each right with clear timelines and responsibilities
  • Build automated data extraction capabilities for DSARs where possible
  • Implement a deletion workflow that covers ALL systems (including backups — consider a suppression list approach for backups)
  • Set up SLA monitoring with escalation at day 14 and day 25 of the 30-day deadline
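The suppression-list approach mentioned above for backups deserves a concrete shape, because a restore that silently brings erased records back is a common way an otherwise correct erasure workflow fails. The block below is an added example for this guide and not code from the page or from any of the tools it names: the erasure workflow records a peppered hash of each erased subject identifier (so the list itself is not a readable register of erased people), and the restore routine drops those subjects from every table in the snapshot. The snapshot, the pepper value and the function names are constructed for the example.

```python
import hashlib

# Constructed backup snapshot taken before an erasure request for S-100 was fulfilled.
BACKUP_SNAPSHOT = {
    "customers": [
        {"subject_id": "S-100", "email": "erased.person@example.org"},
        {"subject_id": "S-200", "email": "active.person@example.org"},
    ],
    "orders": [
        {"order_id": 1, "subject_id": "S-100", "total": 40.0},
        {"order_id": 2, "subject_id": "S-200", "total": 15.0},
    ],
}

# Assumed secret; keep it outside the backup set so the list cannot be reversed from a backup alone.
PEPPER = b"example-pepper-keep-outside-backups"


def suppression_token(subject_id: str) -> str:
    """The list must not become a register of erased people, so it holds peppered hashes."""
    return hashlib.sha256(PEPPER + subject_id.encode("utf-8")).hexdigest()


def record_erasure(suppression: set, subject_id: str) -> None:
    """Called by the erasure workflow once the live systems have been purged."""
    suppression.add(suppression_token(subject_id))


def restore_with_suppression(snapshot: dict, suppression: set):
    """Re-apply erasures during a restore: any row carrying a suppressed subject is dropped
    from every table, so the restore cannot resurrect data already deleted.
    Returns (restored tables, dropped-row count per table) for the restore log."""
    restored, dropped = {}, {}
    for table, rows in snapshot.items():
        kept = [r for r in rows if suppression_token(r["subject_id"]) not in suppression]
        restored[table] = kept
        dropped[table] = len(rows) - len(kept)
    return restored, dropped


if __name__ == "__main__":
    suppression = set()
    record_erasure(suppression, "S-100")
    restored, dropped = restore_with_suppression(BACKUP_SNAPSHOT, suppression)
    print(dropped)   # {'customers': 1, 'orders': 1}
```

The dropped-row counts are worth keeping with the restore record: they are the evidence that the erasure held across the backup, which is what a DSAR reviewer or auditor will ask to see.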

Privacy by Design Integration

Embed Privacy by Design (Article 25) into the organization's project management, software development lifecycle (SDLC), and change management processes. Ensure that every new project, system, or process that involves personal data is assessed for privacy impact and designed with data protection built in from the start.

🎓 Beginner's Note

Privacy by Design means thinking about privacy BEFORE you build something, not after. It is like building a house with fire safety in mind from the architectural plans, rather than trying to bolt on fire escapes after the house is built. In practice, this means: do you really need that data field? Is the default setting the most private? Can you use pseudonymized data instead of real data? Can you auto-delete after the retention period?

💡 Consultant Tips

  • Add a Privacy by Design checklist to the project initiation phase
  • Integrate DPIA screening into the project approval workflow
  • Train developers on privacy principles: data minimization, purpose limitation, storage limitation, pseudonymization
  • Create secure coding guidelines for handling personal data (input validation, output encoding, parameterized queries)
  • Review system architecture for privacy: default settings, data separation, retention automation
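Three of the points above (data minimisation, privacy-protective defaults, parameterised queries) can be shown in one intake path. The following is an added example for this guide, not code from the page: a purpose register declares which fields may be collected, undeclared fields are dropped before storage, every privacy setting starts at its most protective value and changes only on an explicit affirmative choice, and the insert uses bound parameters so submitted text never becomes SQL. The purpose register, the table layout and the function names are assumptions.

```python
import sqlite3

# Constructed register: the fields each purpose is allowed to collect (data minimisation).
PURPOSE_FIELDS = {
    "newsletter": {"email"},
    "order_fulfilment": {"email", "name", "shipping_address"},
}

# Most protective value by default; only an explicit affirmative choice changes it.
PRIVACY_DEFAULTS = {"marketing_consent": 0, "profile_public": 0, "analytics_opt_in": 0}

COLUMNS = ("email", "name", "shipping_address",
           "marketing_consent", "profile_public", "analytics_opt_in")


def minimise(submitted: dict, purpose: str) -> dict:
    """Drop every field the purpose did not declare; what is never collected cannot leak."""
    allowed = PURPOSE_FIELDS[purpose]
    return {k: v for k, v in submitted.items() if k in allowed}


def apply_privacy_defaults(record: dict, choices: dict) -> dict:
    """Privacy by default (Art. 25(2)): a missing, falsy or merely truthy-looking choice such as
    the string 'yes' keeps the protective default; only the boolean True opts the person in."""
    settings = dict(PRIVACY_DEFAULTS)
    for k, v in choices.items():
        if k in settings and v is True:
            settings[k] = 1
    return {**record, **settings}


def open_store() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE subscribers ("
        " id INTEGER PRIMARY KEY, email TEXT NOT NULL, name TEXT, shipping_address TEXT,"
        " marketing_consent INTEGER NOT NULL, profile_public INTEGER NOT NULL,"
        " analytics_opt_in INTEGER NOT NULL)"
    )
    return conn


def register(conn, purpose: str, submitted: dict, choices=None) -> dict:
    """Intake path: minimise, apply defaults, store with bound parameters, return the stored row."""
    record = apply_privacy_defaults(minimise(submitted, purpose), choices or {})
    cur = conn.execute(
        "INSERT INTO subscribers (email, name, shipping_address, marketing_consent,"
        " profile_public, analytics_opt_in) VALUES (?, ?, ?, ?, ?, ?)",
        tuple(record.get(c) for c in COLUMNS),   # parameters, never string-formatted SQL
    )
    conn.commit()
    row = conn.execute(
        "SELECT " + ", ".join(COLUMNS) + " FROM subscribers WHERE id = ?", (cur.lastrowid,)
    ).fetchone()
    return dict(zip(COLUMNS, row))


if __name__ == "__main__":
    conn = open_store()
    stored = register(conn, "newsletter",
                      {"email": "o'brien@example.org", "date_of_birth": "1990-01-01", "phone": "123"},
                      {"analytics_opt_in": "yes"})
    print(stored)   # only the e-mail survived; every setting is still 0
```

Reviewing a new project against this shape answers the Beginner's Note questions directly: the purpose register is the "do you really need that field?" decision written down, and the defaults table is the "is the default the most private?" decision.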

Staff Training Program

Design and deliver a comprehensive GDPR training program. All staff need basic awareness training. Key roles (HR, Marketing, IT, Customer Service, Management) need specialized training. The DPO and privacy team need advanced training. Training should be practical, role-specific, and regularly refreshed.

🎓 Beginner's Note

Training is one of the most impactful things you can do. The majority of data breaches are caused by human error: sending an email to the wrong person, leaving a laptop on a train, falling for a phishing attack. Good training reduces these incidents. It also creates a culture of privacy awareness where employees think twice before collecting unnecessary data or sharing personal data inappropriately.

💡 Consultant Tips

  • Tier your training: General Awareness (all staff, 30-60 min), Role-Specific (key departments, 2-3 hours), Advanced (privacy team, multi-day)
  • Use real examples and scenarios relevant to the organization — not generic GDPR theory
  • Include practical exercises: recognizing a DSAR, identifying a breach, handling a consent withdrawal
  • Make training mandatory and track completion — regulators expect documented evidence of training
  • Refresh training annually and supplement with ongoing communications (newsletter, intranet updates)

Data Retention Automation

Implement technical controls to enforce the data retention schedule created in Phase 1. Automate data deletion or anonymization where possible. For systems that cannot auto-delete, create manual review processes with reminders and accountability.

🎓 Beginner's Note

Retention automation is where GDPR compliance gets real in the technical sense. It is one thing to have a policy that says 'delete customer data after 3 years.' It is another thing to actually make that happen across 15 different systems, including backups. Start simple: identify the top 5 data stores, implement automated deletion, and expand from there. Perfect is the enemy of good.

💡 Consultant Tips

  • Start with the biggest data stores and highest-risk data categories
  • Implement automated retention in databases (scheduled jobs, TTL fields, archive-and-delete workflows)
  • Address email retention — this is often the biggest challenge (years of unmanaged email with personal data)
  • Do not forget paper records, archived systems, and backup tapes
  • Maintain legal hold processes that can pause deletion when litigation is anticipated
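The scheduled-job pattern in the tips above, together with the legal-hold exception, is shown below as an added example for this guide rather than code from the page. It runs a retention pass over two tables with different actions (delete for support tickets, anonymise for orders so the figures survive without the person), skips any subject under an active legal hold, and returns per-table counts for the run log; a second run on the same day does nothing, which is the idempotence a scheduled job needs. The schedule periods, the table layout, the sample rows and the function names are assumptions standing in for the Phase 1 retention schedule.

```python
import sqlite3
from datetime import date, timedelta

# Assumed retention schedule standing in for the Phase 1 document: table -> (period, action).
RETENTION_SCHEDULE = {
    "support_tickets": (timedelta(days=2 * 365), "delete"),
    "orders": (timedelta(days=3 * 365), "anonymise"),   # keep totals for statistics, drop the person
}


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE orders (id INTEGER PRIMARY KEY, subject_id TEXT, email TEXT,
                             total REAL, created_on TEXT NOT NULL);
        CREATE TABLE support_tickets (id INTEGER PRIMARY KEY, subject_id TEXT, body TEXT,
                                      created_on TEXT NOT NULL);
        CREATE TABLE legal_holds (subject_id TEXT NOT NULL, reason TEXT, released_on TEXT);
    """)
    return conn


def load_sample(conn) -> None:
    """Constructed rows: one past retention, one past but on hold, one still within retention."""
    conn.executemany("INSERT INTO orders (subject_id, email, total, created_on) VALUES (?,?,?,?)", [
        ("S-1", "s1@example.org", 50.0, "2019-05-02"),   # older than 3 years -> anonymise
        ("S-2", "s2@example.org", 70.0, "2019-06-10"),   # older, but under legal hold -> keep
        ("S-3", "s3@example.org", 20.0, "2023-11-01"),   # within retention -> keep
    ])
    conn.executemany("INSERT INTO support_tickets (subject_id, body, created_on) VALUES (?,?,?)", [
        ("S-1", "old ticket", "2020-01-15"),             # older than 2 years -> delete
        ("S-3", "recent ticket", "2023-12-01"),          # keep
    ])
    conn.execute("INSERT INTO legal_holds VALUES ('S-2', 'pending litigation', NULL)")
    conn.commit()


def run_retention_job(conn, today: date) -> dict:
    """One scheduled run. Applies each table's action to rows older than its period, skipping
    subjects with an active (unreleased) legal hold. Returns rows affected per table."""
    results = {}
    hold_filter = "subject_id NOT IN (SELECT subject_id FROM legal_holds WHERE released_on IS NULL)"
    for table, (period, action) in RETENTION_SCHEDULE.items():
        cutoff = (today - period).isoformat()   # ISO dates compare correctly as text
        # Table names come from this module's own schedule, never from user input.
        if action == "delete":
            cur = conn.execute(f"DELETE FROM {table} WHERE created_on < ? AND {hold_filter}",
                               (cutoff,))
        else:
            cur = conn.execute(
                f"UPDATE {table} SET subject_id = NULL, email = NULL "
                f"WHERE created_on < ? AND subject_id IS NOT NULL AND {hold_filter}",
                (cutoff,))
        results[table] = cur.rowcount
    conn.commit()
    return results


if __name__ == "__main__":
    conn = open_db()
    load_sample(conn)
    print(run_retention_job(conn, date(2024, 1, 1)))   # {'support_tickets': 1, 'orders': 1}
```

Releasing a hold means setting `released_on` rather than deleting the hold row, so the next scheduled run picks the subject up again and the history of the hold stays available for the accountability record.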

📦 Phase Deliverables

  • Technical Security Implementation Report (what was deployed, tested, verified)
  • Data Breach Response Plan (with roles, templates, timelines, escalation procedures)
  • Breach Response Tabletop Exercise Report
  • Data Subject Rights SOPs (one per right)
  • Rights Management System/Tool (configured and tested)
  • Privacy by Design Checklist and SDLC Integration Guide
  • GDPR Training Program (materials, schedule, completion tracking)
  • Data Retention Automation Implementation Plan and Progress Report