Technologies Required for GDPR, Part 1


With the clear majority of personal data being captured, stored, structured, organized and processed in digital forms across today's digital landscape, compliance with the GDPR is going to require appropriate technological responses. To do otherwise would be foolhardy and out of step with the requirements of the GDPR that specifically call out the need for technological answers. As noted above, complying with the GDPR requires a complementary mix of both organizational and technological responses. In reviewing the requirements of the GDPR, the following categories of technologies will be essential for every organization controlling or processing data on EU residents.


Organizations need to select up-to-date and modern applications to govern the processes of collecting, storing, and processing personal data about EU residents. The rights that EU residents newly have under the GDPR - such as the right to access, the right to rectify, the right to erasure, and the right to the restriction of processing, among others - requires an exceedingly well-governed data management environment that handles both the big picture requirements of GDPR as well as the specific rights across all instances of personal data. Organizations will need to track consent requests and approvals for many different actions, and tie that consent to the specific personal data collected or updated for that purpose. Organizations will need the ability to know when a legal basis other than consent is being used to justify storing and processing personal data, and the specific personal data values to which this applies - and for how long. Organizations must retain records of processing activities, transfer activities, and access or disclosure activities.

Taking this approach is merely an enactment of Article 25, on data protection by design and by default. Organizations without such an applications landscape will be unable to meet even the conceptually simple access, rectification and erasure rights in a timely and cost-efficient manner, let alone address the more complex rights around data portability, objections, and automated decision-making for individuals. Organizations should be challenging their current IT applications providers for details on how these requirements are met in current applications, as well as exploring the options from new generation IT providers.


Implementing appropriate organizational and technological safeguards on all master production systems that contain personal and sensitive personal data is essential. But it is not enough. Sufficient controls are required for:

  • Copies of production databases containing personal data taken for testing, development, or analytics purposes. Leaving these unprotected or unsecured will place the organization out of compliance with GDPR.
  • Spreadsheets and other data sources populated by exporting customer contact and profiling details for a mail merge. Storing this information in a local folder that is synchronized to a cloud storage service like Box, Dropbox, or OneDrive for Business is likely to compromise GDPR mandates.
  • Email archives, whether stored on-premises, in cold storage or in the cloud. These are likely to contain personal data that must be protected under the GDPR.

In light of the massive volumes of data that exist in unstructured forms across the organization, a technological response to identify, catalogue, and classify all such data sources is an essential step, laying the foundation for taking appropriate action on any and every form of personal data thereby identified.

Technologies Required for GDPR, Part 2