Regulation EU 2016/679 -General Data Protection Regulation (GDPR)

It is a basic European regulation that shapes the rights of individuals and the obligations of organizations engaged in the processing of personal data. It introduces the supervisory authorities in the EU countries and financial fines, which can be placed on organizations unlawfully processing personal data.

What is GDPR? 

Find out more about this regulation

Regulation source

REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), can be found on the official website of the EU here.


GDPR is a fundamental law in the EU shaping the rules for processing personal data. As a regulation, it directly applies to all the legislations of the EU member states. The member states can detail that law with national legislation acts. The legislation provides rights to data subjects that have to be warranted by an organization while processing personal data.


As specified in Article 3 of GDPR, the regulation applies to the processing of personal data by a controller or processor established in the Union, regardless of whether the processing occurs in the Union or not. Alternatively, GDPR applies to the processing of personal data of data subjects in the Union by a controller or processor not established in the Union, where the processing activities are related to:
(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behavior as far as their behavior takes place within the Union.

Noncompliance consequences

GDPR introduces in each member state a state-established supervisory authority. A data subject, other organization, or a supervisory authority can report the infringement at any moment. Also, the organization processing personal information must inform the supervisory authority about personal data breaches in less than 72 hours. A supervisory authority can impose administrative fines on any organization that processes personal data. The fines can be up to 20 000 000 Euro, or in the case of an undertaking, up to 4% of the total global annual turnover.

Achieving compliance with ins2outs

Learn how to achieve and prove compliance with this regulation on ins2outs

1. Privacy gap assessment

We start the GDPR compliance project by assessing the current privacy framework used in the organization. The short review of personal data categories, privacy risk assessment approach, and governance structure enables us to prepare a plan for the GDPR compliance project.

2. Information Security Management System definition

GDPR puts obligations on any organization processing personal data without explaining how to implement them. Here the ISO 27001-compliant Information Security Management System comes in handy, offering a state-of-the-art approach to managing information security and privacy. In this step, the ISMS is defined and introduced to the organization.

3. Personal Information Management System definition

The ISMS is then extended with the approach to managing privacy derived from GDPR and other privacy regulations. ISO 27701 standard provides guidance on extending the ISMS to the Privacy Information Management System (PIMS). In this step, the PIMS is defined and introduced to the organization on top of the ISMS.

4. Executing GDPR-derived processes

The organization under its PIMS executes the basic privacy processes in this step. It covers defining personal data categories, defining records of processing activities (ROPAs), conducting privacy risk assessments, and implementing technical and organizational measures (TOMs). Finally, data processing agreements and other legal documents are also prepared.

5. Operating ISMS and PIMS

Finally comes the moment when both ISMS and PIMS are operated in the organization. ins2outs assures building the proper awareness among people engaged in personal data processing. It structures and triggers all actions required by both systems to ensure security, privacy, and lawful processing of personal data. If needed, a notified body can certify both ISMS and PIMS.


Check our complementary services

Find out what services you can use to achieve compliance with this regulation

ins2outs software

An organization works in ins2outs software (SaaS) hosted in a secure cloud environment. ins2outs provides an account where any of its management systems are hosted, like quality, information security, privacy, and others. The organization invites its users to the ins2outs software.