5.4 GDPR for Organizations
Module 5: GDPR — Europe's Standard
Covers the key compliance obligations for data controllers and processors, including DPOs, DPIAs, breach notification, Records of Processing Activities, and GDPR fines.
Understanding the GDPR from an individual rights perspective is valuable. Understanding it from an organisational perspective is equally important — it helps you recognise whether the organisations you deal with are operating compliantly, and prepares you for professional contexts where these obligations fall on you or your employer.
Controllers and processors
The GDPR distinguishes between two key roles. A data controller is the entity that determines the purposes and means of processing personal data — typically a business or public authority. A data processor processes data on behalf of a controller — for example, a cloud storage provider or payroll software company. Controllers bear the primary compliance burden; processors must follow controllers' instructions and are bound by contract under Art. 28.
Data Protection Officer (DPO)
Certain organisations are required to appoint a Data Protection Officer: an independent expert who advises on and monitors GDPR compliance and acts as the point of contact for the supervisory authority. Under Art. 37 a DPO is mandatory for public authorities (other than courts acting in their judicial capacity), for organisations whose core activities involve regular and systematic monitoring of individuals on a large scale, and for organisations whose core activities involve large-scale processing of special category data or data relating to criminal convictions. The DPO must operate independently, must report to the highest level of management, and cannot be dismissed or penalised for performing their tasks (Art. 38).
Data Protection Impact Assessments (DPIAs)
Before undertaking processing that is likely to result in a high risk to individuals' rights and freedoms, such as large-scale profiling, systematic monitoring of public areas, or large-scale processing of special category data, organisations must carry out a DPIA (Art. 35). A DPIA describes the processing, assesses its necessity and proportionality, evaluates the risks to individuals, and identifies measures to mitigate them. If the residual risk remains high after mitigation, the controller must consult the supervisory authority before processing begins (Art. 36).
Breach notification (Art. 33 and Art. 34)
If a personal data breach occurs, the controller must notify the competent supervisory authority (Data Protection Authority, DPA) without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals (Art. 33). A notification made after 72 hours must state the reasons for the delay. A processor that detects a breach must notify its controller without undue delay; the 72-hour clock runs from the controller's awareness. Every breach, notifiable or not, must be documented internally so that the supervisory authority can verify compliance. If the breach is likely to result in a high risk to individuals' rights and freedoms, the controller must also inform the affected individuals directly without undue delay (Art. 34).
Records of Processing Activities (Art. 30)
Controllers and processors must maintain written (including electronic) records of their processing activities, covering the purposes of processing, the categories of data subjects and personal data, the recipients, any international transfers and their safeguards, envisaged retention periods, and a general description of the technical and organisational security measures in place. Organisations with fewer than 250 employees are exempt unless the processing is likely to result in a risk to individuals, is not occasional, or includes special category or criminal conviction data (Art. 30(5)). These records must be made available to supervisory authorities on request and form the backbone of accountability.
GDPR fines
The GDPR introduced significant penalties. Under Art. 83, fines fall into two tiers, and in each tier the cap is whichever of the two figures is higher:
- Lower tier: up to €10 million or 2% of total worldwide annual turnover for the preceding financial year, for breaches of obligations such as those on controllers and processors (including data protection by design, security, breach notification, DPIAs and DPOs), record-keeping, and certification bodies.
- Upper tier: up to €20 million or 4% of total worldwide annual turnover, for breaches of the core principles, the lawful basis requirements (including conditions for consent), data subjects' rights, international transfer rules, or orders of a supervisory authority.
Notable enforcement actions include CNIL's €150 million fine against Google (2022) over cookie consent, imposed under the French transposition of the ePrivacy Directive rather than the GDPR itself, and the Irish DPC's €1.2 billion fine against Meta (2023) for unlawful transfers of EU users' data to the United States, the largest GDPR fine to date.
Your takeaway
GDPR compliance is not a one-time task — it is an ongoing programme of accountability. When you see a company with a clear privacy notice, a DPO contact, and transparent breach communication, you are seeing the GDPR's organisational requirements in action.