Data Privacy: The Complete Guide for Compliance and Security Teams

What Is Data Privacy?

Data privacy is the discipline that ensures personal information is collected, processed, stored, and shared in compliance with legal requirements and individual rights. It governs the rules around how organisations handle personal data — from collection consent to deletion — and provides individuals with control over their information.

In the regulatory landscape of GDPR, CCPA, and emerging privacy laws worldwide, data privacy has become a board-level concern requiring dedicated processes, technologies, and governance structures.

Data Privacy Principles

Principle	Description	GDPR Article
Lawfulness, fairness, transparency	Process data legally, fairly, and transparently	Art. 5(1)(a)
Purpose limitation	Collect data for specified, explicit, legitimate purposes	Art. 5(1)(b)
Data minimisation	Collect only what is necessary	Art. 5(1)(c)
Accuracy	Keep personal data accurate and up to date	Art. 5(1)(d)
Storage limitation	Retain data only as long as necessary	Art. 5(1)(e)
Integrity and confidentiality	Protect data with appropriate security	Art. 5(1)(f)
Accountability	Demonstrate compliance with all principles	Art. 5(2)

Lawful Bases for Processing

Legal Basis	When to Use	Examples
Consent	Individual freely gives informed agreement	Marketing emails, cookies, analytics
Contract	Processing necessary to fulfil a contract	Order processing, service delivery
Legal obligation	Processing required by law	Tax reporting, regulatory filings
Vital interests	Protecting someone's life	Emergency medical data sharing
Public interest	Processing for public benefit	Public health, archiving
Legitimate interests	Business need balanced against individual rights	Fraud prevention, network security

Data Subject Rights

Right	GDPR Article	Response Time	Key Requirements
Access	Art. 15	1 month	Provide copy of all personal data
Rectification	Art. 16	1 month	Correct inaccurate data
Erasure	Art. 17	1 month	Delete data when no longer needed
Restriction	Art. 18	1 month	Limit processing while disputes resolved
Portability	Art. 20	1 month	Provide data in machine-readable format
Object	Art. 21	1 month	Stop processing for legitimate interests
Automated decisions	Art. 22	1 month	Right not to be subject to automated decisions

Privacy Impact Assessment (DPIA)

Phase	Activities	Output
Screening	Determine if DPIA is required (high-risk processing)	DPIA necessity assessment
Description	Document the processing activity, data flows, purposes	Processing description
Necessity assessment	Evaluate proportionality and data minimisation	Necessity and proportionality analysis
Risk identification	Identify risks to individuals' rights and freedoms	Risk register
Risk mitigation	Determine measures to address identified risks	Mitigation plan
DPO consultation	Seek Data Protection Officer guidance	DPO opinion
Documentation	Record assessment, decisions, and residual risks	DPIA report

Data Retention Framework

Data Category	Typical Retention	Legal Basis	Deletion Method
Customer contracts	Duration + 6 years	Legal obligation (statute of limitations)	Secure deletion
Employment records	Duration + 7 years	Legal obligation (tax, employment law)	Secure deletion
Marketing consent	Until withdrawn	Consent	Immediate removal
Website analytics	26 months	Legitimate interest	Automatic purge
Security logs	1-5 years	Legitimate interest / legal obligation	Automatic purge
Backup data	90 days rolling	Legitimate interest	Automatic rotation

International Data Transfers

Mechanism	Use Case	Complexity
Adequacy decision	Transfers to countries with adequate protection	Low
Standard Contractual Clauses (SCCs)	Most common mechanism for third-country transfers	Medium
Binding Corporate Rules (BCRs)	Intra-group transfers in multinationals	High
Derogations	Explicit consent, contract necessity	Case-by-case
EU-US Data Privacy Framework	Transfers to certified US companies	Medium

Compliance Requirements

Framework Mapping

Requirement	GDPR	ISO 27001	SOC 2	NIS2
Privacy policy	Art. 13-14	A.5.34	P1.1	Art. 21
Consent management	Art. 6-7	A.5.34	P3.1	—
Data subject rights	Art. 15-22	A.5.34	P4.1-P8.1	—
Records of processing	Art. 30	A.5.34	P1.2	—
DPIA	Art. 35	A.5.34	—	Art. 21(2)(a)
Data breach notification	Art. 33-34	A.5.24	CC7.3	Art. 23
International transfers	Art. 44-49	A.5.34	P5.1	—
Data protection officer	Art. 37-39	—	—	—

Audit Evidence

Evidence Type	Description	Framework
Privacy policy	Published, current privacy notice	All frameworks
Records of processing (RoPA)	Complete inventory of processing activities	GDPR, ISO 27001
Consent records	Evidence of valid consent collection and management	GDPR
DPIA reports	Completed assessments for high-risk processing	GDPR, NIS2
Data subject request log	Records of requests received and responses	GDPR
Data processing agreements	Contracts with processors under Article 28	GDPR
International transfer mechanisms	SCCs, BCRs, or adequacy documentation	GDPR
Retention schedule	Documented retention periods with legal basis	All frameworks

Common Mistakes

Mistake	Risk	Fix
Relying on consent for everything	Consent fatigue, invalid consent, withdrawal risk	Use appropriate legal basis — consent is one of six options
No data inventory	Cannot comply with RoPA or data subject rights	Create and maintain comprehensive data mapping
Ignoring retention periods	Storing data indefinitely increases breach impact	Implement automated retention and deletion policies
Privacy policy as checkbox exercise	Non-compliance, enforcement action	Ensure policy reflects actual practices
No DPIA process	Missing risk assessments for high-risk processing	Implement DPIA screening and assessment process
Treating privacy as IT-only	Missing business process and legal dimensions	Cross-functional privacy programme with legal, IT, and business

How Orbiq Supports Data Privacy Compliance

Orbiq helps you demonstrate data privacy controls:

• Evidence collection — Centralise privacy policies, DPIAs, RoPA, and consent records
• Continuous monitoring — Track privacy control effectiveness and compliance rates
• Trust Center — Share your privacy posture via your Trust Center
• Compliance mapping — Map privacy controls to GDPR, ISO 27001, SOC 2, and NIS2
• Audit readiness — Pre-built evidence packages for auditor and DPA review

Further Reading

• Data Classification — Classifying data for appropriate privacy controls
• Encryption — Protecting personal data technically
• Identity and Access Management — Controlling access to personal data
• Incident Response — Data breach notification procedures
• Third-Party Risk Management — Managing data processor risks
• ISMS — Privacy within the information security management system