GDPR: Core Principles and Audit Obligations

Article 5 of the GDPR states seven principles that govern all processing of personal data. They are not aspirational; they are legally binding, and a violation of any one of them can ground an enforcement action. Auditors test compliance with each principle by looking for documented evidence, not self-certification.

The integrity and confidentiality principle is the one most directly connected to information security controls. It does not mandate specific technical measures; it requires that measures be appropriate to the risk. Article 32 elaborates: controllers must implement encryption, pseudonymisation, ongoing confidentiality and availability of processing systems, and a process for regularly testing and evaluating measures. Auditors assessing this principle apply the same control-testing methods used in ISO 27001 or NIST CSF audits and map results to the GDPR obligation.

Article 6 of the GDPR lists six lawful bases. A controller must identify the correct basis before processing begins. The choice cannot be changed retrospectively if a regulator or court challenges the processing. Each basis carries different implications for how the processing must be conducted and what rights data subjects have.

• Consent (Article 6(1)(a)): the individual has given freely given, specific, informed, and unambiguous consent. Consent must be as easy to withdraw as to give. Pre-ticked boxes and bundled consent are invalid. Records of consent must be retained to demonstrate it was validly obtained.
• Contract (Article 6(1)(b)): processing is necessary to perform a contract with the data subject, or to take steps at the data subject's request before entering into a contract. A delivery address held to fulfil an order is a typical example.
• Legal obligation (Article 6(1)(c)): processing is necessary to comply with a legal obligation placed on the controller by EU or member-state law. Payroll tax reporting is a standard example.
• Vital interests (Article 6(1)(d)): processing is necessary to protect the vital interests of the data subject or another person. This basis is narrow and intended for life-or-death emergencies. It is rarely appropriate in commercial contexts.
• Public task (Article 6(1)(e)): processing is necessary for a task carried out in the public interest or in the exercise of official authority vested in the controller. Primarily used by public authorities, regulators, and researchers.
• Legitimate interests (Article 6(1)(f)): processing is necessary for the legitimate interests of the controller or a third party, provided those interests are not overridden by the interests or rights of the data subject. This requires a documented three-part balancing test: identify the interest, confirm processing is necessary, balance against the data subject's interests. The test must be recorded.

Special-category data (Article 9), which includes health data, biometric data, genetic data, racial or ethnic origin, religious beliefs, political opinions, trade union membership, and sexual orientation or sex life, requires two separate legal hooks: a lawful basis under Article 6 and a distinct condition under Article 9(2). The most common conditions are explicit consent, employment law obligations, vital interests where the data subject cannot consent, and substantial public interest. Processing special-category data without an Article 9 condition, even if an Article 6 basis exists, is unlawful.

Articles 12 to 22 of the GDPR establish eight rights for data subjects. These rights are not passive entitlements; each one requires that the controller have operational processes, system access, and staff training in place before a request arrives. Auditors test the rights-fulfilment capability, not only the stated policy.

The right of access is the most operationally demanding and the most frequently exercised. An organisation that stores personal data across multiple systems, cloud services, and processors needs a data map accurate enough to run a subject access search efficiently. Data maps that exist only on paper but do not reflect live system architecture are a common audit finding. India's DPDPA 2023 includes an equivalent right of access under Section 11 and a right of erasure under Section 12; California's CPRA grants analogous rights under its 'right to know' and 'right to delete' provisions.

The accountability principle is operationalised through a set of specific documentation and process obligations spread across GDPR. An auditor assessing accountability should work through a checklist of these obligations, requesting evidence of each.

• Record of Processing Activities (Article 30): every controller with 250 or more employees, or whose processing presents risks to individuals' rights, is legally required to maintain a ROPA. In practice, regulators treat any significant commercial processing activity as meeting the risk threshold. The ROPA must be up to date and available on request.
• Privacy notices (Articles 13 and 14): when data is collected from individuals, they must be informed of the controller's identity, the purposes and lawful bases for processing, retention periods, and their rights. When data is not collected directly, the notice must be provided within a reasonable time. Auditors test whether notices are accurate, legible, and delivered at the point of collection.
• Data processing agreements (Article 28): any use of a processor must be governed by a written contract that specifies the subject matter, duration, nature, and purposes of the processing; the type of personal data; the categories of data subjects; and the obligations and rights of the controller. Using a cloud service or SaaS provider to handle personal data without a compliant DPA in place is a violation.
• Data Protection Impact Assessments (Article 35): DPIAs are mandatory before high-risk processing begins. Mandatory categories include systematic profiling producing legal or significant effects, large-scale processing of special-category data, and systematic monitoring of public areas. The DPIA must describe the processing, assess necessity and proportionality, assess risks to individuals, and identify measures to address those risks.
• Data Protection Officer appointment (Articles 37 to 39): organisations that must appoint a DPO must notify the supervisory authority of the appointment and publish the DPO's contact details. The DPO must have expert knowledge of data-protection law and practices and must be given the resources necessary to carry out their tasks.
• Breach notification (Articles 33 and 34): personal data breaches must be reported to the supervisory authority within 72 hours of becoming aware, unless the breach is unlikely to result in risk to individuals. Where the breach is likely to result in high risk, affected individuals must also be notified without undue delay. Controllers must maintain a register of all breaches, including those not notified, with their facts, effects, and remedial actions.

Chapter V of the GDPR restricts transfers of personal data to countries outside the European Economic Area unless one of a set of transfer mechanisms is in place. This is a frequent audit area because most organisations use at least some cloud services or processors located outside the EEA.

• Adequacy decision (Article 45): the European Commission has determined that the destination country provides an adequate level of protection. As of 2024, countries with adequacy decisions include the UK (for transfers from the EU), Japan, Canada (for commercial organisations), Israel, New Zealand, and the US (under the EU-US Data Privacy Framework for certified organisations). Adequacy decisions can be revoked; auditors should confirm the current status of any decision relied on.
• Standard Contractual Clauses (Article 46(2)(c)): the most widely used mechanism. The European Commission has issued sets of SCCs for controller-to-controller and controller-to-processor transfers. The SCCs must be signed without modification. Following the Court of Justice of the EU's Schrems II ruling in 2020, controllers must also complete a transfer impact assessment before relying on SCCs to confirm that the legal framework of the destination country does not undermine the protections the SCCs provide.
• Binding Corporate Rules (Article 47): used for intra-group transfers within multinational organisations. BCRs must be approved by a lead supervisory authority and require significant internal compliance infrastructure. They are appropriate for large multinationals but impractical for most organisations.
• Derogations (Article 49): a limited set of exceptions allows transfers without a transfer mechanism, including explicit consent, necessity for performance of a contract, public interest, and vital interests. Derogations are narrow and should not be used as a routine substitute for a transfer mechanism.

A transfer impact assessment (TIA) is now standard practice when relying on SCCs for transfers to countries without an adequacy decision. The TIA must examine the destination country's surveillance and law-enforcement access laws and assess whether they are compatible with EU data-protection standards. In practice, transfers to the United States, India, China, and many other jurisdictions require a TIA that documents the legal analysis and any supplementary measures adopted.

Article 83 of the GDPR establishes a two-tier system of administrative fines. The tiers differ in ceiling amount and in which violations they cover. Both tiers use a 'whichever is higher' formula between an absolute euro amount and a percentage of global annual turnover, meaning large organisations face proportionally larger maximum fines.

Beyond fines, supervisory authorities have the power to issue warnings and reprimands, impose temporary or permanent bans on processing, order data to be erased or rectified, and suspend international transfers. The Irish Data Protection Commission's actions against Meta, resulting in a 1.2 billion euro fine in May 2023 for unlawful transfers of EU user data to the United States, illustrates the scale of enforcement that cross-border data flows can attract.

The consistency mechanism allows supervisory authorities to cooperate on cross-border cases. When an organisation operates in multiple EU member states, the 'one-stop-shop' principle designates the supervisory authority in the organisation's main EU establishment as the lead authority, with other concerned authorities participating. This means a single enforcement action can cover the organisation's operations across all EU member states. Organisations with UK and EU operations now have two separate lead authorities: the UK ICO and the lead EU authority, because UK GDPR and EU GDPR are now distinct legal instruments post-Brexit.