Question 1

What is a DPIA and when is it required?

Accepted Answer

A Data Protection Impact Assessment is a structured process to identify and minimise privacy risks before starting a high-risk processing activity. GDPR requires a DPIA when processing is likely to result in a high risk to individuals, for example, large-scale profiling, systematic monitoring, or processing special categories of data. KaitoSec provides a guided DPIA template aligned with EDPB guidelines.

Question 2

What is the difference between a data controller and a data processor under GDPR?

Accepted Answer

A controller determines the purposes and means of processing personal data. A processor handles data on behalf of a controller. Both have distinct obligations under GDPR, and the relationship must be formalised in a Data Processing Agreement. KaitoSec's vendor module tracks all processor relationships and DPA status.

Question 3

How do we handle a data breach under GDPR?

Accepted Answer

GDPR requires you to notify your supervisory authority within 72 hours of becoming aware of a personal data breach, and to notify affected individuals without undue delay if the breach is high risk. KaitoSec's incident module provides breach assessment workflows, severity scoring, and pre-filled notification templates to meet both deadlines.

Question 4

Do we need a Data Protection Officer?

Accepted Answer

A DPO is mandatory for public authorities, organisations that systematically monitor individuals at large scale, or organisations processing special category data at large scale. Even if not mandatory, a DPO or privacy lead is strongly recommended. KaitoSec supports DPO workflows including DPIA consultation, training records, and authority liaison.

Question 5

How does GDPR interact with NIS2 for security requirements?

Accepted Answer

Both regulations require appropriate technical and organisational security measures to protect personal data and IT systems respectively. GDPR focuses on personal data protection, while NIS2 covers broader network and information security. KaitoSec maintains a shared control library so overlapping requirements are implemented once and evidenced across both frameworks.

GDPR as a managed Datenschutzmanagementsystem, not a checklist

Automated Data Subject Rights

DPIA Workflow Engine

Record of Processing Activities

GDPR on one model with ISO 27001 and NIS2

Processing Register & RoPA

Vendor Data Processing Agreements

Consent & Cookie Management

FAQ

Product

Frameworks

Solutions

Services

Resources

Company

Legal