Technical Whitepaper 04-B

GDPR is not 99 articles. It is 7 engineering problems.

A practical framework for prioritising GDPR compliance — based on what the regulation actually requires from your systems.

12 min read · 2026-02-18

Most compliance teams work through the GDPR article by article. Article 5, then 6, then 7. They build controls in that order. They track progress in that order.

This is a mistake.

The GDPR has 99 articles, but many of them require the same systems, the same controls, and the same evidence. Article 13 and Article 14 both need a privacy notice delivery system. Article 15 and Article 20 both need a data export pipeline. Building them separately doubles the work.

When you group requirements by what they actually demand from your infrastructure, the GDPR collapses into seven implementation themes. Here is how to think about them.

The seven themes

Group requirements by what they demand.

01

Controller Governance & Accountability

Spans 15 articles

This is the foundation. Before you build anything else, you need the governance infrastructure: Records of Processing Activities (Article 30), a DPO mandate, DPIA processes, and documented organisational measures.

Without this, every other compliance effort has no structure to sit on.

Spans: Arts. 10, 11, 24–28, 30–32, 35–39
Key articles: Arts. 24 (responsibility of the controller), 25 (data protection by design), 30 (records of processing), 35 (data protection impact assessment)

02

Access Control & Security Measures

Spans 11 articles

Article 32 gets the most attention here — "appropriate technical and organisational measures." But this theme also pulls in encryption and pseudonymisation requirements from Article 34, processor security obligations from Article 28, and access restrictions for special category data under Article 9.

If your security controls are designed only around Article 32, you are missing obligations scattered across ten other articles.

Spans: Arts. 5, 9, 10, 18, 22, 23, 28, 29, 32, 34, 47
Key articles: Arts. 32 (security of processing), 28 (processor obligations), 9 (special categories), 34 (breach communication to data subject)

03

Breach & Change Notification Pipeline

Spans 8 articles

The 72-hour breach notification rule (Article 33) is well known. What is less obvious: this theme also covers purpose-change notifications (Articles 13 and 14), erasure propagation to third parties (Articles 17 and 19), and restriction-of-processing updates (Article 18).

These are all notification obligations. They share the same infrastructure: event detection, assessment logic, multi-party routing, and deadline tracking.

Spans: Arts. 6, 13, 14, 17, 18, 19, 33, 34
Key articles: Arts. 33 (notification to supervisory authority), 34 (communication to data subject), 19 (notification regarding rectification or erasure)

04

International Transfer Governance

Spans 9 articles

If you transfer personal data outside the EU — and if your servers are outside Europe, you do — you need a transfer register, documented safeguards (SCCs, BCRs, or adequacy reliance), and ongoing monitoring of adequacy decisions.

This theme also pulls in disclosure obligations from Articles 14 and 15: you must tell data subjects where their data goes and what safeguards apply.

Spans: Arts. 14, 15, 20, 44–49
Key articles: Arts. 44 (general principle for transfers), 45 (adequacy decisions), 46 (appropriate safeguards), 49 (derogations)

05

Data Subject Rights Operations

Spans 9 articles

Access, rectification, erasure, portability, restriction, objection, and human review of automated decisions. Each right has its own article, but they all need the same operational capability: intake, identity verification, fulfilment workflow, deadline tracking, third-party coordination, and audit logging.

Build this as one system. Not seven.

Spans: Arts. 11, 12, 15, 16, 20–22, 26, 28
Key articles: Arts. 15 (access), 16 (rectification), 17 (erasure), 20 (portability), 21 (objection), 22 (automated decision-making)
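
Themes 03 and 05 both list the same operational capability (intake, assessment, multi-party routing, deadline tracking, audit logging), and that shared shape is easier to see in code than in prose. The block below is an added example written for this page, not code from the whitepaper or from RuleMesh: one obligation record type serves both a breach notification and an erasure request, with a deadline clock, a routing template that the assessment step can narrow, and an append-only audit trail. The deadline values, the routing table, the party names and the sample records are assumptions of this example; the 30-day figure is a simplification of the "one month" in Article 12(3).

```python
"""Obligation tracker shared by breach notifications (theme 03) and data
subject requests (theme 05): one intake record, one deadline clock, one
routing step, one append-only audit trail.  Added illustration, not the
page's or RuleMesh's code; the deadline values, routing table, party names
and sample records below are assumptions made for this example."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum


class Kind(Enum):
    BREACH = "breach"            # Arts. 33/34
    ACCESS = "access"            # Art. 15
    ERASURE = "erasure"          # Art. 17, propagated under Art. 19
    RESTRICTION = "restriction"  # Art. 18, propagated under Art. 19


# Deadline clock.  Art. 33: 72 hours from becoming aware, for the supervisory
# authority.  Art. 12(3): one month for data subject requests; 30 days is
# this example's simplification of "one month".
DEADLINES = {
    Kind.BREACH: timedelta(hours=72),
    Kind.ACCESS: timedelta(days=30),
    Kind.ERASURE: timedelta(days=30),
    Kind.RESTRICTION: timedelta(days=30),
}

# Multi-party routing template.  "?high_risk" marks a party that the
# assessment step drops when the breach is not high risk (Art. 34).
# "downstream_recipients" expands to the record's own recipient list.
ROUTING = {
    Kind.BREACH: ["supervisory_authority", "data_subject?high_risk"],
    Kind.ACCESS: ["data_subject"],
    Kind.ERASURE: ["data_subject", "downstream_recipients"],
    Kind.RESTRICTION: ["data_subject", "downstream_recipients"],
}

# Constructed "became aware" / "request received" timestamp for the samples.
T0 = datetime(2026, 2, 18, 9, 0, tzinfo=timezone.utc)


def at(hours: float) -> datetime:
    """Clock helper: T0 plus a number of hours."""
    return T0 + timedelta(hours=hours)


@dataclass
class Obligation:
    ref: str
    kind: Kind
    opened_at: datetime
    high_risk: bool = True                                  # outcome of the assessment step
    recipients: list[str] = field(default_factory=list)     # third parties holding the data
    audit: list[tuple[datetime, str]] = field(default_factory=list)
    done: set[str] = field(default_factory=set)

    @property
    def deadline(self) -> datetime:
        return self.opened_at + DEADLINES[self.kind]

    def parties(self) -> list[str]:
        """Expand the routing template into the concrete parties for this record."""
        out: list[str] = []
        for entry in ROUTING[self.kind]:
            name, _, cond = entry.partition("?")
            if cond == "high_risk" and not self.high_risk:
                continue
            if name == "downstream_recipients":
                out.extend(self.recipients)
            else:
                out.append(name)
        return out

    def record(self, party: str, when: datetime, note: str) -> None:
        """Append-only audit entry; also marks the party as handled."""
        self.audit.append((when, f"{party}: {note}"))
        self.done.add(party)

    def outstanding(self) -> list[str]:
        return [p for p in self.parties() if p not in self.done]

    def status(self, now: datetime) -> str:
        if not self.outstanding():
            return "closed"
        return "overdue" if now > self.deadline else "open"


def overdue(obligations: list[Obligation], now: datetime) -> list[str]:
    """Dashboard query: refs of every obligation past its deadline with work left."""
    return sorted(o.ref for o in obligations if o.status(now) == "overdue")


def demo() -> tuple[Obligation, Obligation]:
    """Two constructed records: a high-risk breach and an erasure request."""
    breach = Obligation("BR-2026-001", Kind.BREACH, T0)
    breach.record("supervisory_authority", at(20), "Art. 33 notification filed")
    erasure = Obligation("DSR-2026-017", Kind.ERASURE, T0,
                         recipients=["crm-vendor", "analytics-vendor"])
    erasure.record("data_subject", at(48), "erasure confirmed to requester")
    return breach, erasure


if __name__ == "__main__":
    for ob in demo():
        print(ob.ref, ob.status(at(80)), "outstanding:", ob.outstanding())
```

The point of the single record type is the one the whitepaper makes: a breach and an erasure request differ in their deadline and their recipients, not in the machinery that tracks them, so `overdue()` is the same dashboard query for both, and the audit list is the evidence that each party was handled before the clock ran out.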

06

Lawful Basis & Consent Engineering

Spans 7 articles

Every processing activity needs a lawful basis (Article 6). If that basis is consent, the GDPR demands it be freely given, specific, informed, and unambiguous (Article 7) — with extra rules for children (Article 8) and special categories (Article 9).

This is not a checkbox. It is a system: consent capture, granular purpose tracking, withdrawal mechanisms, and proof of consent at any point in time.

Spans: Arts. 6–9, 12, 13, 22
Key articles: Arts. 6 (lawfulness of processing), 7 (conditions for consent), 8 (child’s consent), 9 (special categories)
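
The four capabilities listed for this theme (consent capture, granular purpose tracking, withdrawal, proof at any point in time) fall out naturally from one design decision: store consent as an append-only event log and derive state by replay. The block below is an added example written for this page, not code from the whitepaper or from RuleMesh. The purposes, notice versions, evidence strings and timestamps are constructed; the one regulatory fact it encodes is Article 7(3), that withdrawing consent must be as easy as giving it, which is why a single call withdraws every purpose currently granted.

```python
"""Append-only consent ledger: one event per granular purpose, withdrawal as
another event, and a point-in-time answer to "did we hold valid consent for
purpose P at instant T, and what is the evidence?".  Added illustration,
not the page's or RuleMesh's code; purposes, notice versions, evidence
strings and timestamps below are constructed for this example."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: str            # one granular purpose, e.g. "marketing_email"
    granted: bool           # True = consent given, False = withdrawn
    at: datetime            # timezone-aware instant the event occurred
    notice_version: str     # privacy notice text the subject was shown
    evidence: str           # how it was captured: form id, ticket, call ref


class ConsentLedger:
    """Events are only appended, never edited; state is derived by replay,
    so the ledger itself is the proof of consent for any past instant."""

    def __init__(self) -> None:
        self._events: list[ConsentEvent] = []

    def append(self, ev: ConsentEvent) -> None:
        if ev.at.tzinfo is None:
            raise ValueError("consent timestamps must be timezone-aware")
        self._events.append(ev)

    def _history(self, subject_id: str, purpose: str, at: datetime) -> list[ConsentEvent]:
        """Events for one subject/purpose at or before `at`, in effective order
        (timestamp first, insertion order for ties)."""
        hits = [(e.at, i, e) for i, e in enumerate(self._events)
                if e.subject_id == subject_id and e.purpose == purpose and e.at <= at]
        return [e for _, _, e in sorted(hits, key=lambda h: (h[0], h[1]))]

    def valid(self, subject_id: str, purpose: str, at: datetime) -> bool:
        """Consent is valid iff the latest event at or before `at` is a grant.
        A purpose never asked about yields False: silence is not consent."""
        hist = self._history(subject_id, purpose, at)
        return bool(hist) and hist[-1].granted

    def proof(self, subject_id: str, purpose: str, at: datetime) -> ConsentEvent | None:
        """The grant event that made processing lawful at `at`, or None."""
        hist = self._history(subject_id, purpose, at)
        return hist[-1] if hist and hist[-1].granted else None

    def purposes_allowed(self, subject_id: str, at: datetime) -> set[str]:
        seen = {e.purpose for e in self._events if e.subject_id == subject_id}
        return {p for p in seen if self.valid(subject_id, p, at)}

    def withdraw_all(self, subject_id: str, at: datetime, evidence: str) -> int:
        """Art. 7(3): withdrawal must be as easy as giving consent, so one call
        withdraws every purpose currently granted.  Returns how many."""
        purposes = sorted(self.purposes_allowed(subject_id, at))
        for p in purposes:
            self.append(ConsentEvent(subject_id, p, False, at, "-", evidence))
        return len(purposes)


# Constructed timeline for the sample subject.
T_SIGNUP = datetime(2026, 1, 10, 12, 0, tzinfo=timezone.utc)
T_WITHDRAW = datetime(2026, 2, 1, 8, 30, tzinfo=timezone.utc)
T_CLOSE = datetime(2026, 3, 15, 17, 0, tzinfo=timezone.utc)


def demo_ledger() -> ConsentLedger:
    """Sample: two purposes granted at signup, one withdrawn later."""
    led = ConsentLedger()
    led.append(ConsentEvent("u-1001", "marketing_email", True, T_SIGNUP, "v3", "signup-form-2026"))
    led.append(ConsentEvent("u-1001", "analytics", True, T_SIGNUP, "v3", "signup-form-2026"))
    led.append(ConsentEvent("u-1001", "marketing_email", False, T_WITHDRAW, "-", "prefs-page"))
    return led


if __name__ == "__main__":
    led = demo_ledger()
    for t in (T_SIGNUP, T_WITHDRAW):
        print(t.isoformat(), sorted(led.purposes_allowed("u-1001", t)))
```

Because withdrawal is just another event, a later withdrawal never erases the evidence that processing between the grant and the withdrawal was lawful: `proof()` at a past instant still returns the original grant with its notice version and capture evidence, which is the "proof of consent at any point in time" the theme asks for.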

07

Codes, Certifications & BCR Compliance

Spans 4 articles

If your organisation adheres to approved codes of conduct, certifications, or Binding Corporate Rules, the GDPR requires you to prove ongoing compliance — not just initial adherence. This includes monitoring body functions, staff training verification, and BCR change management.

For most startups this is a later-stage concern. But if you are pursuing certification or operating under BCRs, treat it as a distinct workstream.

Spans: Arts. 24, 40, 41, 47
Key articles: Arts. 40 (codes of conduct), 41 (monitoring of approved codes), 42 (certification), 47 (binding corporate rules)

Why this matters

All 7 themes are cross-article. The smallest spans 4 articles. The largest spans 15.

If you read the GDPR linearly, you will build redundant systems. If you implement by theme, you build each capability once and map it to every article it satisfies.

70% of the IT requirements in the GDPR are classified as high risk. The regulation does not ask you to write policies — it demands systems that enforce, log, and prove compliance. Structuring the work by theme is how you make that manageable.

Risk classification of the 192 IT requirements:
High risk: 70% (134 of 192 IT requirements)
Moderate risk: 29% (56 of 192 IT requirements)
Low risk: 1% (2 of 192 IT requirements)

Sources

GDPR full text: Regulation (EU) 2016/679 (CELEX 32016R0679)
Articles 5–49: Data principles, rights, controller obligations, transfers
Article 30: Records of processing activities
Article 32: Security of processing
Articles 33–34: Breach notification
Articles 44–49: International transfers (Chapter V)
Articles 6–9: Lawfulness, consent, special categories
Articles 40–42, 47: Codes of conduct, certification, BCRs

RuleMesh data references

graphs/it_requirement_bundles: 7 bundles: Controller Governance (32 members, 15 arts), Access Control (19, 11), Breach Notification (16, 8), International Transfers (16, 9), Data Subject Rights (15, 9), Lawful Basis & Consent (11, 7), Codes & Certifications (9, 4).
graphs/harmonized/32016R0679: 192 IT requirements with risk classification — 134 High (70%), 56 Moderate (29%), 2 Low (1%).
graphs/controls: 281 security controls mapped across NIST_CSF (185), Cloud_Security (86), OWASP_TOP_10 (10) — all 7 bundles mapped to all 3 frameworks.
Bundle cross-article analysis: All 7 bundles are cross-article; range 4–15 articles per bundle.

This content is regulatory guidance, not legal advice. Always consult qualified legal counsel for your specific situation.
