GDPR Compliance: A New CISO’s Step-by-Step Guide to Avoiding Fines
Just Took Over as CISO? Here’s How to Verify GDPR Compliance Before Regulators or Hackers Come Knocking

Congratulations - you’re the new CISO!
Your first big challenge?
Making sure your company is GDPR compliant. Because here’s the reality:
Fines for GDPR violations are skyrocketing.
Regulators are getting stricter.
Customers expect airtight data protection.
Let’s face it:
GDPR fines have exceeded €4 billion since 2018. The biggest penalties aren’t for breaches but for failing to follow GDPR rules. Non-compliance means fines up to €20M or 4% of global revenue - whichever is higher. If GDPR isn’t a priority, your company is at serious risk.
But don’t panic.
Let’s break down how to verify GDPR compliance as a new CISO - step by step.
1) Find Out If Your Company Even Falls Under GDPR
Not sure if GDPR applies? Assume it does.
Your company must comply if:
You operate in the EU.
You offer products or services to EU citizens - even if you’re not based in Europe.
You process personal data of EU residents.
Examples of personal data under GDPR:
Customer names, emails, phone numbers
Employee records
Payment information
IP addresses and online identifiers
If your company collects any EU personal data, you must comply with GDPR - even if you’re based outside the EU.
2) Check If You Have a Data Protection Officer (DPO)
Some companies are legally required to have a DPO. You need a DPO if:
Your company processes large amounts of personal data.
You monitor individuals on a large scale (e.g., tracking user behavior).
You handle sensitive data (health records, financial info, biometric data).
If you don’t have a DPO and need one, you’re already in violation.
What you need to fix as soon as possible:
Appoint a qualified DPO (internal or external), make sure the role reports directly to leadership, and ensure they oversee GDPR compliance across both legal and security, not legal alone.
The DPO should be your go-to expert on GDPR policies, audits, and regulator interactions.
3) Identify What Personal Data You Collect and Where It’s Stored
Most GDPR violations happen because companies don’t know what data they have.
Subscribe to The Cyber Navigator to keep reading this post and get 7 days of free access to the full post archives.