Note: This article offers a practical assessment and does not constitute legal advice. For specific cases, consult your data protection officer or legal counsel.
“GDPR compliant” is not a fixed product attribute. Whether a digital service can be operated lawfully depends on its purpose, the data involved, the participating organisations, the technical design and day-to-day operation. Data protection must therefore begin with the process, not with a final compliance check.
Three Relevant Frameworks
GDPR and National Data Protection Law
Whenever personal data is processed, the institution needs a defined purpose and legal basis. Transparency, data subject rights, storage limitation, security and documented responsibilities also matter. A data protection impact assessment may be required where processing is likely to result in a high risk.
The EU AI Act Where AI Is Used
The EU AI Act applies in stages, with duties determined by the institution’s role and the system’s risk category. Institutions should document whether and how AI is used, which role they perform and which transparency, competence or oversight duties follow. This assessment does not replace the separate GDPR analysis.
Professional and Sector-Specific Rules
Social services, education, healthcare and public administration may be subject to further statutory, supervisory, professional or records-management requirements. These obligations need to be translated into the target process alongside data protection and information security.
Seven Practical Design Areas
- Purpose and legal basis. Before selecting technology, define why each category of data is needed for the institution’s task.
- Data minimisation and retention. Collect only what is necessary and set clear rules for deletion, archiving and restriction.
- Roles and contracts. Determine whether the parties act as controllers, joint controllers or processors, and review subprocessors.
- Access control. Permissions should reflect actual duties, be reviewed regularly and change when responsibilities change.
- Technical and organisational measures. Encryption, logging, backups, recovery and incident procedures should match the risk.
- Transparency and data subject rights. Information, access, rectification, erasure and objection need to work in the real service.
- Review and evidence. Records of processing, risk decisions, approvals and changes should remain current and accessible.
What Institutions Need from a Digitalisation Partner
- a clear description of data flows, processing locations and system boundaries,
- an appropriate contract with transparent subprocessors,
- documented technical and organisational measures,
- role, retention, deletion and access-control concepts,
- arrangements for security incidents, maintenance and contract termination,
- for AI features, information about models, data use, human oversight and applicable duties.
“Data protection becomes robust when the professional process, legal basis, technology and operating model describe the same processing activity.”
Cloud, On-Premises or a Hybrid Model?
No operating model is compliant by default. Relevant considerations include the categories of data, provider roles, processing locations, international transfers, security measures and contractual controls. On-premises operation may offer greater control, but it also creates responsibilities for security, updates and availability. The choice should follow a documented needs and risk assessment.
Conclusion
GDPR-compliant institutional digitalisation does not come from a single certificate. It requires a clear purpose, minimal data, defined responsibilities, proportionate security and auditable operations. Addressing these points early allows digital services to evolve without treating data protection as a late addition.
Plan Data Protection from the Start
We structure data flows and technical options for review by your data protection and legal teams.
