The regulatory landscape of 2026
GDPR has been in force for seven years, yet fines keep breaking records. In 2025, European data protection authorities imposed a record high in penalties. Spain, with the AEPD as supervisory authority, ranked fourth among the countries with the most enforcement resolutions.
In 2026 the landscape gets more demanding: the NIS2 Directive brings thousands of additional companies into scope and requires them to document their technical security measures, and the AI Act adds transparency obligations for automated decision-making systems.
Key technical obligations
Privacy by Design
Systems must be designed for privacy from the outset (Art. 25): data minimisation, pseudonymisation, and encryption as the default configuration, not controls bolted on after the system is live.
Security of Processing
Technical and organisational measures appropriate to the risk (Art. 32). The article names pseudonymisation, encryption, the ability to restore availability after an incident, and regular testing of the controls; it prescribes no algorithm. In practice this means encryption at rest and in transit (AES-256 is the usual choice, but the choice must be justified in the risk assessment), pseudonymised identifiers, encrypted and regularly tested backups, and a business continuity plan.
Breach Notification
Notify the supervisory authority within 72 hours of becoming aware of a breach (Art. 33), unless the breach is unlikely to result in a risk to data subjects; a later notification must state the reasons for the delay. Where the risk to individuals is high, they must also be informed directly and without undue delay (Art. 34).
DPIA
A Data Protection Impact Assessment is mandatory where processing is likely to result in a high risk (Art. 35): systematic profiling, large-scale processing of biometric or health data, or systematic monitoring of public areas.
Pseudonymisation is named explicitly in Art. 25(1) (data protection by design) and Art. 32(1)(a) (security of processing) as a risk-reducing measure. Art. 4(5) defines it: the data can no longer be attributed to a person without additional information that is kept separately and protected. Two consequences follow for engineers: pseudonymised data is still personal data, and the key (or lookup table) that links tokens back to people is the asset that must be isolated and protected.
# HMAC-SHA256 pseudonymisation (GDPR Art. 25 / Art. 32; definition in Art. 4(5))
import hashlib
import hmac
import os

# The key is the "additional information" of Art. 4(5): keep it in a secret
# store or KMS, never in the same database, backup or repository as the tokens.
SECRET_KEY = os.environ["GDPR_HMAC_KEY"].encode()
if len(SECRET_KEY) < 32:
    raise ValueError("GDPR_HMAC_KEY must be at least 32 bytes of random data")

def pseudonymise(personal_data: str) -> str:
    """Keyed one-way token for an identifier. Same input gives the same token,
    so records can still be joined; without the key a token cannot be traced back."""
    return hmac.new(SECRET_KEY, personal_data.encode(), hashlib.sha256).hexdigest()

def verify(personal_data: str, token: str) -> bool:
    """Constant-time check that a known identifier maps to a stored token."""
    return hmac.compare_digest(pseudonymise(personal_data), token)

# Usage: store only the token with the record, never the raw identifier
user_token = pseudonymise("john.doe@company.com")
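Two things the snippet above relies on are worth seeing fail. An unkeyed hash is not pseudonymisation: e-mail addresses have little entropy, so anyone with a candidate list recovers the identity by recomputing hashes. And the HMAC key really is the Art. 4(5) "additional information": whoever holds it can run the same enumeration, which is why it must live apart from the data. The following is an added example written for this page (not code from the page or from Primitive Labs); the e-mail directory and the keys are constructed inline.

```python
# Added example: unkeyed hashing vs keyed pseudonymisation under a dictionary attack.
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Iterable, Optional

# Constructed sample: a directory an attacker can plausibly enumerate
# (address books, leaked lists, or simply first.last@domain guesses).
KNOWN_EMAILS = [
    "john.doe@company.com",
    "jane.roe@company.com",
    "sam.poe@company.com",
]


def sha256_pseudonymise(value: str) -> str:
    """Unkeyed hash: deterministic, and anyone can recompute it from a guess."""
    return hashlib.sha256(value.encode()).hexdigest()


def hmac_pseudonymise(key: bytes, value: str) -> str:
    """Keyed hash: recomputing a token requires the secret held apart from the data."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def dictionary_attack(token: str, candidates: Iterable[str],
                      pseudonymise: Callable[[str], str]) -> Optional[str]:
    """Re-identification by enumeration: tokenise every candidate, compare to the token."""
    for candidate in candidates:
        if hmac.compare_digest(pseudonymise(candidate), token):
            return candidate
    return None


def demo() -> Dict[str, Optional[str]]:
    """Run the attack against both schemes with and without the real key."""
    real_key = secrets.token_bytes(32)      # in production: from a KMS, never beside the data
    attacker_key = secrets.token_bytes(32)  # the attacker's best effort without the real key
    victim = "john.doe@company.com"

    # 1. Unkeyed SHA-256: the token alone leaks the identity to a candidate list.
    unkeyed_token = sha256_pseudonymise(victim)
    recovered_unkeyed = dictionary_attack(unkeyed_token, KNOWN_EMAILS, sha256_pseudonymise)

    # 2. HMAC, attacker holds only the data store: enumeration yields nothing.
    keyed_token = hmac_pseudonymise(real_key, victim)
    recovered_without_key = dictionary_attack(
        keyed_token, KNOWN_EMAILS, lambda v: hmac_pseudonymise(attacker_key, v))

    # 3. HMAC, attacker holds data store and key vault: pseudonymised data is
    #    personal data again (Art. 4(5)), which is why the two must be separated.
    recovered_with_key = dictionary_attack(
        keyed_token, KNOWN_EMAILS, lambda v: hmac_pseudonymise(real_key, v))

    return {
        "recovered_unkeyed": recovered_unkeyed,
        "recovered_without_key": recovered_without_key,
        "recovered_with_key": recovered_with_key,
    }


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(f"{scenario}: {result}")
```

One design consequence to plan for before relying on this scheme: tokens are derived one-way, so rotating the key means re-deriving every token from the raw identifiers, which the data store by design no longer holds. Versioned keys and a transition window in which records carry tokens under both keys are the usual answer.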
"GDPR compliance is not paperwork. It is architecture. Every system that processes personal data must be engineered with privacy at its core."
Zenith — Primitive Labs
Compliance roadmap
- 01 Data mapping — Document every personal data flow: purpose, legal basis, retention period, and third-party transfers.
- 02 Technical controls — Encryption at rest and in transit. Pseudonymisation of identifiers, with the key held separately from the data. Access control on the principle of least privilege.
- 03 Breach response — Documented incident response plan with the 72-hour notification procedure for the supervisory authority and a decision path for informing affected individuals.
- 04 DPO or responsible person — Appoint a Data Protection Officer where mandatory (Art. 37). Internal training for all staff who process personal data.
- 05 Third-party oversight — Review the data processing agreements (Art. 28) with every supplier that processes personal data on your behalf. Annual compliance review.