The General Data Protection Regulation (GDPR) remains the most comprehensive data protection framework in the world, setting the standard for how organisations must handle personal data. Whether you are establishing a compliance programme from scratch or reviewing your existing practices, this guide provides everything you need to understand and implement GDPR requirements.
What is GDPR?
The General Data Protection Regulation (Regulation (EU) 2016/679) is a comprehensive data protection law that governs how organisations collect, process, store, and share personal data of individuals in the European Union and European Economic Area.
GDPR came into effect on 25 May 2018, replacing the 1995 Data Protection Directive. It applies directly across all EU member states without requiring national implementing legislation for its core provisions.
Key Features of GDPR
Extraterritorial scope: GDPR applies to any organisation worldwide that processes personal data of EU residents, regardless of where the organisation is based.
Harmonised rules: Creates a single set of data protection rules across all EU member states, simplifying compliance for organisations operating in multiple countries.
Significant penalties: Maximum fines of EUR 20 million or 4% of global annual turnover (whichever is higher) for the most serious violations.
Enhanced rights: Grants individuals comprehensive rights over their personal data, including access, erasure, and portability.
Accountability principle: Requires organisations to demonstrate compliance, not just achieve it.
Who Must Comply with GDPR?
GDPR applies to two categories of organisations:
Controllers
A controller determines the purposes and means of processing personal data. Controllers bear primary responsibility for GDPR compliance.
Examples:
- An employer processing employee data
- A retailer processing customer data
- A hospital processing patient data
Processors
A processor processes personal data on behalf of a controller, following the controller's instructions.
Examples:
- A payroll provider processing employee data for an employer
- A cloud hosting provider storing data for a client
- A marketing agency sending emails on behalf of a company
Territorial Scope
GDPR applies when:
Establishment in the EU: The organisation has an establishment in the EU, regardless of whether processing takes place in the EU.
Offering goods or services: The organisation offers goods or services to individuals in the EU, even without payment.
Monitoring behaviour: The organisation monitors the behaviour of individuals in the EU (e.g., tracking website visitors for profiling).
The Seven GDPR Principles
Article 5 establishes seven fundamental principles that underpin all GDPR requirements. Every processing activity must comply with these principles.
1. Lawfulness, Fairness, and Transparency
Personal data must be:
Lawful: Processed only with a valid legal basis (see below).
Fair: Processed in ways that individuals would reasonably expect, without adverse effects.
Transparent: Individuals must be informed about how their data is processed.
2. Purpose Limitation
Personal data must be:
- Collected for specified, explicit, and legitimate purposes
- Not further processed in ways incompatible with those purposes
Exception: Further processing for archiving in the public interest, scientific or historical research, or statistical purposes is not considered incompatible.
3. Data Minimisation
Personal data must be:
- Adequate for the specified purpose
- Relevant to the specified purpose
- Limited to what is necessary for the specified purpose
Organisations should not collect data "just in case" it might be useful.
4. Accuracy
Personal data must be:
- Accurate and kept up to date
- Corrected or erased without delay when inaccurate
Organisations should implement processes to verify and update data regularly.
5. Storage Limitation
Personal data must be:
- Kept in identifiable form only as long as necessary for the specified purposes
- Deleted or anonymised when no longer needed
Organisations should establish and document retention periods for all data categories.
6. Integrity and Confidentiality (Security)
Personal data must be processed with:
- Appropriate security measures
- Protection against unauthorised or unlawful processing
- Protection against accidental loss, destruction, or damage
Security must be proportionate to the risks involved.
Related: Learn about NIS2 cybersecurity requirements that complement GDPR security obligations.
7. Accountability
The controller must:
- Be responsible for compliance with all principles
- Be able to demonstrate compliance
This requires documentation, policies, procedures, and ongoing monitoring.
Lawful Bases for Processing
Article 6 establishes six lawful bases for processing personal data. At least one must apply to every processing activity.
Consent
The individual has given clear consent to process their personal data for a specific purpose.
Requirements for valid consent:
- Freely given (genuine choice, no detriment for refusing)
- Specific (separate consent for different purposes)
- Informed (clear explanation of what is being consented to)
- Unambiguous (clear affirmative action)
- Easy to withdraw (as easy as giving consent)
Best for: Marketing communications, cookies, optional features.
Contract
Processing is necessary for a contract with the individual, or to take steps at their request before entering a contract.
Examples:
- Processing delivery address to fulfil an order
- Running credit checks before offering a loan
- Processing employee data to administer employment
Cannot be used for: Processing that is helpful but not strictly necessary for the contract.
Legal Obligation
Processing is necessary to comply with a legal obligation (other than a contractual obligation).
Examples:
- Providing employee data to tax authorities
- Retaining financial records as required by law
- Reporting suspicious transactions under AML regulations
Requires: Identification of the specific legal provision creating the obligation.
Vital Interests
Processing is necessary to protect someone's life.
Examples:
- Sharing medical information in an emergency
- Processing data to protect a child from harm
Limitations: Cannot be used if another lawful basis is available. Primarily for emergency situations.
Public Task
Processing is necessary for a task carried out in the public interest or in the exercise of official authority.
Examples:
- Public authorities exercising their functions
- Private organisations exercising official authority
- Research institutions conducting publicly-funded research
Requires: Basis in EU or member state law.
Legitimate Interests
Processing is necessary for legitimate interests pursued by the controller or a third party, except where overridden by the interests, rights, or freedoms of the data subject.
Requires a three-part test:
- Purpose test: Is there a legitimate interest?
- Necessity test: Is processing necessary for that interest?
- Balancing test: Do the individual's interests override the legitimate interest?
Examples:
- Fraud prevention
- Network and information security
- Direct marketing to existing customers
Cannot be used by: Public authorities in performance of their tasks.
Special Categories of Personal Data
Article 9 provides additional protections for sensitive personal data.
Categories Requiring Special Protection
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data (for identification purposes)
- Health data
- Sex life or sexual orientation
Processing Requirements
Processing special category data requires:
- A lawful basis under Article 6, AND
- A condition under Article 9(2)
Article 9(2) conditions include:
- Explicit consent
- Employment, social security, or social protection law obligations
- Vital interests (where individual cannot consent)
- Legitimate activities by non-profit bodies
- Data made public by the individual
- Legal claims or judicial acts
- Substantial public interest
- Healthcare purposes
- Public health
- Archiving, research, or statistics
Data Subject Rights
GDPR grants individuals comprehensive rights over their personal data.
Right to Be Informed (Articles 13-14)
Individuals must be provided with information about:
When data is collected directly:
- Identity and contact details of controller
- Contact details of DPO (if applicable)
- Purposes and legal basis for processing
- Legitimate interests (if applicable)
- Recipients or categories of recipients
- International transfer details
- Retention period or criteria
- Data subject rights
- Right to withdraw consent
- Right to complain to supervisory authority
- Whether provision is statutory/contractual requirement
- Automated decision-making details
When data is obtained indirectly:
- Same information, plus source of the data
- Must be provided within one month or at first communication
Right of Access (Article 15)
Individuals can:
- Confirm whether their data is being processed
- Access their personal data
- Obtain information about the processing
- Request a copy of their data
Response time: One month (extendable by two months for complex requests).
Format: Commonly used electronic format if requested electronically.
Right to Rectification (Article 16)
Individuals can request:
- Correction of inaccurate personal data
- Completion of incomplete personal data
Response time: One month (extendable by two months).
Right to Erasure (Article 17)
Also known as the "right to be forgotten," individuals can request deletion when:
- Data is no longer necessary for original purpose
- Consent is withdrawn (and no other legal basis exists)
- Individual objects and no overriding legitimate grounds exist
- Data was unlawfully processed
- Erasure is required by law
- Data was collected from a child for online services
Exceptions: Legal claims, legal obligations, public health, archiving/research.
Right to Restriction (Article 18)
Individuals can request that processing be restricted when:
- Accuracy is contested (pending verification)
- Processing is unlawful but individual opposes erasure
- Controller no longer needs data but individual needs it for legal claims
- Individual has objected (pending verification of grounds)
Effect: Data can only be stored, not further processed (with limited exceptions).
Right to Data Portability (Article 20)
Individuals can:
- Receive their data in a structured, commonly used, machine-readable format
- Transmit that data to another controller
- Have data transmitted directly where technically feasible
Applies when: Processing is based on consent or contract AND carried out by automated means.
Right to Object (Article 21)
Individuals can object to processing based on:
Legitimate interests or public task:
- Controller must stop unless compelling legitimate grounds exist
- Individual must be informed of this right at first communication
Direct marketing:
- Absolute right to object
- Processing must stop immediately
- Must be explicitly brought to attention
Rights Related to Automated Decision-Making (Article 22)
Individuals have the right not to be subject to decisions based solely on automated processing (including profiling) that produce legal or similarly significant effects.
Exceptions:
- Necessary for contract
- Authorised by law
- Based on explicit consent
Safeguards required: Right to human intervention, to express views, to contest decision.
GDPR Compliance Checklist
Governance and Accountability
Leadership and Responsibility
- Assign data protection responsibilities at board level
- Appoint Data Protection Officer if required
- Establish data protection governance structure
- Allocate adequate resources for compliance
Policies and Procedures
- Develop comprehensive data protection policy
- Create procedures for handling data subject requests
- Establish data breach response procedures
- Document retention and deletion policies
Training and Awareness
- Conduct regular staff training on data protection
- Provide role-specific training where needed
- Maintain training records
- Foster culture of privacy awareness
Data Inventory and Mapping
Record of Processing Activities
- Document all processing activities (Article 30)
- Identify purposes and legal bases
- Record data categories and data subjects
- Document recipients and transfers
- Specify retention periods
Data Flow Mapping
- Map data flows within organisation
- Identify third-party data sharing
- Document international transfers
- Assess data minimisation compliance
Legal Basis and Consent
Lawful Basis Assessment
- Identify lawful basis for each processing activity
- Document legitimate interest assessments
- Review existing consents for GDPR compliance
- Implement mechanisms to capture valid consent
Consent Management
- Ensure consent is freely given, specific, informed, unambiguous
- Provide easy withdrawal mechanisms
- Keep records of consent
- Review and refresh consent where necessary
Privacy Information
Privacy Notices
- Review and update all privacy notices
- Ensure notices contain all required information
- Make notices clear, concise, and accessible
- Provide notices at appropriate times
Transparency
- Communicate processing activities clearly
- Respond to data subject enquiries
- Maintain accessible privacy information
Data Subject Rights
Request Handling
- Implement procedures for each right
- Train staff on recognising and handling requests
- Establish identity verification processes
- Meet response deadlines (one month)
System Capabilities
- Ensure systems can locate all data about an individual
- Enable data export in portable formats
- Implement erasure capabilities
- Support restriction of processing
Data Security
Technical Measures
- Implement appropriate encryption
- Control access to personal data
- Secure data in transit and at rest
- Implement logging and monitoring
Organisational Measures
- Conduct regular security assessments
- Implement security policies
- Control physical access
- Manage removable media
Incident Response
- Establish breach detection capabilities
- Create breach response procedures
- Implement 72-hour notification process
- Document all breaches (including non-reportable)
Third-Party Management
Processor Selection
- Assess processor compliance capabilities
- Conduct due diligence before engagement
- Document selection criteria and decisions
Contracts
- Include all required Article 28 provisions
- Define subject matter, duration, nature, purpose
- Specify controller instructions
- Address sub-processing requirements
- Include audit rights
Ongoing Oversight
- Monitor processor compliance
- Conduct periodic reviews
- Address non-compliance promptly
International Transfers
Transfer Mechanisms
- Identify all international transfers
- Implement appropriate transfer mechanisms
- Conduct Transfer Impact Assessments
- Document supplementary measures where needed
Adequacy and Safeguards
- Verify adequacy decisions
- Implement Standard Contractual Clauses
- Consider Binding Corporate Rules for intra-group transfers
Risk Assessment
Data Protection Impact Assessments
- Identify processing requiring DPIA
- Conduct DPIAs before high-risk processing
- Document assessment and outcomes
- Consult supervisory authority if needed
Ongoing Risk Management
- Regularly review processing risks
- Update risk assessments after changes
- Implement risk mitigation measures
GDPR Penalties and Enforcement
Administrative Fines
GDPR establishes a two-tier penalty structure:
Lower tier (up to EUR 10 million or 2% of global turnover):
- Violations of controller/processor obligations
- Certification body violations
- Monitoring body violations
Upper tier (up to EUR 20 million or 4% of global turnover):
- Violations of processing principles
- Violations of data subject rights
- Unlawful international transfers
- Non-compliance with supervisory authority orders
Factors Affecting Fine Amounts
Supervisory authorities consider:
- Nature, gravity, and duration of infringement
- Intentional or negligent character
- Actions taken to mitigate damage
- Degree of responsibility (technical and organisational measures)
- Previous infringements
- Cooperation with supervisory authority
- Categories of personal data affected
- How infringement became known
- Adherence to approved codes of conduct or certifications
- Any other aggravating or mitigating factors
Other Enforcement Powers
Supervisory authorities can also:
- Issue warnings and reprimands
- Order compliance with data subject requests
- Order rectification, restriction, or erasure
- Suspend data flows to third countries
- Impose temporary or permanent processing bans
Compensation Claims
Data subjects can claim compensation for:
- Material damage (financial loss)
- Non-material damage (distress, harm to reputation)
Claims can be brought against controllers and processors.
Common Compliance Mistakes
Relying on Consent When Other Bases Apply
Problem: Using consent as default when processing is actually necessary for contract or legitimate interests.
Impact: Creates unnecessary administrative burden and risk of processing becoming unlawful if consent withdrawn.
Solution: Carefully assess appropriate lawful basis for each processing activity.
Inadequate Privacy Notices
Problem: Privacy notices that are incomplete, unclear, or hidden.
Impact: Fails transparency principle; may invalidate consent.
Solution: Review notices against Article 13/14 requirements; use clear, accessible language.
Ignoring Data Minimisation
Problem: Collecting more data than necessary "just in case."
Impact: Violates data minimisation principle; increases risk exposure.
Solution: Critically assess necessity of each data element; implement collection limits.
Weak Processor Oversight
Problem: Failing to conduct due diligence or monitor processors.
Impact: Controller remains liable for processor failures.
Solution: Implement processor selection criteria, contractual requirements, and ongoing monitoring.
Inadequate Breach Response
Problem: No clear procedures for detecting and responding to breaches.
Impact: May miss 72-hour notification deadline; increased regulatory scrutiny.
Solution: Establish clear detection, assessment, and notification procedures.
Learn more: Our incident response service helps organisations prepare for GDPR breach notifications within the 72-hour deadline.
Missing Records of Processing
Problem: No documentation of processing activities.
Impact: Cannot demonstrate compliance; difficult to respond to regulatory enquiries.
Solution: Create and maintain comprehensive Article 30 records.
Conclusion
GDPR compliance is not a one-time project but an ongoing programme that requires continuous attention and adaptation. Organisations that embed data protection into their culture and operations will find compliance becomes easier over time while building trust with customers, employees, and partners.
Key success factors include:
- Leadership commitment to data protection as a business priority
- Clear accountability with defined roles and responsibilities
- Systematic approach to identifying and managing processing activities
- Regular review of compliance measures and their effectiveness
- Staff awareness through training and communication
- Documentation of decisions, assessments, and activities
The investment in GDPR compliance delivers benefits beyond regulatory adherence, including enhanced customer trust, improved data quality, reduced risk exposure, and competitive advantage in privacy-conscious markets.
Related Articles
- Data Protection Officer Guide - Learn about DPO requirements and responsibilities
- NIS2 Compliance Checklist - Cybersecurity requirements that complement GDPR
- GDPR Compliance for Non-EU SaaS - Special considerations for international organisations
Get Expert Help
Need support with GDPR compliance? Vision Compliance helps organisations build and maintain effective data protection programmes.
- Data Protection & GDPR Services - Comprehensive GDPR compliance support
- Contact us - Schedule a free consultation