What is GDPR compliance: A comprehensive guide

GDPR, or the General Data Protection Regulation, sets the bar for privacy and data protection worldwide. Complying with GDPR means ensuring that personal data is processed lawfully, transparently, and securely.

GDPR came into effect in 2018, significantly changing how organizations manage personal data. GDPR empowers individuals (particularly EU citizens) to control their data. GDPR compliance is vital for organizations that process personal data, as it safeguards the data, ensures transparency in data handling, and adheres to recognized global data protection norms.

Key takeaways

  • GDPR significantly enhances personal data protection, requiring organizations to handle data lawfully, transparently, and with consent from individuals, impacting both EU and non-EU businesses.
  • GDPR compliance involves adhering to key principles such as data minimization, integrity, and confidentiality while granting individuals rights like access, rectification, and erasure of their data.
  • Organizations must develop action plans for GDPR compliance, appoint a Data Protection Officer and/or EU Representative if necessary, manage third-party risks effectively, and be prepared to notify authorities and affected individuals of data breaches, or possibly face severe penalties for noncompliance.

Key components of GDPR

Understanding the key components of GDPR is central to achieving compliance. These key components include:

  • Data protection principles
  • Data subject rights
  • Data processing requirements

Under GDPR, it’s important to limit data collection to what is necessary for the purposes for which it is processed. Organizations that gather personal data must ensure its accuracy and timely updates to maintain data integrity and dependability.

Moreover, GDPR grants individuals the right to control their personal data, including the right of access, the right to rectification, and the right to erasure. The roles of Data Controller and Data Processor are also crucial components of GDPR. The Data Controller determines the purposes and means of processing personal data, while the Data Processor processes personal data on behalf of the Data Controller.

Data protection principles

GDPR outlines seven principles that govern data protection:

  1. Lawfulness, fairness, and transparency
  2. Purpose limitation
  3. Data minimization
  4. Accuracy
  5. Storage limitation
  6. Integrity and confidentiality
  7. Accountability

These principles apply to all types of personal data and play a crucial role in ensuring data privacy and GDPR compliance. They are designed to safeguard personal data, protect the rights of individuals, and ensure that personal data is handled responsibly.

The concept of data protection by design and by default is integral to these principles. It involves integrating data protection into processing activities and business practices right from the design stage and throughout the entire data processing lifecycle. The objective is to ensure that organizations selectively gather, handle, and retain solely the essential personal data required to deliver an agreed-upon service and impose safeguards when necessary, such as obtaining consent prior to disclosing personal data to a third party.

In addition, organizations are required to implement suitable technical and organizational measures to guarantee a level of security commensurate with the associated risks. These measures should safeguard personal data from:

  • Unauthorized or unlawful processing
  • Accidental loss
  • Destruction
  • Damage

Data subject rights

Under GDPR, data subjects are endowed with eight specific rights:

  1. The right to be informed
  2. The right of access
  3. The right of rectification
  4. The right to erasure
  5. The right to restrict processing
  6. The right to data portability
  7. The right to object
  8. Rights related to automated decision-making and profiling

These rights empower individuals, giving them control over their personal data.

A formal request made by an individual to a company seeking the information that the company holds about them is known as a Data Subject Access Request (DSAR). Under GDPR, organizations are obligated to respond to these requests within one month. Managing DSARs entails overseeing the complete request workflow, from initial intake to fulfillment, and ensuring adherence to the data subject rights set out in GDPR.

Data processing requirements

Under GDPR, organizations must fulfill strict personal data processing requirements. To process personal data, it is necessary to obtain explicit consent from the data subject, which should be:

  • Freely given
  • Specific
  • Informed
  • Unambiguous

This consent indicates the data subject’s agreement to the processing of their personal data. 

Additionally, organizations are required to document processing activities in their records of processing activities and conduct a Data Protection Impact Assessment (DPIA) to evaluate the risk to individuals.

GDPR countries

GDPR applies to the processing of EU residents’ personal data by any organization (including U.S. and Canadian organizations), regardless of where data processing occurs.

European Union (EU) member states covered by GDPR

The General Data Protection Regulation (GDPR) is a data protection and privacy regulation that applies to the European Union (EU). The EU countries covered by GDPR include:

  • Austria
  • Belgium
  • Bulgaria
  • Croatia
  • Cyprus
  • Czech Republic
  • Denmark
  • Estonia
  • Finland
  • France
  • Germany
  • Greece
  • Hungary
  • Ireland
  • Italy
  • Latvia
  • Lithuania
  • Luxembourg
  • Malta
  • Netherlands
  • Poland
  • Portugal
  • Romania
  • Slovakia
  • Slovenia
  • Spain
  • Sweden

EEA countries also covered by GDPR

GDPR applies to the European Economic Area (EEA), which includes all EU countries listed above plus:

  • Iceland
  • Liechtenstein
  • Norway

Assessing your organization’s GDPR compliance

To determine if your organization is subject to GDPR, you need to analyze its material and territorial scope. The material scope of GDPR encompasses the regulation of an organization’s processing activity. This involves ascertaining whether the controller or processor has an establishment in the EU/EEA and if the processing of data is conducted wholly or partly by automated means.

The territorial scope of GDPR is determined based on the following criteria:

  • Presence of an establishment in the EU
  • Offering goods or services to data subjects in the EU, irrespective of whether payment is required
  • Monitoring the behavior of data subjects in the EU

Determining Data Controller/Data Processor applicability

After determining if your organization is subject to GDPR, you will then need to validate if the nature of your data processing activities related to personal data designates the organization as a Data Processor, Data Controller, or both. Organizations who are unsure of this designation should consult internal or third-party legal counsel to validate applicability.

Maintaining a data and asset inventory

The GDPR applies to all systems that store or transfer the personal data of data subjects, including (but not limited to) Cloud Service Providers (CSPs) (e.g., AWS, GCP, Azure), productivity suites (e.g., Microsoft Office 365, Google Workspace), and HRIS tools (e.g., Rippling, Gusto). Your organization should maintain an accurate data and asset inventory that defines every location where personal data resides or is transferred, including any personal data maintained for employees of the organization who reside in the EU.

Appointing a Data Protection Officer (DPO)

The Data Protection Officer (DPO) plays a crucial role in GDPR compliance. They help an organization by:

  • Monitoring internal compliance
  • Offering guidance and advice on data protection obligations
  • Providing recommendations on Data Protection Impact Assessments (DPIAs)
  • Serving as a point of contact for data subjects and data protection authorities

According to Article 37 of the GDPR, a DPO must be appointed in the following cases:

  • Public authorities or bodies: This includes entities at the national, regional, or local level, such as government departments, agencies, or public organizations.
  • Organizations engaged in large-scale systematic monitoring of individuals: This involves activities where data processing is performed on a large scale, particularly when the processing includes tracking behavior online or offline.
  • Organizations engaged in large-scale processing of special categories of data or data relating to criminal convictions and offenses: Special categories of data (previously known as sensitive data) include information related to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, or data concerning a person’s sex life or sexual orientation.
  • Other cases where required by member state law: Member states may introduce additional requirements for the appointment of a DPO based on their specific laws and regulations.

The selection of a DPO usually involves evaluating their professional attributes, experience, and specialized expertise. Organizations may engage an external DPO or designate an internal candidate with a strong understanding of enterprise operations.

Managing third-party data under GDPR

Effective vendor risk management and compliance with cross-border data transfer regulations are required to manage third-party data under GDPR. GDPR mandates the evaluation of third-party data protection measures, the reduction of information security vulnerabilities, and the establishment of suitable contracts with third-party entities.

Organizations must establish procedures for incident reporting and breach management to adhere to the 72-hour notification deadline to authorities and to inform affected data subjects in cases where there is a significant risk to their rights and freedoms.

Vendor risk management

Vendor risk management under GDPR encompasses the evaluation and reduction of risks linked to third-party vendors to guarantee their adherence to GDPR. Organizations should undertake a thorough assessment of the risks posed by each vendor and verify the presence of sufficient controls to mitigate those risks. Additionally, auditing their data handling practices is essential to confirm compliance.

Effective methods in vendor risk management for GDPR compliance involve identifying and mitigating information security threats, as well as preventing data breaches through the implementation of a robust vendor risk management strategy.

Cross-border data transfers

Cross-border data transfer is another aspect of managing third-party data under GDPR. Organizations are required to thoroughly examine and confirm the presence of suitable mechanisms for cross-border data transfer. 

The GDPR mandates an equivalent level of protection for personal data being transferred outside of the European Economic Area (EEA). An adequacy decision denotes the European Commission’s determination that a third country or international organization provides a sufficient level of data protection. Some suitable mechanisms for cross-border data transfer include:

  • Standard Contractual Clauses (SCCs)
  • Binding Corporate Rules (BCRs)
  • Codes of Conduct and Certification Mechanisms
  • Derogations for specific situations

By implementing these mechanisms, organizations can ensure that they are compliant with GDPR regulations regarding cross-border data transfer.

Standard Contractual Clauses (SCCs) impose obligations on the data exporter and the data importer, and grant rights to the data subjects. They are widely utilized as a safeguard for cross-border data transfer under GDPR.

Handling data breaches and noncompliance penalties

Organizations are required to promptly report data breaches to the appropriate supervisory authority within 72 hours, as stipulated by GDPR. 

Furthermore, in cases where a data breach is expected to present a significant risk to the rights and freedoms of individuals, organizations must also inform the affected data subjects. Failure to comply with these requirements can lead to substantial fines and penalties.

Breach notification requirements

In the event of a data breach, organizations are required to:

  • Notify the appropriate supervisory authority within a timeframe of 72 hours in accordance with GDPR regulations
  • Include specifics concerning the personal data breach, its impact, and the corrective measures implemented
  • Provide a delineation of the breach’s nature
  • Include the identification and contact information of the data protection officer or an alternative contact point
  • Outline the strategies for informing affected data subjects, law enforcement, and supervisory authorities

Failure to adhere to these requirements can result in substantial fines and penalties.

Fines and penalties

Noncompliance with GDPR can result in significant fines and penalties. Fines under GDPR are determined based on factors such as the severity of the infringement and the number of affected data subjects. The fines are intended to be effective, proportionate, and dissuasive.

Achieving and maintaining GDPR compliance

To achieve GDPR compliance, organizations should follow these steps:

  • Understand the regulation and its requirements, including the 7 GDPR principles.
  • Identify the personal data they collect and process.
  • Implement appropriate security measures to protect this data.

Finally, organizations should train their staff on GDPR compliance, ensuring that everyone involved in data processing activities is aware of their responsibilities and obligations under the regulation.

Developing an action plan

A comprehensive action plan acts as a guide to GDPR compliance. It involves raising awareness, fostering alignment, and implementing essential steps such as information mapping, data audit, and privacy communications. Furthermore, the action plan enables organizations to build increased trust and credibility, and gain a deeper understanding of their data collection and usage practices.

A GDPR compliance action plan should include steps such as: 

  • Raising awareness and creating alignment
  • Conducting information mapping and data audit
  • Issuing notices and privacy communications
  • Defining the Personal Data Policy and other top-level documents
  • Creating an inventory of processing activities

Prioritizing actions in your GDPR compliance plan involves a two-step process outlined in a practical guide, and it is advisable to adhere to best practices, including appointing a data protection officer, classifying all data, and completing a privacy impact assessment.

Your path to GDPR Compliance with Thoropass

Okay, that may have been a scary read. If we’ve got your attention, let us now offer some reassurance. 

Chat with our compliance experts: A free 15-minute AMA 

Let’s chat. Connect with a compliance expert to find out how GDPR applies to your business — no strings attached. Book a chat here.

Our 5-step approach makes GDPR a cinch (okay, not quite a cinch, but as easy as it can get!)

  • STEP 1: Kick-off. After a deep dive into data privacy, our experts walk you through your GDPR compliance roadmap
  • STEP 2: Onboarding. Get up and running with GDPR policy templates, automated vendor discovery, and clear action items
  • STEP 3: Implementation. Efficiently implement and operationalize GDPR with guided workflows, automation, and support from our experts
  • STEP 4: GDPR assessment (or self-assessment) and reporting. As a third party, Thoropass delivers a transparent full assessment and report to share with customers and prospects
  • STEP 5: And beyond… Leverage our extensive platform to add frameworks, renew attestation, and ensure continuous compliance

More FAQs

GDPR fines can be issued by national data protection authorities, with penalties up to €20 million or 4% of annual global turnover, whichever is higher. These fines serve as a stark reminder to organizations of the importance of GDPR compliance and the potential consequences of non-compliance.

Organizations must take steps to ensure that they are compliant with GDPR regulations or risk fines, loss of reputation, or other regulatory sanctions.

A legitimate interest is when a company/organization processes personal data to fulfill its legitimate interests or the interests of third parties, as long as this does not outweigh an individual’s rights and freedoms. Such activities include maintaining customer relationships, direct marketing, fraud prevention, and ensuring the security of IT systems.

These activities must be balanced against the individual’s rights and freedoms, and the company/organization must be able to demonstrate that the processing is necessary and proportionate. This means that the company/organization must be able to show that the processing is necessary for the legitimate interests pursued.

While GDPR does not directly apply to the United States, it may still impact U.S.-based organizations that handle the personal data of individuals within the EU/EEA. GDPR has extraterritorial reach, meaning that if a U.S. company offers goods or services to individuals in the EU/EEA or monitors their behavior, it may be subject to GDPR’s requirements.

To comply with GDPR, U.S.-based organizations may need to implement measures such as obtaining appropriate consent for data processing, ensuring data security, respecting individuals’ rights, and complying with data breach notification obligations, among other provisions. Many organizations have taken steps to align their practices with GDPR to facilitate international data transfers and maintain good data protection practices.

It’s important to note that the United States has its own data protection laws at the federal and state levels, such as the California Consumer Privacy Act (CCPA) and the Health Insurance Portability and Accountability Act (HIPAA), which regulate specific sectors or aspects of data protection. However, these laws are separate from GDPR and have their own scope and requirements.

Companies have various responsibilities under GDPR, including adhering to data protection principles, reporting breaches, and appointing a Data Protection Officer (DPO) if necessary. Organizations must ensure that they are processing personal data lawfully, fairly, and transparently and that they are taking the necessary steps to protect the data from misuse and exploitation.

The data controller must also ensure that they are collecting data for specified, explicit, and legitimate purposes.

An EU Representative should be assigned by your organization if the following criteria are met:

  • Your organization is not based in the EU, but provides goods or services to and/or processes personal data of data subjects who reside in the EU
  • Your organization handles, processes, or stores personal data on a “large scale” OR your organization processes special categories of personal data*

Organizations who are unsure of this designation should consult internal or third-party legal counsel to validate applicability.

*Special categories of data under the GDPR are:

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic data
  • Biometric data
  • Health-related data
  • Data concerning a person’s sex life or sexual orientation

Not all organizations need a DPO; whether one is required depends on the scale and nature of the data processing activities. The cases in which Article 37 of the GDPR requires a DPO are listed above under “Appointing a Data Protection Officer (DPO)”.

Public authorities and bodies, including the data protection authority, are also required to appoint a DPO. In other cases, having a DPO is a best practice, or it may be required by a contractual obligation with a customer or vendor.
