Next named exclusive Trail Blazer in NEW 2024 Radicati DLP Market Quadrant Report Read the Report
Updated: Oct 23, 2023   |   Toby Bristow

What is GDPR compliance? Requirements, principles, and everything you need to know

Go back

GDPR compliance is necessary for all organizations that collect and process personal data on European Union (EU) citizens. Maintaining compliance is necessary to avoid fines and penalties levied by the EU. 

This guide discusses GDPR’s underlying principles, the terminology used in the regulation, and the compliance requirements that organizations must follow.

cyber security lock pad and digits

Image by Tumisu from Pixabay

In this article:

What is GDPR?

The European Union’s General Data Protection Regulation (GDPR) was adopted by its member states in 2016. It was developed to replace the 1995 Data Protection Directive, which was used in some European nations.

The GDPR was designed to address data privacy concerns as the growth of the Internet made the digital exchange of information more common. The regulation was put into effect on May 25, 2018, and is considered to be the strongest data privacy law in the world.

The GDPR’s primary purpose is to protect the personal data of EU citizens. The regulation defines the circumstances under which personal data can be collected and processed, the steps organizations must take to comply with the regulation, and the rights of data subjects.

The GDPR originally applied to all the EU member states. While the United Kingdom (UK) left the union in January 2020, it has incorporated the provisions of the EU GDPR into law as the UK GDPR. It is essentially the same regulation with changes made to address domestic laws.

fingers typing on laptop glenn carstens peters

Photo by Glenn Carstens-Peters on Unsplash

What are the GDPR’s seven core principles?

The following seven core principles are at the heart of GDPR data protection. All organizations that collect, process, and store the personal data of EU citizens are required to follow these guidelines to comply with GDPR.

Lawfulness, fairness, and transparency

Collecting personal data must be for a lawful reason and cannot be used for any illegal purpose. Data subjects need to understand how their personal data will be used. We look more closely at the lawful reasons for data collection and processing later in this guide.

Purpose limitation

This principle limits the purposes for which personal data can be used by a data controller. Data subjects must understand why their personal data is being collected and what will be done with it. Individuals can decide whether to provide the requested data to a data controller or processor.

Data minimization

Data controllers are required to collect the minimum amount of data to meet their purpose. The collected data must be adequate, relevant, and limited to serve the purposes of the data controllers. Organizations are forbidden to collect additional personal data elements to be used at a later time for a different purpose.

Data accuracy

Organizations must ensure the accuracy of the data they collect and process by implementing the appropriate technical and administrative processes. Data subjects have the right to correct any inaccuracies found in their collected personal information.

open laptop on glass table carlos muza

Photo by Carlos Muza on Unsplash

Storage limitation

Personal data can only be stored for the length of time required to fulfill the explicit purposes of the data controller. The timeframe an organization retains data must be justified and keeping it any longer is a compliance violation. In cases where the data is being used for research, archiving, or statistical analysis, it can be retained for extended periods.

Integrity and confidentiality

Appropriate and sufficient security measures are required to be in place to restrict the unauthorized use of personal data and to prevent data breaches. Collected personal data must be recoverable to restore its availability if it is lost or destroyed.


The last principle requires accountability from all entities involved in processing personal data. They must meet compliance standards and produce documented evidence of compliance measures when necessary.

What does the GDPR consider personal data?

Personal data is defined in GDPR Article 4 as any information relating to an identified or identifiable natural person known as the data subject. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Examples of personal data elements subject to GDPR protection include:

  • An individual’s first and last name
  • An individual’s home address
  • IP addresses of an individual’s computer or WiFi router
  • Identification numbers such as on a driver’s license
  • Medical records that can be used to uniquely identify an individual

Sensitive personal data is a special category of personal information defined in Article 9 of the GDPR. This data must be processed more securely than other personal data due to its sensitive nature and the fact that it can potentially be used to discriminate against individuals.

Categories of sensitive data include:

  • An individual’s racial or ethnic origin
  • Political, religious, or philosophical beliefs
  • Genetic data
  • Biometric data that can uniquely identify an individual
  • Health-related data
  • Information about a person’s sex life or sexual orientation
hands exchanging card through computer

Image by Bruno from Pixabay

When can personal data be collected and processed?

Article 6 of the GDPR explicitly defines the lawful reasons for which personal data can be collected and processed. At least one of the following reasons must apply for the collection and processing of personal data to be considered lawful.

  • The data subject has given consent for their data to be used for specific purposes.
  • Processing is required to fulfill a contract to which the data subject is a party.
  • Processing is necessary to comply with a legal obligation of a data controller.
  • The processing protects the vital interests of the data subject or another natural person.
  • Processing is required to perform a task in the public interest.
  • Processing is necessary to address the legitimate interests of the data controller or a third party as long as these interests are not overridden by the rights of the data subject.

Consent under GDPR needs to be implemented by an opt-in methodology where data subjects must clearly indicate their consent to the collection and processing of their personal data.

What roles does GDPR define?

GDPR defines multiple roles that address different aspects related to the collection and processing of personal data. It is essential to understand the responsibilities of each role to maintain GDPR compliance. The following are the most important roles defined by GDPR.

Data controller

A data controller is the natural person or legal entity responsible for determining the purposes and methods used when processing personal data. Data controllers are key decision-makers and are required to ensure that all actions taken related to personal data comply with the GDPR.

A data controller can be an individual or a company or another legal entity.

GDPR Article 24 defines the data controller’s responsibilities which include:

  • Taking into account the purpose, nature, scope, and context of personal data processing
  • Considering the likelihood of risks that may impinge on the freedom or rights of natural persons in the EU
  • Implementing appropriate technical and organizational measures to protect personal data
  • Reviewing these measures regularly and modifying them when necessary

Data controllers are held to the strictest standards regarding GDPR compliance and are ultimately responsible for data breaches and violations.

Data processor

A data processor is a person or legal entity that processes personal data on behalf of a data controller.

Article 29 of the GDPR defines the limits imposed on a data controller. It states that the processor and any person acting under the authority of the controller or of the processor, who has access to personal data, shall not process the data except on instructions from the controller unless required to do so by Union or Member State law.

Data processors must abide by the data controller’s instructions when processing data. If they do not follow these instructions, the processor can be liable for data breaches.

As such, data processors, which are often third parties engaged by data controllers, need to ensure their processes comply with GDPR.

While processors have a reduced level of legal obligations compared to controllers, they still need to ensure the proper measures are in place to protect the rights of data subjects. Both data processors and controllers can be penalized in the event of a data breach based on each entity’s degree of responsibility for the violation.

Data protection officer (DPO)

The data protection officer is responsible for overseeing an organization’s data protection strategy and implementation. A DPO can either be an employee of the data-controlling organization or an external expert but must have the requisite knowledge to ensure compliance with GDPR.

business meeting laptops open scott graham

Photo by Scott Graham on Unsplash

Supervisory authority

A supervisory authority is a public entity in an EU member state that monitors compliance with GDPR. The responsibilities of a supervisory authority include advising companies regarding GDPR, addressing complaints from data subjects, conducting compliance audits, and issuing fines to companies in non-compliance with the regulation.

GDPR representative

GDPR representatives are required to be appointed by companies located outside the EU that are targeting EU citizens. Their role is to ensure compliance and facilitate communication with European data protection authorities.

Data subjects’ rights under GDPR

Data subjects are another role defined in GDPR that warrants a more detailed discussion due to the rights they are afforded by the regulation. These rights must be respected by data collectors and processors to remain compliant with GDPR. These are the rights data subjects can exercise under GDPR:

  • The right to be informed about the personal data that is being collected, its uses, if it will be shared, and how long it will be retained
  • The right of access to their personal data through the submission of a data subject access request to a data controller
  • The right to rectification if a data subject finds collected information to be inaccurate or incomplete
  • The right to the erasure of personal data under certain circumstances
  • The right to restrict how an organization uses a subject’s personal data
  • The right to data portability to enable individuals to use collected data with multiple services
  • The right to object to the purpose for which their personal data is being used
  • Rights regarding the use of data for automated decision-making processes such as profiling
blue cyber network map

Image by Pete Linforth from Pixabay

Who needs to comply with GDPR?

All companies doing business with EU member states or the UK must comply with GDPR if they collect and process personal data. The regulation is designed to protect EU citizens no matter who is collecting and processing their personal data.

Ecommerce and the globalized nature of modern businesses mean that many organizations — even small businesses — outside the EU must comply with GDPR when processing personal data. Simply put, GDPR compliance is the price that must be paid to do business in the EU.

What are the requirements for compliance?

Companies need to successfully address multiple requirements to comply with GDPR. Failure to meet any of these requirements is considered a violation and can result in financial penalties.

Data must be collected and processed lawfully, fairly, and transparently

Organizations can only process personal data with a lawful justification, as outlined earlier in this guide.

Personal data can only be collected for a specific purpose

After data is collected and stored, it can only be used for the specific stated purpose. When data is no longer needed for this purpose, it should be securely deleted.

The rights of data subjects must be protected

The rights of data subjects under GDPR must be respected by data controllers and processors. The rights granted to data subjects by GDPR were also outlined in a previous section of this guide.

Data subject’s consent

Consent for processing personal data is required under certain circumstances. When necessary, it must be obtained following specific guidelines, with individuals deliberately opting in and agreeing to the data collection and processing.

Personal data breaches must be avoided

Organizations must take all necessary measures to avoid data breaches involving personal data. Incidents that result in the unavailability of personal data, such as natural disasters and outages, are considered data breaches by the GDPR.

padlock with binary numbers background

Image by Thomas Breher from Pixabay

Privacy by design

Data collection and processing procedures need to be developed with a privacy-by-design approach. Companies need to implement technical and administrative controls and safeguards to protect the rights of data subjects and enforce GDPR principles.

Data protection impact assessments (DPIA)

A data protection impact assessment is required when processing can result in high risks to personal data. These risks include the monitoring of data subjects in public places and profiling.

Data transfers

Data transfers can only be conducted in approved methods, which will vary based on where the data is located and how it will be moved. This requirement affects data controllers processing personal data outside of the member state in which it is collected.

Naming a data protection officer

Companies required to comply with GDPR should appoint a data protection officer (DPO). The DPO is responsible for advising the organization on how to comply with the regulation and acts as a contact point for questions related to data privacy.

Providing employee training

Employee training on GDPR compliance is required for everyone involved in handling personal data. Training should include a discussion of the preventative measures that can be taken to ensure the protection of the collected data.

business men women sitting around table christina morillo

Photo by Christina Morillo via Pexels

How is GDPR non-compliance enforced?

Non-compliance with GDPR is enforced through the authority of each member state’s data protection authority (DPA).

A DPA is an independent organization that monitors and supervises the application of data protection laws. They have investigative and corrective powers and can levy fines against violating organizations.

The cost of GDPR non-compliance can be substantial, and the framework for fines is defined in Article 83 of the GDPR. The amount of a particular fine is determined by the severity of the violation and the size of the violating organization.

There are two tiers of GDPR fines that depend on the severity of the infringement:

  • Less severe violations can result in fines of up to 10 million euros, or 2% of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher.
  • More severe violations can result in heavier fines. The range of fines doubles, with a maximum of 20 million euros or 4% of the firm’s worldwide annual revenue from the preceding financial year.
woman typing laptop outside karolina grabowska

Photo by Karolina Grabowska via Pexels

How does data loss prevention support GDPR compliance?

Protecting the privacy, security, and integrity of collected personal data requires that the appropriate technical and administrative measures are in place. A modern data loss prevention (DLP) solution, such as the Reveal platform by Next, addresses multiple aspects of maintaining GDPR compliance.

Reveal automatically enforces an organization’s data handling policies — which should be developed with GDPR compliance in mind — and helps protect a company from accidental or deliberate mishandling of personal data.

More than this, Reveal categorizes data as it is ingested into the environment so information subject to GDPR standards can immediately be securely protected.

Reveal also offers user training at the point of risk and helps elevate a workforce’s security IQ. A DLP solution can be instrumental in minimizing the possibility of a data breach resulting in serious financial repercussions.

Contact Next today and schedule a demo of Reveal to see how it works with your security stack and provides additional security for your valuable data resources.

Check out the video below for more information on GDPR compliance.

Frequently asked questions

Why are GDPR audits conducted?

While regular audits are not a legal requirement of the GDPR, one may be conducted by a DPA in the wake of a data breach or other regulatory violation. Companies that need to comply with GDPR should institute a program of regular internal audits to ensure they are meeting the requirements for compliance.

How can an EU citizen correct inaccurate collected personal data?

EU citizens can request a copy of the personal data an organization stores on them. The organization must meet the request within one month by providing a free copy of the information in an accessible format. The citizen can then exercise their right to rectification and request that the data controller or processor correct the inaccurate data.

Why was Meta fined for non-compliance with GDPR?

Meta was fined a record $1.3 billion for a violation in the way it transferred data from the EU to the U.S. for processing. The penalty was announced by Ireland’s Data Protection Commission and addresses the differences in the national data privacy laws in various nations. The specific violation involved transferring the data from EU Facebook users to the U.S., where it was to be stored and processed.


See how Next protects your employees and prevents data loss