GDPR Compliance: What Companies Need to Know

Yulia Landbo

Yulia Landbo

Last updated: Nov 27, 2023 6 min read

This guide will delve deeper into the specifics of this data protection law, explaining what GDPR is, its founding principles, its enforcement date, its main concepts, and the roles involved. We'll also provide what's most valuable: a step-by-step guide on how businesses can ensure GDPR compliance with this law.

GDPR Basics

First, let's demystify this acronym and explore some details of the concept.

What Is GDPR?

The General Data Protection Regulation (GDPR) is a privacy and security regulation in the European Union law setting the guidelines for collecting, processing, storing, and transferring personal data of individuals living in the European Economic Area. 

This data protection law is considered one of the strictest globally. Even though this law is enforced within the European Union, it also obligates businesses worldwide to comply. GDPR enforcement is triggered when a company begins interacting with the personal data of EU users in a manner that breaches any of its numerous clauses.

GDPR Breaches and Fines as a Result of Non-compliance

The complexity and extensive nature of this hundred-page document, paired with severe penalties, make General Data Protection Regulation compliance a significant challenge. Even with the aid of specialized software tools, this regulation has proved to be a considerable revenue source for the EU, contributing at least $4 billion from 1,653 penalty incidents.

Under Art. 83, violating the fundamental principles of personal data protection stipulated in GDPR can lead to severe penalties of up to $20 million, or up to 4% of the company's global yearly revenue. This latter option can be substantially higher in some cases, as demonstrated by the fines on Meta and Amazon.

Infringements relating to the control, processing, certification, and monitoring activities can lead to fines of up to $10 million or up to 2% of the company's annual revenue.

When Does GDPR Apply And When Doesn’t

Both art. 2 and art. 3 define the material and territorial scope of the GDPR appliance.

GDPR covers all companies or any other entities which process personal data (we’ll talk about this concept a bit below) of citizens or residents of the European Union or European Economic Area, offering them products or services. No matter where your business is located, which jurisdiction it belongs to, or whether these products or services are paid.

There are several cases where GDPR isn’t applicable:

Personal Data As a Key GDPR Concept

An integral part of the GDPR law which we already mentioned above is personal data. Let’s define this concept and review the main types of personal data under the General Data Protection Regulation. You can find this and other essential definitions in Art. 4.

Personal Data Definition Under GDPR

Personal data under GDPR is any information related to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier.

In other words, personal data is any information that can be attributed to an identifiable person, including address, name, e-mail, phone number, personal taxation number, photos, etc. As you can see, this can include a wide array of different types of information. Let’s review them in the next block.

Categories of Personal Data

Generally, all the personal data covered by GDPR can be divided into two categories — regular data and special (or sensitive) data.

Regular Personal Data

When a piece of personal data can be attributed, directly or indirectly, to a natural person who can be identified or already identified, this personal data is considered regular. This category of personal data consists of:

Special, or Sensitive Personal Data

There are several types of more sensitive personal data that require better protection. The rule of thumb is to process data only upon special conditions occurrence, such as special consent from the subject, or request from a legal authority. Below are the main sensitive data categories:

Criminal information on convictions and offenses is also considered personal data under the General Data Protection Regulation. This information can be processed by public data controllers only in case of its strict necessity for public or regulatory tasks. The only reasons for the disclosure of this data are explicit consent from the data subject and the safeguarding of private or public interests which are overwhelming over secrecy and privacy.

Understanding Key GDPR Roles

We’ve already mentioned an entity called “Data subject” and left it without explanation. Now it’s time to review this and other key roles within GDPR in order to understand them and stay GDPR-compliant.

Data Subjects

As you might already guess, the data subject is simply a natural person who is identifiable or already identified and whose personal data is collected and processed. A natural person here means a living individual, not a legal person (which is a company or any other organization). 

Data Subject Rights

Being an integral role in GDPR, the data subject has some specific rights. These rights must be upheld by organizations collecting, storing, or processing their personal data.

  1. Right to access. Once any personal data is being processed, its subject has the right to become aware of the fact of processing, its place and purpose, as well as to receive a copy of all the processed data for free.

  2. Right to rectification. This right means data subjects are able to ask for corrections or completion of their personal data in cases it is incorrect or incomplete.

  3. Right to be forgotten. Data subjects have the right to ask for the deletion of their personal data in certain circumstances.

  4. Right to restrict processing. Similarly, subjects also have the right to restrict the processing of their personal data in some cases

  5. Right to data portability. Data subjects are always allowed to request their personal data in a machine-readable form, as well as to move the data to another provider.

  6. Right to object. Processing personal data solely for marketing purposes initially requires special consent from the data subject. And vice versa, data subjects have the right to object to the processing of their personal data for marketing purposes, at any moment.

  7. Right related to automated decision-making, including profiling. Data subjects can prevent others from making decisions related to them, based on automated personal data processing, including profiling. However, this right holds true only when such decisions affect them significantly or produce any legal effects.

Data Controller 

The next essential role is the data controller — a natural or legal person, including public authorities and agencies, determining the purposes and means of personal data processing. 

The main responsibility of this role is to take effective measures in order to ensure the processing complies with GDPR and to demonstrate it to data subjects. The selected measures must be based on different processing parameters, including their scope, nature, goals, background, and risks.

Controllers can unite their efforts, which are called joint controllers. Such controllers must distribute their responsibilities transparently, setting a special arrangement for this purpose.

Data Processor

Data controllers often rely on third-party data subjects' arsenal in terms of personal data processing. Within the General Data Protection Regulation, these subjects are called data processors.

The main selection criterion is that data processors must be able to set everything up to adhere to the regulatory requirements in full. And the duty of the data controller is to ensure it. Another important requirement is that the processor cannot engage any other processor without written permission issued by the data controller. If the permission is general, the processor must also notify the controller about any intended changes in terms of adding or replacing any data processors.

Data Protection Officer (DPO)

Quite often, the processing of personal data requires an additional role of the data protection officer (DPO). This is a person who must be appointed by the data controller or processor in order to assist in ensuring GDPR compliance. There are three situations when DPO is required:

  1. When public authorities (except courts) play the role of the controller, processor, or both.

  2. When the processing is tied to large-scale monitoring of data subjects within special categories or criminal information.

  3. When the core activities require regular monitoring of data subjects on a large scale.

There are some significant nuances in DPO usage regulated by GDPR. First of all, several data controllers and data processors can appoint a single DPO in case the specialist will be able to access their data remotely. Second, the officer should be appointed based on professional skills. Third, they can be whether an in-state employee or external service provider.

You can find more important details related to data protection officers in the Art. 37.

Other Important GDPR Concepts Explained

As we said before, General Data Protection Regulation is complex and comprehensive, so it has various legal terms that we should unscramble here. As the main roles are defined, let’s continue with the other concepts that are not less important.

Data Processing 

Under GDPR, to process data means a specific operation or set of operations, performed on personal data. GDPR defines the list of such operations, including

Data Protection

Simply put, data protection means a set of measures for keeping the data safe from any unauthorized access. The idea is to follow the seven main data protection and accountability principles depicted in the next block.

Seven GDPR Data Protection Principles

The data protection principles mentioned above and outlined in Art. 5 are an integral part of the philosophy the regulation is based on. These principles must be strictly followed by those who process personal data.

  1. Lawfulness, Fairness, and Transparency. Personal data must be processed lawfully, fairly, and in a transparent manner, in relation to the data subject.

  2. Purpose Limitation. Personal data must be collected only for previously specified, explicit, and legitimate purposes. 

  3. Data Minimization. Apart from being relevant and adequate, the data you’re referring to must be in an amount not more than necessary.

  4. Accuracy. You must ensure that the personal data is accurate and up-to-date, immediately rectifying all the outdated pieces or deleting them if it’s unable to rectify. 

  5. Storage Limitation. Do not store personal data collected longer than you need under your overarching purpose.

  6. Integrity and Confidentiality. You must ensure the data collected cannot be identified, stolen, lost, destroyed, damaged, or unlawfully processed by third parties.

  7. Accountability. The data-controlling person must be able to demonstrate their adherence to all the principles above.

Biometric Data

Identification of a natural person is also possible through analysis of some behavioral, physical, or physiological features of this person. For instance, it could be fingerprints, face images, or iris scans. Under the General Data Protection Regulation, these features are called biometric data. 

As the other types of sensitive personal data, biometrics require additional protection measures. Generally, this means a prohibition of processing the biometric data for a single purpose of data subject identification. There is, however, a string of exceptions, from having explicit consent of the data subject to substantial public interest. You can find a full list in the Art. 9.

International Data Transfers

GDPR considers international data transfers as all the transfers of personal data to or from a country outside the European Economic Area (EEA). 

The general requirement for all international transfers is that they may only be carried out in full GDPR compliance. This means the level of protection must be kept at the required level and some conditions must be met:

Protection by Design

GDPR encourages organizations operating with personal data to think about proper measures for personal data protection right from the earliest stage of the product or service development lifecycle. 

In other words, these privacy measures should be incorporated into their design specifications, business processes, and work environment. These privacy measures should effectively protect users' personal data by limiting its collection, accessibility, and retention time, as well as ensuring data accuracy.

Data Protection Impact Assessment

As the fines for breaching GDPR compliance are enormous, it’s crucial to analyze, detect, and mitigate data protection risks. The systematical process of GDPR non-compliance risk management is called data protection impact assessment (DPIA). 

Art. 35 describes three cases when DPIA is required:

You should conduct DPIA even before starting to process data and then review and update it on a regular basis. 

Maintaining Records of Processing Activities

One of the crucial duties of data controllers is maintaining a record of their processing activities. Every single record must contain the following pieces of data:

You can find a complete list of requirements for records maintenance in Art. 30.

How Businesses Can Stay GDPR-Compliant

Now, it’s time to form your own successful GDPR compliance checklist within your organization. You can use this one as a base and modify it to your needs along the way.


This article was developed for information purposes only. For legal advice, contact your trusted advisor. Alternatively, Whistleblower Software can connect you with a local legal expert.

Book a demo

5/5 stars on G2