The General Data Protection Regulation (GDPR) is a comprehensive data privacy law enacted by the European Union in 2018. It established uniform data protection requirements across all member states. The regulation imposes strict obligations on organizations handling personal data of EU residents, requiring them to process data responsibly and securely. Compliance with GDPR involves understanding its six lawful bases, honoring the rights of data subjects, maintaining proper documentation, and implementing robust security and privacy measures. This page provides an in-depth overview of GDPR’s key requirements and best practices for compliance.
Lawful Bases for Data Processing
GDPR requires that all personal data processing activities have a valid lawful basis. There are six lawful bases for processing as defined in Article 6. These bases justify why an organization may collect and use personal data. The choice of lawful basis must be documented and, where applicable, communicated to data subjects.

The six lawful bases include:
- Consent: The individual has given clear, specific, and informed consent to the processing of their personal data. Consent must be freely given and can be withdrawn at any time. Organizations must record when and how consent was obtained.
- Contractual Necessity: Processing is necessary for the performance of a contract to which the data subject is party, or to take steps at the request of the data subject prior to entering into a contract. For example, processing a shipping address to deliver goods ordered by the individual.
- Legal Obligation: Processing is necessary to comply with a legal obligation to which the controller is subject. This could include tax laws or employment laws that require retention of employee data. The obligation must be a law or regulation, not just an internal policy.
- Vital Interests: Processing is necessary to protect someone’s life or health (the vital interests of the data subject or another person). This basis is applied in emergencies, such as urgent medical scenarios, and generally does not cover routine business processing.
- Public Task: Processing is necessary for performing a task carried out in the public interest or in the exercise of official authority. This basis typically applies to public authorities executing their duties under law, such as governmental or law enforcement functions.
- Legitimate Interests: Processing is necessary for the legitimate interests pursued by the controller or a third party, provided these interests are not overridden by the interests or fundamental rights of the data subject. This basis is the most flexible, but requires a careful balancing test and documentation of why the interests prevail.
Data Subject Rights
Under GDPR, individuals are granted a comprehensive set of rights over their personal data. These rights allow data subjects to control how their data is used, to correct or remove it, and to be informed about processing activities. Organizations must facilitate and honor these rights, typically responding within one month of a request.
- Right to be Informed: Individuals have the right to know how their data is being collected, used, stored, and shared. This is typically fulfilled through clear privacy notices and disclosures at the point of collection. The information must include purposes of processing, retention periods, and the legal basis for processing.
- Right of Access: Also known as a Subject Access Request (SAR), this right allows individuals to obtain confirmation that their data is being processed and to access that personal data. Organizations should provide a copy of the personal data and details on how it is processed, including categories of data, purposes, and recipients.
- Right to Rectification: Data subjects can request correction of inaccurate or incomplete personal data held about them. The controller must rectify the data without undue delay, ensuring records are accurate. If the data has been shared with third parties, those parties should also be informed of any corrections.
- Right to Erasure (Right to be Forgotten): Individuals can request deletion of their personal data when it is no longer necessary for its original purpose, or if consent is withdrawn and there is no other legal basis, among other reasons. Controllers must erase data promptly unless another lawful requirement justifies keeping it (e.g. legal retention laws).
- Right to Restrict Processing: Instead of full erasure, data subjects may request that processing of their data be restricted (i.e., marked and stored but not further processed). This right can be invoked in specific situations, such as when the accuracy of data is contested or the processing is unlawful but the data subject opposes erasure.
- Right to Data Portability: Individuals have the right to receive their personal data in a structured, commonly used, machine-readable format. They can also request that the controller transmit this data directly to another controller if technically feasible. This right applies when processing is based on consent or contract and is carried out by automated means.
- Right to Object: Data subjects can object to processing of their personal data based on legitimate interests or direct marketing. If an objection is made, the controller must stop processing unless they can demonstrate compelling legitimate grounds. There is a specific right to object to direct marketing at any time, which requires immediate cessation of marketing processing.
- Right not to be Subject to Automated Decision-making: Individuals have the right not to be subject to decisions based solely on automated processing (including profiling) that have legal or similarly significant effects. They can demand human intervention, express their point of view, or contest the decision. Explicit consent must be obtained if automated decisions are carried out.
Key GDPR Articles (5–32)
GDPR’s provisions are detailed across multiple articles that outline principles, rights, and obligations. The core requirements governing compliance are contained in Articles 5 through 32. Important articles include:
- Article 5: Establishes fundamental data protection principles (lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, and confidentiality).
- Article 6: Defines the six lawful processing bases (described above) and conditions for lawful processing.
- Article 7: Specifies conditions for obtaining and documenting valid consent, including the requirement for clear affirmative action.
- Article 9: Governs processing of special category data (sensitive personal data) and sets stricter conditions, such as explicit consent or necessity for employment law.
- Articles 12–23: Detail data subject rights and obligations on controllers to honor those rights (information, access, rectification, erasure, restriction, portability, objection, and automated processing rights).
- Articles 24–32: Define the responsibilities of controllers and processors, covering accountability (data protection by design and default) and security measures (Article 32). The closely related obligations that follow them, breach notification (Articles 33–34) and data protection impact assessments (Article 35), are treated in their own sections below.
- Article 30: Requires controllers and processors to maintain a Record of Processing Activities (RoPA) documenting their data processing operations.
- Article 32: Specifies requirements for the security of processing, including the implementation of appropriate technical and organizational measures.
Controller and Processor Responsibilities
Under GDPR, a data controller is the entity that determines the purposes and means of processing personal data. A data processor is the entity that processes data on behalf of the controller. Both roles have distinct responsibilities:
| Aspect | Controller | Processor |
|---|---|---|
| Definition | Determines the purposes and means of processing personal data. | Processes personal data on behalf of the controller under contract. |
| Legal Obligations | Must ensure all processing has a lawful basis and comply with all GDPR principles. | Must process data only on documented instructions from the controller and implement appropriate security measures. |
| Processing Agreement | Must have a written contract with processors (Article 28) defining the processing details. | Required to enter into a contract with the controller and to provide guarantees of data protection. |
| Record-Keeping | Must maintain records of processing activities (RoPA) and other compliance documentation. | Must maintain records of categories of processing carried out on behalf of controllers. |
| Data Breach Notification | Responsible for notifying the supervisory authority of breaches and, when required, the affected individuals. | Must notify the controller without undue delay after becoming aware of a breach. |
Controllers are primarily accountable for complying with GDPR. Processors have direct obligations (Article 28) to secure data and assist controllers with compliance. Both must implement appropriate safeguards, but controllers bear the ultimate responsibility for compliance and for ensuring processor obligations are met.
Technical and Organizational Measures (TOMs)
GDPR requires organizations to implement appropriate technical and organizational measures (TOMs) to ensure data security. This means applying controls that protect data from unauthorized access, disclosure, alteration, or destruction. Measures should be in line with the level of risk and the current state of technology (state of the art). Common examples of TOMs include:
- Encryption and Pseudonymization: Encrypt personal data both at rest and in transit. Use pseudonymization to process data without direct identifiers, enhancing security and privacy.
- Access Controls: Implement strict access management to ensure only authorized personnel can access sensitive data. Use strong authentication methods (e.g., multi-factor authentication).
- Security Software: Deploy firewalls, antivirus, and intrusion detection systems to protect networks and systems. Keep software and security patches up-to-date.
- Data Minimization: Collect and store only the minimum personal data necessary for the processing purpose. Anonymize or delete data that is no longer needed.
- Backup and Recovery: Maintain regular backups of data and ensure a secure recovery plan is in place in case of data loss or ransomware.
- Organizational Policies: Develop and enforce data protection policies, incident response plans, and clear procedures for handling data subject requests and data breaches.
- Training and Awareness: Provide regular GDPR and security training for employees to ensure awareness of data protection obligations and how to handle data safely.
- Privacy by Design and Default: Incorporate privacy considerations into system and process designs from the outset, and configure default settings to the most privacy-friendly options.
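As an added illustration of the pseudonymization measure listed above (example code written for this page, not from any project or authority the page describes), the following Python keeps the secret key and the re-identification table apart from the pseudonymised data set, which is what makes the output pseudonymous rather than anonymous under the Article 4(5) definition. The class name, token prefix and the list of direct identifiers are this example's own choices.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional


class PseudonymisationVault:
    """Replaces direct identifiers with keyed-hash tokens (HMAC-SHA-256).

    The secret key and the reverse-lookup table are the 'additional
    information' that GDPR Article 4(5) requires to be kept separately from
    the pseudonymised data set, so the analytics copy alone cannot be
    attributed to a person. A plain unkeyed hash would not qualify: anyone
    holding a list of candidate e-mail addresses could recompute it.
    """

    def __init__(self, key: Optional[bytes] = None) -> None:
        self.key = key if key is not None else secrets.token_bytes(32)
        self._lookup: Dict[str, str] = {}  # token -> original identifier

    def pseudonymise(self, identifier: str) -> str:
        # Normalise so "Alice@Example.com" and "alice@example.com" map to one token,
        # which keeps per-person analytics (order counts etc.) consistent.
        canonical = identifier.strip().lower().encode("utf-8")
        digest = hmac.new(self.key, canonical, hashlib.sha256).hexdigest()
        token = "psn_" + digest[:24]  # 96 bits is ample for a customer table
        self._lookup[token] = identifier.strip()
        return token

    def reidentify(self, token: str) -> Optional[str]:
        """Only the holder of this vault can go from token back to identifier."""
        return self._lookup.get(token)


# Fields treated as direct identifiers in this example (an assumption).
DIRECT_IDENTIFIERS = ("email", "full_name", "phone")


def pseudonymise_record(vault: PseudonymisationVault, record: dict) -> dict:
    """Return a copy of the record with direct identifiers replaced by tokens;
    attributes needed for analysis (country, order count) are left as they are."""
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        if field in out and out[field] is not None:
            out[field] = vault.pseudonymise(str(out[field]))
    return out


if __name__ == "__main__":
    # Constructed sample customer records, not real people.
    customers = [
        {"email": "alice@example.com", "full_name": "Alice Example", "country": "DE", "orders": 3},
        {"email": "Alice@Example.com", "full_name": "Alice Example", "country": "DE", "orders": 1},
    ]
    vault = PseudonymisationVault()  # key and lookup stay with the controller
    analytics_copy = [pseudonymise_record(vault, c) for c in customers]
    print(analytics_copy)  # both rows carry the same token, no e-mail address
    print(vault.reidentify(analytics_copy[0]["email"]))
```

Store the vault's key in a secrets manager and the lookup table in a separately access-controlled store; the pseudonymised copy can then be shared with analytics teams without exposing identifiers.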
Documentation and Record-Keeping Obligations
GDPR emphasizes accountability, meaning organizations must document compliance efforts. Key documentation obligations include:
- Record of Processing Activities (RoPA): As per Article 30, controllers (and large processors) must maintain a detailed log of processing activities, including purposes, categories of data subjects, recipients, and retention periods.
- Consent Records: Document when, how, and why consent was obtained from individuals. Keep records of consent forms and data subject communications.
- Data Processing Agreements: Maintain written contracts with processors outlining their GDPR obligations.
- Data Protection Policies: Have a clear privacy policy and internal data protection policies. Update them as needed to reflect current practices.
- Data Breach Logs: Record details of any personal data breaches, response actions taken, and notifications sent. These logs help demonstrate compliance with breach notification requirements.
- DPIA Documentation: Keep records of any Data Protection Impact Assessments conducted, including the assessment methodology, findings, and mitigation measures.
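The consent-record obligation above, together with the withdrawal requirement in the lawful-bases section, as an added Python example (written for this page, not the page's own code or any authority's template): an append-only consent ledger in which the most recent event decides and a missing record means no consent. The event fields, the purpose names and the notice-version strings are assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


def utc(y: int, mo: int, d: int, h: int = 0, mi: int = 0) -> datetime:
    return datetime(y, mo, d, h, mi, tzinfo=timezone.utc)


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str       # customer reference (ideally a pseudonymous one)
    purpose: str          # one specific purpose, e.g. "newsletter", not a blanket "marketing"
    granted: bool         # True = consent given, False = consent withdrawn
    at: datetime          # when the event happened (must be timezone-aware)
    method: str           # how it was captured, e.g. "signup_form_v3", "unsubscribe_link"
    notice_version: str   # version of the privacy notice shown at that moment


class ConsentLedger:
    """Append-only history of consent events per data subject and purpose.
    Keeping every event instead of one mutable flag lets the controller show
    when, how and under which notice consent was obtained, and that a
    withdrawal was honoured from the moment it was received."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def record(self, event: ConsentEvent) -> None:
        if event.at.tzinfo is None:
            raise ValueError("consent timestamps must be timezone-aware")
        self._events.append(event)

    def history(self, subject_id: str, purpose: str) -> List[ConsentEvent]:
        """Chronological evidence trail, e.g. to answer a subject access request."""
        return sorted((e for e in self._events
                       if e.subject_id == subject_id and e.purpose == purpose),
                      key=lambda e: e.at)

    def has_consent(self, subject_id: str, purpose: str,
                    when: Optional[datetime] = None) -> bool:
        """Default deny: no recorded event means no consent. Otherwise the latest
        event at or before `when` decides, so a withdrawal overrides an earlier grant."""
        when = when or datetime.now(timezone.utc)
        relevant = [e for e in self.history(subject_id, purpose) if e.at <= when]
        return bool(relevant) and relevant[-1].granted


if __name__ == "__main__":
    # Constructed sample events, not real customer data.
    ledger = ConsentLedger()
    ledger.record(ConsentEvent("cust-1001", "newsletter", True, utc(2024, 3, 1, 9, 0),
                               "signup_form_v3", "privacy-notice-2024-01"))
    ledger.record(ConsentEvent("cust-1001", "newsletter", False, utc(2024, 6, 15, 18, 30),
                               "unsubscribe_link", "privacy-notice-2024-01"))
    print(ledger.has_consent("cust-1001", "newsletter"))  # False: the withdrawal is the latest event
```

Evaluate `has_consent` immediately before each use of the data (for example before every newsletter send), not once at signup, so a withdrawal takes effect without delay.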
Proper record-keeping enables an organization to demonstrate compliance during audits or supervisory inspections. It should be an ongoing process integrated into normal operations.
International Data Transfers and Safeguards
Transferring personal data outside the EU/EEA is restricted under GDPR. Data may only flow to countries or entities that ensure adequate protection. The main mechanisms for lawful international transfers include:
- Adequacy Decisions: The European Commission can determine that a non-EU country (e.g., Canada, Japan, the United Kingdom, or Switzerland) provides an adequate level of data protection. Transfers to these countries require no further safeguards.
- Standard Contractual Clauses (SCCs): Pre-approved EU data protection clauses can be inserted into contracts. SCCs create legal obligations on the sender and recipient to protect the data.
- Binding Corporate Rules (BCRs): Internal policies adopted by multinational companies, approved by EU regulators, allow intra-group data transfers. BCRs legally bind the company to GDPR-level protection globally.
- Derogations: In specific cases, transfers are allowed with data subject consent, for contract performance, or other narrowly defined situations. Derogations are exceptions and generally should not be relied on for routine transfers.
Organizations must also assess the risk of transfer to each country (especially following the Schrems II ruling) and implement supplementary measures if needed. Proper documentation and legal analysis of transfers are required to satisfy GDPR requirements.
Data Protection Impact Assessments (DPIAs)
A Data Protection Impact Assessment is a risk assessment process required for processing activities likely to result in high risk to individuals’ rights and freedoms. Article 35 mandates DPIAs for large-scale processing of sensitive data, systematic monitoring, or new technologies. A DPIA involves:
- Description of the Processing: Outline the nature, scope, context, and purposes of the data processing activity.
- Necessity and Proportionality: Assess why the processing is necessary and whether there are less intrusive ways to achieve the same purpose.
- Risk Assessment: Identify potential privacy risks and the likelihood of harm to data subjects (e.g., identity theft, loss of confidentiality, or reputational harm).
- Mitigation Measures: Propose measures to reduce or eliminate identified risks, such as additional security controls or anonymization techniques.
- Consultation: Involve stakeholders like the Data Protection Officer (DPO) and, if necessary, seek guidance from the supervisory authority before proceeding.
- Documentation: Record the DPIA process, decisions, and outcomes. If high risk cannot be mitigated, the controller must consult the authority before processing.
DPIAs should be conducted before commencing any high-risk processing project. Well-executed DPIAs help avoid fines by preventing non-compliant processing and demonstrating due diligence.
SME Compliance Challenges and Examples
Small and medium-sized enterprises (SMEs) often face obstacles in GDPR compliance due to limited resources and expertise. Common challenges include:
- Resource Constraints: SMEs may lack the budget to hire dedicated compliance staff or invest in advanced security technology.
- Awareness and Expertise: Companies might not fully understand GDPR requirements or how to implement them effectively.
- Data Complexity: SMEs often rely on third-party services (e.g., cloud providers) and may not have full visibility or control over data flows.
- Record-Keeping: Maintaining comprehensive documentation like RoPA and DPIAs can be burdensome for smaller teams.
For example, a small e-commerce startup collecting customer emails for marketing might struggle to properly document consent and set up adequate security. It may inadvertently send newsletters to individuals without clear opt-in, violating consent requirements. In another scenario, a family-owned business that transfers HR data to a cloud payroll service in the US might not implement Standard Contractual Clauses, leading to a compliance gap.
SMEs can mitigate these challenges by leveraging affordable tools and seeking expert guidance. Many data protection authorities offer resources and templates tailored for smaller organizations. Starting with a gap analysis and focusing on high-risk areas (like securing customer data) can make GDPR compliance more manageable for SMEs.
Implementation Strategies and Best Practices
To achieve GDPR compliance in the real world, organizations should adopt strategic and ongoing measures:
- Regular Audits and Gap Analyses: Conduct periodic privacy and security audits to identify weaknesses. Use checklists aligned with GDPR articles to ensure all requirements are addressed.
- Appointing a DPO or Team: Determine if a Data Protection Officer is required based on processing activities. Even if not mandatory, consider appointing a qualified staff member or outsourcing a DPO to oversee compliance efforts.
- Automation Tools: Implement software solutions for consent management, data mapping, and breach detection. Automation can help maintain records, manage user data requests, and track compliance status.
- Employee Training: Provide ongoing training to all staff about data protection principles and incident response procedures. Human error is a common cause of data breaches.
- Privacy by Design: Integrate data protection considerations into new products and systems from the outset. Conduct privacy reviews during project planning and development.
- Incident Response Plan: Maintain a clear procedure for handling data breaches, including quick containment, assessment, and notification within 72 hours as required by GDPR.
- Continuous Improvement: Treat GDPR compliance as an ongoing process. Update policies and practices in response to new regulatory guidance, changes in processing activities, or after any security incident.
By implementing these strategies, organizations demonstrate a proactive compliance posture. This not only helps avoid substantial fines but also builds trust with customers and partners by showing a commitment to protecting personal data.