What Is GDPR Compliance? Definition, Requirements & What Businesses Must Do
What Is GDPR Compliance?
GDPR compliance means operating in accordance with the General Data Protection Regulation — the European Union's comprehensive data protection law that came into force on May 25, 2018. The regulation establishes strict rules for how organizations collect, store, process, and share the personal data of individuals in the EU and the European Economic Area (EEA). GDPR compliance is not a one-time certification; it is an ongoing operational commitment to embedding data protection principles into how an organization works.
The GDPR's reach extends far beyond Europe. Any organization anywhere in the world that collects or processes personal data belonging to EU residents is subject to its requirements. This means a SaaS company headquartered in San Francisco, an e-commerce retailer in Singapore, or a data analytics firm in Canada all face GDPR obligations if they have EU customers or users. Understanding what GDPR requires, who it applies to, and what non-compliance costs is essential for any business operating in or selling to European markets.
TL;DR — Key Takeaways
• GDPR is the EU's data protection regulation, enforceable since May 2018, with global reach.
• It applies to any organization that processes personal data of EU/EEA residents, regardless of location.
• Core requirements include lawful basis for processing, transparency, data subject rights, and security measures.
• Fines can reach €20 million or 4% of global annual turnover, whichever is higher.
• Key obligations include appointing a DPO (in some cases), signing DPAs with vendors, and conducting DPIAs for high-risk processing.
What Is Personal Data Under GDPR?
Personal data is the central concept in GDPR, and its definition is deliberately broad. Under the regulation, personal data is any information that relates to an identified or identifiable natural person — the "data subject." A person is identifiable if they can be directly or indirectly identified, especially by reference to an identifier such as a name, identification number, location data, online identifier (such as an IP address or cookie ID), or to one or more factors specific to their physical, physiological, genetic, mental, economic, cultural, or social identity.
This expansive definition means that GDPR covers far more than obvious identifiers like names and email addresses. It also covers IP addresses, device IDs, browsing history associated with a user profile, employee records, customer transaction histories, photographs, and even combinations of data points that together could identify a person. If your organization collects, stores, transmits, or analyzes any of this information about EU residents, GDPR applies to you.
The regulation also distinguishes a special category of sensitive personal data that receives heightened protection: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used for unique identification, health data, and data concerning sex life or sexual orientation. Processing this data is prohibited except in specific, narrowly defined circumstances.
Who Does GDPR Apply To?
GDPR applies to two categories of organizations: controllers and processors. A controller is the entity that determines the purposes and means of processing personal data — essentially, the organization that decides why and how personal data is used. A processor is an entity that processes personal data on behalf of a controller — for example, a cloud hosting provider, a payroll service, or an email marketing platform.
Both controllers and processors have obligations under GDPR, though controllers bear the primary responsibility. Controllers must ensure they have a valid legal basis for every processing activity, fulfill data subject rights requests, maintain records of processing activities, and ensure that any processors they engage are contractually bound to appropriate data protection standards through a Data Processing Agreement (DPA).
Processors have their own direct obligations under GDPR, including maintaining records of processing activities carried out on behalf of controllers, implementing appropriate security measures, notifying controllers of data breaches, and not engaging sub-processors without the controller's authorization. For SaaS vendors and technology service providers, this means GDPR compliance is not just a customer-facing concern — it is a fundamental operational and commercial requirement. Enterprise buyers routinely require evidence of GDPR compliance as part of their vendor due diligence and security questionnaire processes.
What Are the Six Lawful Bases for Processing Under GDPR?
One of the GDPR's foundational requirements is that every act of processing personal data must have a lawful basis. You cannot collect or use personal data simply because it might be useful. GDPR defines six lawful bases, and organizations must identify and document which basis applies to each processing activity before that processing begins.
Consent is the most well-known basis, but it is not the only or even the most appropriate basis for most business processing. Valid GDPR consent must be freely given, specific, informed, and unambiguous. Pre-ticked boxes, bundled consent, and consent buried in terms and conditions do not meet the standard. Consent can also be withdrawn at any time, which makes it a fragile basis for processing that your business depends on continuously.
Contract is a lawful basis when processing is necessary to perform a contract with the data subject, or to take steps at their request before entering a contract. Processing an employee's bank details to pay their salary, or processing a customer's shipping address to fulfill an order, falls under this basis.
Legal obligation covers processing that is necessary to comply with a law. Retaining employee tax records, processing data for anti-money laundering checks, or reporting to a regulator all fall under this basis.
Vital interests applies in life-or-death situations — it is a narrow basis used primarily in emergency contexts.
Public task applies to processing carried out by public authorities in the exercise of official functions. It rarely applies to private businesses.
Legitimate interests is a flexible basis that allows controllers to process data when they have a genuine and legitimate purpose that is not overridden by the interests, rights, or freedoms of the data subject. It requires a three-part balancing test: identifying the legitimate interest, establishing that the processing is necessary, and confirming that the interest is not overridden by the data subject's rights. Many B2B and marketing activities rely on this basis, but it requires documented assessment.
What Rights Do Individuals Have Under GDPR?
GDPR grants individuals — data subjects — a robust set of rights over their personal data. Organizations must have processes in place to honor these rights within the required timeframes, which are generally one calendar month with a possible two-month extension for complex requests.
The right of access (Subject Access Request or SAR) allows individuals to request a copy of all personal data an organization holds about them, along with information about how it is being processed. This right is frequently exercised and can be resource-intensive to fulfill, especially for large organizations with data spread across many systems.
The right to rectification allows individuals to have inaccurate personal data corrected. The right to erasure — often called the "right to be forgotten" — allows individuals to request deletion of their data in certain circumstances, such as when the data is no longer necessary for the purpose for which it was collected, or when consent is withdrawn. The right to restrict processing allows individuals to limit how their data is used while a dispute is being resolved.
The right to data portability allows individuals to receive their personal data in a structured, machine-readable format and transmit it to another controller. The right to object allows individuals to object to processing based on legitimate interests or direct marketing. And the right not to be subject to solely automated decision-making that produces significant effects provides protection against algorithmic decisions made without human review.
What Is a Data Processing Agreement (DPA) and When Is One Required?
A Data Processing Agreement is a legally binding contract between a controller and a processor that governs how the processor handles personal data on the controller's behalf. GDPR Article 28 requires that all controller-processor relationships be governed by a DPA. If your organization uses any third-party service that processes personal data on your behalf — a CRM platform, cloud storage provider, analytics tool, HR software, or email service — you need a DPA with that vendor.
The DPA must include specific mandatory provisions: a description of the processing activities, the duration of processing, the nature and purpose of processing, the type of personal data and categories of data subjects, the controller's instructions to the processor, the processor's obligations regarding security, confidentiality, sub-processors, assistance with data subject rights, and deletion or return of data at the end of the contract.
For enterprise SaaS vendors, having a well-prepared, GDPR-compliant DPA that can be executed quickly is a significant commercial advantage. Enterprise buyers' legal and procurement teams will request it as a standard part of the vendor onboarding process, and the inability to produce one promptly is a deal-delaying friction point. This DPA requirement is closely related to the broader vendor risk management and security questionnaire processes that enterprise buyers run as part of their supplier due diligence.
What Is a Data Protection Impact Assessment (DPIA)?
A Data Protection Impact Assessment is a process for identifying and mitigating the data protection risks of a new project or processing activity before it begins. GDPR requires a DPIA when processing is likely to result in a high risk to the rights and freedoms of individuals. The regulation specifically mandates DPIAs for: systematic and extensive profiling that produces significant effects on individuals; large-scale processing of sensitive personal data; and systematic monitoring of a publicly accessible area.
More broadly, the UK Information Commissioner's Office and other data protection authorities recommend conducting a DPIA any time you introduce a new technology, implement a significant change to existing processing, or process data in a way that feels novel or potentially intrusive. A DPIA involves describing the processing, assessing its necessity and proportionality, identifying and assessing risks, and identifying measures to mitigate those risks. If risks cannot be sufficiently mitigated, the organization must consult with its supervisory authority before proceeding.
What Are the GDPR Requirements for Data Security?
GDPR Article 32 requires controllers and processors to implement appropriate technical and organizational security measures to protect personal data against unauthorized access, accidental loss, destruction, or damage. The regulation does not prescribe specific security controls — instead, it requires measures that are appropriate to the level of risk, taking into account the nature of the data, the scale and context of the processing, and the costs of implementation.
In practice, GDPR-compliant security programs typically include: encryption of personal data at rest and in transit, pseudonymization where appropriate, access controls based on the principle of least privilege, regular security testing and vulnerability management, documented incident response procedures, and business continuity and disaster recovery planning. Organizations that hold certifications like ISO 27001 or have passed a SOC 2 audit can use these as evidence that appropriate security measures are in place, though neither certification is a formal GDPR compliance mechanism on its own.
Security questionnaires from enterprise buyers often mirror GDPR security requirements closely, because buyers know that a vendor's failure to meet GDPR security standards creates liability for the buyer as a controller. Understanding why enterprises send security questionnaires illuminates this dynamic: they are essentially operationalizing their GDPR Article 28 obligation to verify that processors provide sufficient guarantees.
What Are the GDPR Rules on Data Breach Notification?
GDPR imposes strict breach notification requirements that represent a significant departure from the previously inconsistent patchwork of national laws. Under Article 33, controllers must notify their supervisory authority of a personal data breach within 72 hours of becoming aware of it, where the breach is likely to result in a risk to the rights and freedoms of individuals. Where notification is not made within 72 hours, the reasons for the delay must be provided.
Under Article 34, where a breach is likely to result in a high risk to individuals — not just any risk, but high risk — the controller must also notify the affected individuals without undue delay. The notification to individuals must describe the nature of the breach, the likely consequences, and the measures the controller has taken or proposes to take to address it.
Processors have a parallel obligation: they must notify the controller without undue delay after becoming aware of a breach. This is why DPAs always include breach notification provisions. For organizations using cloud services or SaaS platforms, the speed and quality of the processor's breach notification are a critical factor in the controller's ability to meet its own 72-hour window.
What Are GDPR Fines and Penalties?
The GDPR's enforcement teeth come from its penalty regime. The regulation establishes two tiers of administrative fines. For less serious infringements — including failures to maintain records of processing activities, failures to notify breaches, or failures to conduct required DPIAs — fines can reach €10 million or 2% of total worldwide annual turnover, whichever is higher. For the most serious infringements — violations of the basic principles for processing, violations of data subjects' rights, or unlawful international transfers — fines can reach €20 million or 4% of total worldwide annual turnover, whichever is higher.
These penalties are not theoretical. Meta has received fines totaling over €1.3 billion for violations of GDPR rules on international data transfers. Amazon was fined €746 million by Luxembourg's data protection authority. Google, WhatsApp, TikTok, and hundreds of smaller companies have all faced significant GDPR enforcement actions. Beyond fines, GDPR violations can result in orders to cease processing, reputational damage, loss of customer trust, and in some member states, criminal liability for responsible individuals.
How Does GDPR Affect International Data Transfers?
One of the most practically complex aspects of GDPR is its restriction on transferring personal data outside the EU/EEA to countries that do not provide an equivalent level of data protection. The EU maintains a list of countries it has deemed "adequate" — currently including the UK (under a separate adequacy decision), Canada, Japan, Israel, and several others. Personal data can flow freely to adequate countries.
For transfers to non-adequate countries — including the United States — organizations must use one of several approved mechanisms. The EU-U.S. Data Privacy Framework (adopted in 2023, replacing the invalidated Privacy Shield) allows certified US companies to receive EU personal data. Standard Contractual Clauses (SCCs) are the most widely used mechanism for transfers to any non-adequate country; they are pre-approved contract terms that the European Commission has determined provide adequate protection. Binding Corporate Rules (BCRs) are used by multinational companies to govern intra-group transfers. Each of these mechanisms has specific requirements and limitations that legal and compliance teams must actively manage.
What Is a Data Protection Officer (DPO) and Do You Need One?
A Data Protection Officer is a named individual (internal or external) responsible for overseeing an organization's GDPR compliance program, advising on data protection obligations, monitoring compliance, and serving as the point of contact with the supervisory authority. GDPR Article 37 requires the appointment of a DPO in three circumstances: when the processing is carried out by a public authority or body; when core activities involve large-scale, regular, and systematic monitoring of individuals; or when core activities involve large-scale processing of special category data or criminal conviction data.
Organizations that are not required to appoint a DPO may still choose to do so voluntarily. Many compliance and legal professionals argue that any organization with significant personal data processing should have a DPO or equivalent function. The DPO must be given sufficient resources and access to perform their role effectively and cannot be penalized for doing so.
How Steerlab Helps SaaS Vendors Navigate Enterprise GDPR Requirements
For SaaS vendors and technology companies whose enterprise customers regularly ask for GDPR-related documentation, security questionnaire responses, and evidence of compliance as part of their procurement processes, Steerlab.ai automates the completion of those assessments — helping teams respond to data protection and security questionnaires consistently and at speed, without manually answering the same questions for every customer.
Frequently Asked Questions
What does GDPR stand for?
GDPR stands for General Data Protection Regulation. It is the European Union's primary data protection law, which came into effect on May 25, 2018, replacing the previous EU Data Protection Directive. It is formally designated as Regulation (EU) 2016/679 of the European Parliament and of the Council.
Does GDPR apply to companies outside the EU?
Yes. GDPR applies to any organization, regardless of where it is based, that processes personal data of individuals in the EU or EEA in connection with offering goods or services to them, or monitoring their behavior within the EU. A company based in the United States, Australia, or anywhere else is subject to GDPR if it has EU customers or users.
What is the difference between a data controller and a data processor under GDPR?
A data controller determines why and how personal data is processed — it is the organization that makes the decisions. A data processor handles personal data on behalf of a controller, following the controller's instructions. A SaaS company whose customers use it to store their own customer data is typically a processor. The company itself is a controller for data it collects about its own users.
What is a lawful basis for processing under GDPR?
A lawful basis is the legal justification that permits an organization to process personal data. GDPR identifies six: consent, contract, legal obligation, vital interests, public task, and legitimate interests. Organizations must identify and document the appropriate basis for each type of processing activity before it begins, and cannot change the basis retrospectively.
How long can you keep personal data under GDPR?
GDPR's storage limitation principle requires that personal data be kept for no longer than necessary for the purpose for which it was collected. There is no single prescribed retention period; organizations must determine appropriate retention periods for each data category based on their processing purposes and any applicable legal obligations requiring retention, and must document those periods in their records of processing activities.
What is a Subject Access Request (SAR) under GDPR?
A Subject Access Request is an individual's exercise of their right of access under GDPR Article 15. The individual requests confirmation of whether their personal data is being processed and, if so, a copy of that data along with specified supplementary information. Organizations must respond within one calendar month and cannot charge a fee for a standard request.
What is the difference between GDPR and the UK GDPR?
Following Brexit, the United Kingdom adopted its own version of GDPR — known as UK GDPR — which is incorporated into domestic law alongside the Data Protection Act 2018. UK GDPR closely mirrors EU GDPR in its requirements, principles, and rights. However, the UK and EU now operate as separate regulatory regimes with separate supervisory authorities, and the free flow of personal data from the EU to the UK depends on the EU's adequacy decision for the UK remaining valid.
How does GDPR relate to SOC 2 and ISO 27001?
GDPR, SOC 2, and ISO 27001 are complementary but distinct frameworks. GDPR is a legal regulation governing the rights of individuals and obligations of organizations around personal data. SOC 2 is an auditing standard for service organizations' security controls. ISO 27001 is an international standard for information security management systems. SOC 2 and ISO 27001 certifications provide evidence of security controls that support GDPR compliance, particularly the Article 32 security obligation, but neither constitutes GDPR compliance on its own.
