BACK TO BLOGS Back to Press Releases

What is GDPR? A practical guide to data protection compliance

Written by:

Andrea Pomaranski, Special Projects IT Engineer

Written by:

GDPR has a reputation for being dense, legalistic, and harder to understand than it needs to be.

That matters because GDPR is one of the few privacy laws with real teeth, and its reach extends further than many organizations realize. If your business offers goods or services to people in the EU, or monitors their behavior there, GDPR may apply even if your company is based outside the EU. The penalties for noncompliance can also be substantial.

This guide skips the legal prose and covers what GDPR is, who it applies to, what it asks of you, and where compliance stops and security begins.

What is GDPR?

The General Data Protection Regulation (GDPR) is the EU's data privacy law. It governs how organizations collect, use, store, and share personal data and gives individuals enforceable rights over their information.  

Adopted in 2016, it became applicable on May 25, 2018, replacing the older EU Data Protection Directive.

Who does GDPR apply to?

GDPR applies when an organization has an office, branch, or other ongoing business presence in the EU and processes personal data as part of that operation, even if the processing happens elsewhere. It can also apply to organizations outside the EU that offer goods or services to people there or monitor their behavior.

A controller decides why and how personal data is processed. A processor handles it on the controller's behalf. For example, an employer is usually the controller of payroll data, while an outside payroll provider acts as the processor. Controllers must choose and oversee suitable processors, while processors must protect the data and follow the controller’s documented instructions.

What data does GDPR protect?

Personal data is any information that identifies someone directly or indirectly. Names, email addresses, phone numbers, IP addresses, device IDs, location data, and cookie identifiers can all qualify.  

A record does not need to include a person's name if it can still be linked back to them. GDPR places tighter restrictions on special-category data, including health, biometric, genetic, political, religious, and trade union information.  

Criminal conviction data has separate protections. If you handle any of these, the bar is higher across the board.

What is GDPR compliance?

GDPR compliance means handling personal data in line with the regulation, protecting it, honoring individual rights, and keeping evidence that you are doing so. It covers both policy and day-to-day operations: the legal justification for using data, the controls protecting it, the process for responding to requests, and the records behind those decisions.

It is an ongoing process, not a one-time project, because data, systems, vendors, and business practices keep changing.  

Complying is not enough on its own. You also have to show your work through records, policies, and evidence you can produce when a regulator asks.

Key compliance requirements

Every processing activity needs a lawful basis. Consent is the most familiar, but it is one of six. GDPR also recognizes contractual necessity, legal obligations, vital interests, public tasks, and legitimate interests, and each carries different conditions.  

When you rely on consent, it must be freely given, specific, informed, and as easy to withdraw as it was to give. Pre-checked boxes and bundled agreements do not count.

You cannot protect or govern data you have not located. Map what personal data you hold, where it lives, how it moves through your systems, and who can access it.

If a vendor processes personal data on your behalf, GDPR requires a binding agreement defining the processing and the vendor’s obligations. You remain accountable for choosing that vendor carefully and overseeing its work.

International transfers require an applicable GDPR mechanism, such as an adequacy decision or standard contractual clauses. When relying on contractual safeguards, you may also need to assess the destination country’s laws and adopt supplementary measures. Transfers have produced some of GDPR’s largest penalties, including one for more than €1 billion.

Breach notification is one of the hard deadlines.  

When a personal data breach is likely to pose a risk to individuals’ rights and freedoms, the controller generally has 72 hours from becoming aware of it to notify the relevant supervisory authority. If the breach is likely to pose a high risk, affected individuals must also be notified without undue delay. A processor that discovers a breach must promptly notify the controller, so it can assess the incident and meet any reporting deadline.

Data protection measures are the technical and organizational controls that keep data secure. Encryption, access controls, application control, and limiting what users and applications can reach all fall here.

Privacy has to be built in, not bolted on. GDPR requires data protection by design and by default, meaning systems should limit collection, access, and retention from the start.  

Controllers must also conduct a data protection impact assessment before processing likely to create a high risk to individuals’ rights and freedoms, and some organizations must appoint a data protection officer based on the nature and scale of their processing.

Documentation ties it together. GDPR expects organizations to maintain records of processing activities, policies, and key decisions so they can demonstrate compliance when asked.

The core principles of GDPR

Seven principles shape every decision involving personal data.

Lawfulness, fairness, and transparency

You need a valid legal reason to process someone's data, must use it fairly, and must explain what you are doing. Collecting data for one purpose while quietly using it for another fails that test.

Purpose limitation

Collect data for a specific, stated reason. Using it later for a materially different or incompatible purpose requires a fresh assessment and may require a different legal basis and updated notice. Email addresses collected for order confirmations cannot quietly become a marketing list.

Data minimization

Only collect personal data necessary for the stated purpose. Every field should have a reason for being collected and retained. Extra data creates more risk and liability.

Accuracy

Personal data must be accurate and kept up to date where necessary. Organizations need a way to correct or remove inaccurate records, especially when they affect decisions about someone.

Storage limitation

Do not keep personal data longer than necessary. Defined retention periods and reliable deletion prevent information from being stored indefinitely just in case.

Integrity and confidentiality

Personal data must be protected against unauthorized access, loss, and damage. This is where GDPR moves beyond paperwork and requires live security controls.

Accountability

Organizations must comply with the other six principles and be able to prove it through policies, processing records, risk assessments, vendor agreements, training, and evidence that controls work as intended.

Individual rights under GDPR

GDPR grants individuals rights over their personal data, and organizations need processes to honor them. Most requests must be answered without undue delay and within one month, although limited extensions apply. These rights may depend on the circumstances, but each requires a way to verify the requester, locate the data, evaluate exceptions, and respond on time.

Right to access

Individuals can ask whether you process their personal data and request a copy, along with why you have it, where it came from, and who received it.

Right to rectification

Individuals can require you to correct inaccurate personal data and, in some cases, supply missing information.

Right to erasure ("right to be forgotten")

Individuals can request deletion in qualifying circumstances, such as when data is no longer needed, or they withdraw the consent supporting its use. The right is not absolute, so organizations need a process to evaluate exceptions and act on valid requests.

Right to restrict processing

Individuals can require you to pause or limit how their data is used in certain situations, such as while a dispute about its accuracy is being resolved.

Right to data portability

Where processing is based on consent or a contract and carried out by automated means, individuals can request their data in a structured, commonly used, machine-readable format, and can ask for it to be transmitted to another provider where technically feasible.

Right to object

Individuals can object to certain processing, including processing based on legitimate interests. If someone objects to direct marketing, that use of their data must stop.

GDPR also includes the right to be informed and protections involving automated decision-making and profiling, including certain decisions made entirely by automated systems that significantly affect someone.

Common challenges in GDPR compliance

GDPR compliance is continuous. Systems change, vendors are added, and personal data moves into new tools, so policies, controls, and records must stay current.

User consent

Organizations must record when and how consent was given, make it easy to withdraw, and ensure the withdrawal reaches every system using the data.

Identifying personal data

Personal data can be spread across SaaS platforms, spreadsheets, logs, backups, and email. If an organization cannot find it, it cannot reliably protect, delete, or produce it for an access request.

Third-party risk management

Organizations need to know what data each vendor receives, how it is protected, where it is processed, and whether subprocessors are involved. Those relationships need review as services and practices change.

GDPR fines and penalties

The penalties for noncompliance can also be substantial.

GDPR fines come in two tiers. Less severe violations can cost up to €10 million or 2% of worldwide annual turnover. Serious violations can reach €20 million or 4%, whichever is higher. For large organizations, the percentage-based amount can far exceed the fixed ceiling.

Meta received a €1.2 billion fine in 2023 over transfers of European user data to the US without adequate safeguards. TikTok received a €530 million fine in 2025 involving transfers to China and transparency failures. Both show the risk created by global data flows without valid safeguards and clear disclosures.

GPDR vs other frameworks

GDPR is often grouped with other compliance frameworks, but they address different problems.

  • GDPR vs HIPAA:HIPAA compliance regulates protected health information handled by covered entities and business associates in US healthcare. GDPR applies across industries to personal data within its scope and centers on individual rights.
  • GDPR vs PCI DSS: PCI DSS is an industry security standard for payment card data. GDPR is a legally enforceable privacy regulation covering personal data more broadly and granting individuals rights over it.

These frameworks can complement one another. NIST and PCI DSS help organizations structure technical controls, while GDPR adds legal obligations, accountability, and individual rights.

How a Zero Trust architecture supports GDPR compliance

GDPR requires personal data to be protected but does not prescribe a specific security architecture. Zero Trust provides a practical way to enforce that obligation through least privilege, continuous verification, and visibility.

Least privilege limits each user, application, and process to the access it explicitly needs. Blocking unapproved applications and containing approved ones helps enforce that boundary. These controls support integrity and confidentiality and help implement data protection by design: data that cannot be reached cannot be quietly copied, repurposed, or exfiltrated.

Continuous verification replaces one-time trust with ongoing checks rather than assuming an authenticated user or approved application remains trustworthy indefinitely.

Monitoring and visibility reinforce accountability. Knowing which applications and accounts have accessed specific data, and when, gives organizations a stronger factual basis for investigating incidents and meeting breach-reporting obligations. Unusual access patterns are also easier to spot when normal access is narrowly defined.

The result is less exposure. A compromised account or application can reach fewer personal data, and incidents are easier to detect, scope, and report accurately.

GDPR has reshaped how companies handle personal data

GDPR changed the default. Personal data must now be justified, protected, documented, and answerable to the person it describes. Compliance reduces unnecessary data, access, and regulatory exposure.

But paperwork has limits.  

Policies and records show intent while technical controls protect data when something goes wrong. Zero Trust supports GDPR's security requirements by denying access by default, verifying it continuously, and limiting what compromised accounts and applications can reach.  

While Zero Trust architecture alone does not satisfy every aspect of GDPR—such as lawful processing, managing cross-border transfers, and upholding data subject rights—it provides a strong technical foundation for protecting personal data.  

By continuously enforcing least privilege and reducing opportunities for unauthorized access, Zero Trust controls offer some of the most effective support for achieving and maintaining GDPR compliance.

Start your path to stronger defenses

Start your trial

Try ThreatLocker free for 30 days and experience full Zero Trust protection in your own environment.

Book a demo

Schedule a customized demo and explore how ThreatLocker aligns with your security goals.

Ask an expert

Just starting to explore our platform? Find out what ThreatLocker is, how it works, and how it’s different.