Who should comply with GDPR?

October 13, 2021

You may have heard of GDPR within the last few years, but do you know what GDPR is? GDPR, or the General Data Protection Regulation, is a law that was instituted by the European Union to protect the data collection and data use rights of its residents no matter where their activities took them. It’s a comprehensive data security law, so it leaves many business operators asking, “When it comes to GDPR, do I need to comply?”

It all depends on how you’re conducting business and with whom you’re conducting business. Let’s take a closer look at the question of who should be GDPR compliant.

Who has to comply with GDPR?

According to the way GDPR is written, it applies to any entity (any person, business, or organization) that collects or processes personal data from any person in the European Union. For example, any business that accepts orders from EU-based users must be GDPR compliant. Anyone who has a website that collects data about its visitors and can be reached by visitors in the EU also needs to be GDPR compliant.

The law is written this way because it’s designed to protect the data and privacy rights of any internet users within the EU, no matter where they go online or where they shop. So in general, if you do business with EU residents, you’re required to comply with GDPR.

What information does GDPR apply to?

When you hear that GDPR applies to anyone who collects or processes personal information about EU residents, the natural next question to ask is, “What do they define as personal information?”

For the purposes of GDPR, “personal information” or “personal data” includes just about anything. It includes the person’s basic information like their name and date of birth, as well as their geographic information, IP address, cookie identifiers, health data, payment information, and more.

Do we need to be GDPR compliant if we’re not based in the EU?

This is a common question that has led to many misunderstandings. Because GDPR is written in a way to protect EU users, even people and organizations based outside the EU need to comply if they will be taking in any data from EU users.

In reality, there may be more organizations that do need to comply with GDPR than those that don’t. For example, if you are a US-based app developer, your app is exclusively available on US-only app stores, and you only collect data from users who have downloaded the app, you wouldn’t need to be GDPR compliant because no one in the EU can download your app.

Do I need GDPR for my website?

In the vast majority of cases, if you have a website, then yes, you do need to comply with GDPR. Most websites collect some type of data. Even if you aren’t using cookies and other types of automated data collection, if you have a contact form on your website and an EU user could fill it out, you’re responsible for complying with GDPR as a result.

If you have a website and you’re asking, “Do I need to be GDPR compliant,” one of the rare cases in which the answer would be “no” is if your website is restricted to specific geographic locations that aren’t in the EU. In this case, your site can’t be accessed by anyone in the EU.

When do we have to be GDPR compliant?

GDPR is a relatively new law, so when do you need to be GDPR compliant? GDPR was adopted by the EU in 2016 with a two-year transition period, so the law fully took effect in May 2018. Since it is now a few years past 2018, every person, organization, or business that may process or collect information from EU residents must be GDPR compliant now.

If you aren’t currently compliant with GDPR, it’s important to take steps to become compliant immediately because the penalties for non-compliance range between €10 million and €20 million, or higher depending on your annual global turnover. If you are launching a new EU-accessible website or opening a business that will serve EU customers, it’s best to become GDPR compliant before your site or business goes live.

How to get started with GDPR compliance

If you’ve just discovered that you need to comply with GDPR, don’t panic. You can start taking concrete steps toward your compliance right away. There are automated platforms that make it easy by scanning your system to determine which compliance requirements you already meet and which ones you need to correct. When you’ve met all the requirements for GDPR compliance, the platform can easily document each of these requirements so you can reference them at any time.
