The GDPR basics your business needs to know

We’ve all experienced situations when a few bad apples made life harder for everyone. There are plenty of examples of this in today’s world, but one of the most far-reaching examples is the need for data protection regulations. Some web-based businesses were taking advantage of customers’ data and disregarding their privacy, leading to widespread laws like the GDPR that everyone needs to follow.

When people talk about the GDPR, meaning the EU’s data privacy law, what do they mean? What does GDPR stand for, what is GDPR compliance, and what do you have to do to be compliant? To bring you up to speed, we’re covering all the essentials in this GDPR overview.

When did GDPR go into effect?

GDPR stands for General Data Protection Regulation. This is a regulation that was signed into law across the EU in 2016.

The GDPR is a response to the massive growth of technology and the way it has turned consumer data into both a commodity and a potential weapon. It was passed by the EU in 2016 and took effect on May 25th, 2018, meaning that organizations had to be fully GDPR compliant by May 2018.

The GDPR isn’t the EU’s first regulation designed to protect personal data. In 1995, it adopted the Data Protection Directive, which laid out rules for processing and transferring data in the EU. The GDPR is essentially a modernized regulation with the same goal, designed to better reflect the way data is handled today and the fact that it now functions as a form of currency. The 1995 Data Protection Directive also allowed every EU country to write its own data privacy laws, which created a logistical mess for businesses and regulators, so the GDPR fixes this with one unified regulation.

When the GDPR took effect in 2018, it was among the strictest data privacy regulations in existence, and it remains so today. An update to the GDPR was published in 2021 as well, removing the Privacy Shield to make it easier for US businesses to serve EU customers and changing the laws for cookie consent.

A refresher on GDPR basics

The goal of the GDPR was to give users and customers more transparency about their data and how it is collected and used, give users more control over their data, and protect users’ data privacy from unwarranted access.

The GDPR includes a variety of steps any business must take if it collects data from anyone in the EU. Understandably, though, EU authorities gave businesses time to get the necessary procedures in place, so the GDPR’s effective date was in May 2018. If you’re wondering when the GDPR went into effect, you probably only need to think back to when you started seeing pop-ups about allowing cookies on every site you visited.

GDPR compliance meaning and guidelines

For your organization to be considered “GDPR compliant,” you must adhere to all of the guidelines and requirements laid out in the GDPR. That involves having certain consent options on your site, incorporating and enforcing certain policies for how data is handled, and so on.

Keep in mind that the GDPR is a law, not a standard. Unlike security standards, there is no certification that deems you to be “GDPR compliant.” You are responsible for ensuring that you are following the law, and there can be serious penalties and fines if you are found to be in breach of the GDPR. These fines can be tens of millions of dollars or more - the highest penalty to date is €746 million (about $787 million US). Double-check your organization’s compliance with our GDPR checklist to avoid severe penalties.

GDPR guidelines

As a whole, the GDPR is designed to protect consumer data for EU residents. There are seven guiding principles it uses to carry out that goal.

Lawfulness, fairness, and transparency

Organizations must collect data with fairness and transparency, allowing consumers to understand what is being collected about them rather than gathering data behind their backs.

Purpose limitation

When organizations collect data, it doesn’t become free for them to use in any way they choose. In alignment with the GDPR, organizations can only use collected data for specific purposes that they have communicated to the consumers.

Data minimization

The GDPR requires organizations to only collect data that is necessary for their purposes, so they are receiving as little data as is possible or reasonable from consumers.

Accuracy

To protect users from being targeted based on inaccurate data, the GDPR requires organizations to make a reasonable effort to keep consumers’ data accurate and up to date.

Storage limitation

The GDPR requires organizations to keep consumers’ data only for as long as is necessary for them to process it appropriately.

Integrity and confidentiality

Organizations must take measures to keep consumer data secure and confidential to protect it from unauthorized access.

Accountability

The GDPR holds organizations accountable for how they use and handle consumer data, including intentional misuse and careless disregard for consumer privacy.

What rights are granted under the GDPR?

The core GDPR principles revolve around a set of rights that the legislation guarantees to people in the EU. These include:

  • The right to be informed about what data is collected about them and how it is used
  • The right of access to the data being collected
  • The right to rectification, that is, the right to have inaccurate data corrected
  • The right to erasure of any and all data a company has stored about them, at their request
  • The right to restriction of processing, by requesting that you stop or change the way you’re processing their data
  • The right to data portability, meaning that they can request that any and all of their data be transferred from one company or service provider to another
  • The right to object
  • Rights regarding automated decision-making and profiling

This “bill of rights” forms the core basis for the GDPR and sets the tone for the rules and regulations that businesses need to follow.

What are the GDPR rules I need to follow?

The GDPR regulations include a complex list of rules and requirements for businesses to follow. These include security protocols, user communication policies, data management practices, and more to protect those eight rights guaranteed to users.

One type of requirement in the GDPR involves getting consent from users to collect and process their data. Before this regulation, it was assumed that users consented to their data being collected and used unless they stated otherwise. This is called implied consent, and most users had no idea what they were “consenting” to. The GDPR flips this so companies can only collect data if users give their written consent.

You’re also required to have processes in place for communicating your data usage transparently to users. You need to have clear and easy ways for users to put their GDPR data protection rights into action, like ways for them to request the erasure of their data or to request access to the data you’ve collected about them.

Another key component of the GDPR policy is data security. You must have systems in place that keep users’ data reasonably safe from unwarranted access like hacks and data breaches. As part of this, you need to have internal access controls to make sure user data can only be seen and used when absolutely necessary. You must also have protocols for alerting authorities quickly about any data breaches or risks to user data.

If your company isn’t located within the EU, another key requirement is to have a representative in the EU who can be the primary point of contact with EU authorities about GDPR matters.

This is not a comprehensive list of the GDPR requirements but a general summary of the types of policies, protocols, and protections you’ll need to have in place for EU GDPR compliance.

Who needs to comply with the GDPR?

Most data privacy regulations apply to companies based in a particular area. The GDPR is different: it protects anyone in the EU. So, in terms of which companies must comply with its requirements, who does the General Data Protection Regulation apply to? It applies to any company that collects data from anyone within the EU.

Generally, that means any company with a website needs to follow the GDPR law. You may not be actively marketing to EU customers, but if an EU-based user could visit your site and have their data collected, the GDPR applies to you. The rare exception would be a company that cannot or does not do business with EU-based customers, such as a site that is geographically blocked from EU users.

How can I make the GDPR compliance process as smooth as possible?

If you’re doing business in a way that requires you to follow the GDPR, the compliance process doesn’t have to be as arduous as you might expect. There are specialized tools that can help.

Compliance software, for example, will automatically scan your system and compare it against the checklist of requirements for GDPR data privacy. The software gives you a clear list of what criteria you already meet and what you need to put in place for full compliance.
