The GDPR basics your business needs to know

We’ve all experienced situations when a few bad apples made life harder for everyone. There are plenty of examples of this in today’s world, but one of the most far-reaching examples is the need for data protection regulations. Some web-based businesses were taking advantage of customers’ data and disregarding their privacy, leading to widespread laws like the GDPR that everyone needs to follow.

When people talk about the GDPR, meaning the EU’s data privacy law, what do they mean? What does GDPR stand for, what is GDPR compliance, and what do you have to do to be compliant? To bring you up to speed, we’re covering all the essentials in this GDPR overview.

What is GDPR and what does GDPR compliance mean?

GDPR stands for General Data Protection Regulation. This is a regulation that was signed into law across the EU in 2016. The goal of the GDPR was to give users and customers more transparency about their data and how it is collected and used, give users more control over their data, and protect users’ data privacy from unwarranted access.

The GDPR includes a variety of steps any business must take if it collects data from anyone in the EU. Understandably, though, EU authorities gave businesses time to get the necessary procedures in place, so the GDPR’s effective date was in May 2018. If you’re wondering when the GDPR went into effect, you probably only need to think back to when you started seeing pop-ups about allowing cookies on every site you visited.

What are the GDPR rights granted to people in the EU?

The core GDPR principles revolve around a set of rights that the legislation guarantees to people in the EU. These include:

  • The right to be informed about what data is being collected about them and how it is used
  • The right of access to the data being collected
  • The right to rectification, meaning the right to have inaccurate data corrected
  • The right to erasure of any and all data a company has stored about them, at their request
  • The right to restriction of processing, meaning they can request that you stop or change the way you process their data
  • The right to data portability, meaning they can request that any and all of their data be transferred from one company or service provider to another
  • The right to object
  • Rights regarding automated decision-making and profiling

This “bill of rights” forms the core basis for the GDPR and sets the tone for the rules and regulations that businesses need to follow.

What are the GDPR rules I need to follow?

The GDPR regulations include a complex list of rules and requirements for businesses to follow. These include security protocols, user communication policies, data management practices, and more, all intended to protect the eight rights guaranteed to users.

One type of requirement in the GDPR involves getting consent from users to collect and process their data. Before this regulation, it was assumed that users consented to their data being collected and used unless they stated otherwise. This is called implied consent, and most users had no idea what they were “consenting” to. The GDPR flips this so companies can only collect data if users give their written consent.

You’re also required to have processes in place for communicating your data usage transparently to users. You need to have clear and easy ways for users to put their GDPR data protection rights into action, like ways for them to request the erasure of their data or to request access to the data you’ve collected about them.

Another key component of the GDPR policy is data security. You must have systems in place that keep users’ data reasonably safe from unwarranted access like hacks and data breaches. As part of this, you need to have internal access controls to make sure user data can only be seen and used when absolutely necessary. You must also have protocols for alerting authorities quickly about any data breaches or risks to user data.

If your company isn’t located within the EU, another key requirement is to have a representative in the EU who can be the primary point of contact with EU authorities about GDPR matters.

This is not a comprehensive list of the GDPR requirements but a general summary of the types of policies, protocols, and protections you’ll need to have in place for EU GDPR compliance.

Who needs to comply with the GDPR?

Most data privacy regulations apply to companies based in a particular area. The GDPR is different. This law protects anyone in the EU, so who does the General Data Protection Regulation require to comply? It applies to any company that collects data from anyone within the EU.

Generally, that means any company with a website needs to follow the GDPR law. You may not be actively marketing to EU customers, but if an EU-based user could visit your site and have their data collected, the GDPR applies to you. The rare exception would be a company that cannot or does not do business with EU-based customers, such as a site that is geographically blocked from EU users.

What is the General Data Protection Regulation Enforcement Process?

GDPR data protections were put in place for all of the EU, but the law is enforced separately by individual countries within the EU. For example, the legislation regarding data protection and security in the UK is called the UK Data Protection Act 2018. This is the UK’s implementation of the GDPR.

How can I make the GDPR compliance process as smooth as possible?

If you’re doing business in a way that requires you to follow the GDPR, the compliance process doesn’t have to be as arduous as you might expect. There are specialized tools that can help.

Compliance software, for example, will automatically scan your system and compare it against the checklist of requirements for GDPR data privacy. The software gives you a clear list of what criteria you already meet and what you need to put in place for full compliance.
