
Who should comply with GDPR?
You may have heard of GDPR within the last few years, but do you know what GDPR is? GDPR, or the General Data Protection Regulation, is a law that was instituted by the European Union to protect the data collection and data use rights of its residents no matter where their activities took them. It’s a comprehensive data security law, so it leaves many business operators asking, “When it comes to GDPR, do I need to comply?”
It all depends on how you’re conducting business and with whom you’re conducting business. Let’s take a closer look at the question of who should be GDPR compliant.

Who has to comply with GDPR?
According to the way GDPR is written, it applies to any entity (any person, business, or organization) that collects or processes personal data from any person in the European Union. For example, any business that accepts orders from EU-based users must be GDPR compliant. Anyone who has a website that collects data about its visitors and is able to receive visitors in the EU also needs to be GDPR compliant.
The law is written this way because it’s designed to protect the data and privacy rights of any internet users within the EU, no matter where they go online or where they shop. So in general, if you do business with EU residents, you’re required to comply with GDPR.
What information does GDPR apply to?
When you hear that GDPR applies to anyone who collects or processes personal information about EU residents, the natural next question to ask is, “What do they define as personal information?”
For the purposes of GDPR, “personal information” or “personal data” includes just about anything. It includes the person’s basic information like their name and date of birth, as well as their geographic information, IP address, cookie identifiers, health data, payment information, and more.
Do we need to be GDPR compliant if we’re not Based in the EU?
This is a common question that has led to many misunderstandings. Because GDPR is written in a way to protect EU users, even people and organizations based outside the EU need to comply if they will be taking in any data from EU users.
In reality, there may be more organizations that do need to comply with GDPR than those that don’t. For example, if you are a US-based app developer, your app is exclusively available on US-only app stores, and you only collect data from users who have downloaded the app, you wouldn’t need to be GDPR compliant because no one in the EU can download your app.
Do I need GDPR for my website?
In the vast majority of cases, if you have a website, then yes, you do need to comply with GDPR. Most websites collect some type of data. Even if you aren’t using cookies and other types of automated data collection, if you have a contact form on your website and an EU user could fill it out, you’re responsible for complying with GDPR as a result.
If you have a website and you’re asking, “Do I need to be GDPR compliant,” one of the rare cases in which the answer would be “no” is if your website is restricted to specific geographic locations that aren’t in the EU. In this case, your site can’t be accessed by anyone in the EU.
When do we have to be GDPR compliant?
GDPR is a relatively new law, so when do you need to be GDPR compliant? GDPR was adopted as a law by the EU in 2016 and they provided a two-year transition period, so the law fully took effect in May 2018. Since it is now a few years past 2018, every person, organization, or business that may process or collect information from EU residents must be GDPR compliant now.
If you aren’t currently compliant with GDPR, it’s important to take steps to become compliant immediately because the penalties for non-compliance range between €10 million and €20 million, or higher depending on your annual global turnover. If you are launching a new EU-accessible website or opening a business that will serve EU customers, it’s best to become GDPR compliant before your site or business goes live.
How to get started with GDPR compliance
If you’ve just discovered that you need to comply with GDPR, don’t panic. You can start taking concrete steps toward your compliance right away. There are automated platforms that make it easy by scanning your system to determine which compliance requirements you already meet and which ones you need to correct. When you’ve met all the requirements for GDPR compliance, the platform can easily document each of these requirements so you can reference them at any time.
Learn more about compliance requirements
Why a SOC 2 is the Most Accepted Security Compliance Standard
Your HIPAA Compliance Checklist

FEATURED VANTA RESOURCE
The ultimate guide to scaling your compliance program
Learn how to scale, manage, and optimize alongside your business goals.
PCI Compliance Selection Guide
Determine Your PCI Compliance Level
If your organization processes, stores, or transmits cardholder data, you must comply with the Payment Card Industry Data Security Standard (PCI DSS), a global mandate created by major credit card companies. Compliance is mandatory for any business that accepts credit card payments.
When establishing strategies for implementing and maintaining PCI compliance, your organization needs to understand what constitutes a Merchant or Service Provider, and whether a Self Assessment Questionnaire (SAQ) or Report on Compliance (ROC) is most applicable to your business.
Answer a few short questions and we’ll help identify your compliance level.
Does your business offer services to customers who are interested in your level of PCI compliance?
Identify your PCI SAQ or ROC level
The PCI Security Standards Council has established the below criteria for Merchant and Service Provider validation. Use these descriptions to help determine the SAQ or ROC that best applies to your organization.
Good news! Vanta supports all of the following compliance levels:
A SAQ A is required for Merchants that do not require the physical presence of a credit card (like an eCommerce, mail, or telephone purchase). This means that the Merchant’s business has fully outsourced all cardholder data processing to PCI DSS compliant third party Service Providers, with no electronic storage, processing, or transmission of any cardholder data on the Merchant’s system or premises.
Get PCI DSS certified
A SAQ A-EP is similar to a SAQ A, but is a requirement for Merchants that don't receive cardholder data, but control how cardholder data is redirected to a PCI DSS validated third-party payment processor.
Learn more about eCommerce PCI
A SAQ D includes over 200 requirements and covers the entirety of PCI DSS compliance. If you are a Service Provider, a SAQ D is the only SAQ you’re eligible to complete.
Use our PCI checklist
A Report on Compliance (ROC) is an annual assessment that determines your organization’s ability to protect cardholder data. If you’re a Merchant that processes over six million transactions annually or a Service Provider that processes more than 300,000 transactions annually, your organization is responsible for both a ROC and an Attestation of Compliance (AOC).
Automate your ROC and AOC
Download this checklist for easy reference
Questions?
Learn more about how Vanta can help. You can also find information on PCI compliance levels at the PCI Security Standards Council website or by contacting your payment processing partner.

The compliance news you need. Delivered securely to your inbox.
Subject to Vanta's Privacy Policy, you agree to allow Vanta to contact you via the email provided for marketing and other purposes