GDPR Requirements: What Every Organisation Must Do

Core GDPR requirements every organisation must meet, from lawful processing and data subject rights to breach notification and accountability.

The General Data Protection Regulation remains the most consequential data protection law in the world. Understanding GDPR requirements is not optional for any organisation that processes personal data of individuals in the European Economic Area. According to the DLA Piper GDPR Fines Survey, supervisory authorities across the EEA have imposed cumulative fines exceeding EUR 7 billion since the regulation took effect in May 2018.

This article sets out the core GDPR requirements that every organisation must satisfy, structured around the regulation’s main pillars. Whether you are building a compliance programme from scratch or auditing an existing one, these are the obligations that supervisory authorities expect you to meet.

What Are the Core GDPR Requirements?

The GDPR requirements are organised around binding principles codified in Article 5. These principles govern every processing activity and serve as the foundation for all specific obligations in the regulation. They include lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, and accountability.

Violating these principles triggers the highest penalty tier under the GDPR. For a detailed breakdown of each principle, see our data privacy principles guide.

Territorial scope

Before examining specific GDPR requirements, confirm that the regulation applies to your organisation. The GDPR covers any entity that processes personal data of individuals in the EEA, regardless of where the entity is established. A company based in the United States or Singapore that offers goods or services to EEA residents falls squarely within scope.

Lawful basis for processing

Every processing activity must rest on one of six legal bases defined in the GDPR. The most commonly relied upon are consent, contractual necessity, and legitimate interest. Choosing the wrong legal basis, or failing to document the choice, is one of the most frequent compliance failures.

Where you rely on consent, it must be freely given, specific, informed, and unambiguous. Pre-ticked boxes, bundled consents, and consent walls have all been ruled non-compliant. The EDPB Guidelines on consent remain the authoritative reference. For practical implementation guidance, see our valid GDPR consent guide.

Where you rely on legitimate interest, you must conduct and document a balancing test: identify the legitimate interest, demonstrate that processing is necessary to achieve it, and balance it against the rights and freedoms of data subjects. The ICO’s legitimate interests guidance provides a useful assessment template.

How Should Organisations Handle Data Subject Rights?

The GDPR grants individuals enforceable rights that organisations must facilitate. These include the right of access, rectification, erasure, restriction of processing, data portability, and objection. Organisations must also address rights related to automated decision-making and profiling.

Meeting these GDPR requirements demands operational readiness: documented procedures for receiving and processing each type of request, response timelines that comply with the one-month statutory deadline, identity verification measures, and the technical capacity to fulfil erasure and portability requests across all systems.

Supervisory authorities increasingly treat rights management as a litmus test for the maturity of an organisation’s compliance programme. Procedural failures in this area carry real financial consequences.

Data retention and storage limitation

Among the most overlooked GDPR requirements is the storage limitation principle. Organisations must not retain identifiable data longer than necessary for the stated processing purpose. This means defining and enforcing retention periods for each data category, supported by automated deletion or anonymisation processes. A documented retention schedule is not only a legal requirement but a practical risk mitigation measure.

Data Protection Impact Assessments

A Data Protection Impact Assessment is required before any processing that is likely to result in a high risk to individuals’ rights and freedoms. This includes large-scale profiling, systematic monitoring of public areas, and processing of special category data at scale.

The DPIA must describe the processing operations, assess their necessity and proportionality, evaluate the risks to data subjects, and identify mitigation measures. Failing to conduct a DPIA where one is required is itself a sanctionable violation, independent of whether any actual harm materialises.

Organisational Governance and Accountability

The accountability principle is the structural requirement that binds all other GDPR requirements together. Controllers must not merely comply with the regulation; they must be able to demonstrate compliance at any time and to any supervisory authority that requests evidence.

Role of the Data Protection Officer

The GDPR requires the appointment of a Data Protection Officer for public authorities and for organisations whose core activities involve large-scale systematic monitoring or processing of special category data. Even where not legally mandatory, appointing a DPO signals organisational commitment to compliance. The role and missions of the DPO carry specific independence and reporting guarantees that must be respected.

Privacy by design and by default

Privacy by design is a binding GDPR requirement, not a best practice. Data protection must be embedded into processing activities from the earliest design stage. This means applying data minimisation, pseudonymisation, and access controls as default settings rather than afterthoughts.

Security Measures and Breach Notification

The GDPR mandates appropriate technical and organisational security measures, calibrated to the risk level. Organisations must implement encryption of personal data in transit and at rest, access control policies with role-based permissions, regular vulnerability assessments, staff security awareness training, and a documented incident response plan.

When a breach occurs, notification to the supervisory authority is required within 72 hours of becoming aware of it, where the breach is likely to result in a risk to individuals’ rights. Direct communication to affected data subjects is required when the risk is high. Failure to notify within this window is independently sanctionable and has been the basis for enforcement actions across multiple jurisdictions. Our breach handling guide walks through the response protocol step by step.

Processor Obligations Under the GDPR

GDPR requirements do not apply only to controllers. Data processors have direct legal obligations under the regulation, including maintaining records of processing activities, implementing appropriate security measures, notifying the controller without undue delay upon becoming aware of a breach, and cooperating with supervisory authorities.

The relationship between controller and processor must be governed by a written contract that specifies the subject matter, duration, nature, and purpose of the processing, as well as the obligations and rights of each party. Supervisory authorities regularly sanction deficiencies in processor agreements and oversight failures.

What Practical Steps Should You Take First?

For organisations approaching GDPR requirements systematically, the starting point is a comprehensive GDPR compliance checklist. Prioritise the following actions:

  1. Map your data. Identify every category of personal data you process, the purposes, legal bases, recipients, and retention periods.
  2. Verify legal bases. Confirm that every processing activity rests on a documented, defensible legal basis.
  3. Establish rights procedures. Implement documented workflows for handling data subject requests within the one-month deadline.
  4. Appoint a DPO if required. Assess whether the mandatory appointment threshold applies and ensure the DPO has the independence and resources the regulation requires.
  5. Review processor agreements. Audit all contracts with processors to verify they include the mandatory clauses.
  6. Conduct DPIAs. Identify high-risk processing activities and complete impact assessments before processing begins.
  7. Prepare for breaches. Document an incident response plan and test it periodically.

Organisations using Legiscope can automate much of this workflow, from AI-driven gap analysis and automated ROPA generation to real-time compliance monitoring.

FAQ

What are the main GDPR requirements for small businesses?

The GDPR applies regardless of organisation size. Small businesses must comply with the same core requirements: establishing a lawful basis for processing, respecting data subject rights, implementing appropriate security measures, and maintaining records of processing activities. The obligation to appoint a DPO depends on the nature and scale of processing rather than company size, but all other fundamental requirements apply equally.

How quickly must a breach be reported under the GDPR?

Notification to the supervisory authority is required within 72 hours of becoming aware of a personal data breach, where the breach is likely to result in a risk to individuals’ rights and freedoms. If the risk is high, affected individuals must also be notified directly and without undue delay.

Does the GDPR apply to organisations outside Europe?

Yes. The GDPR has extraterritorial reach. It applies to any organisation that processes personal data of individuals in the EEA, regardless of where the organisation is established, if the processing relates to offering goods or services to those individuals or monitoring their behaviour within the EEA.

Written by
Dr. Thiébaut Devergranne
Founder of Legiscope and GDPR expert

Doctor of Law from Université Panthéon-Assas (Paris II), with 23 years of experience in digital law and GDPR compliance. Former adviser to the Prime Minister's administration on the implementation of the GDPR. Thiébaut is the founder of Legiscope, an AI-automated GDPR compliance platform.