General Data Protection Regulation (GDPR)

Understand the GDPR and how it protects the personal data of EU citizens while shaping global privacy compliance standards.

What is the General Data Protection Regulation?

The General Data Protection Regulation (GDPR) is a data privacy law enacted by the European Union to protect the personal data of EU citizens and harmonize data protection regulations across member states. It became enforceable on May 25, 2018.

Even organizations based outside the EU must comply if they process or store data belonging to EU residents. Violations can result in significant penalties—up to €20 million or 4% of annual global revenue, whichever is higher.

Key requirements of the GDPR

The GDPR outlines several core requirements that organizations must follow to protect the personal data of EU citizens. These principles help ensure privacy, transparency, and accountability in how data is collected, stored, and processed.

Privacy by design

The GDPR requires that privacy be built into systems by default, not added as an afterthought. Known as Privacy by Design, this principle mandates that data protection considerations are embedded into processes, tools, and technologies from the start. This includes implementing strong data security practices to protect personal data such as names, email addresses, IP addresses, and medical or financial details.

Data custodianship

Organizations are expected to practice responsible data custodianship—meaning they should only collect and retain the personal data they need, for as long as it's required. Once the data is no longer necessary, it must be deleted or anonymized. This reduces unnecessary risk exposure and aligns with GDPR’s emphasis on minimizing data processing.

Right to erasure

Also known as the “right to be forgotten,” this requirement allows individuals to request deletion of their personal data under certain circumstances—such as withdrawal of consent or suspected non-compliance. Organizations must also offer an easy and transparent way for users to withdraw consent, which must be as simple as giving it in the first place.
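The two requirements just described, keeping personal data only as long as its purpose justifies and honoring a withdrawal of consent, can both be enforced by the same retention job. The following is an added example, not code from the Rapid7 page or any Rapid7 product: a minimal retention and erasure routine over a constructed set of records. The record layout, the retention periods in `RETENTION_BY_PURPOSE`, the sample records and the salt are all assumptions made for the demonstration; real values come from an organization's own records-retention schedule and legal basis for each processing purpose.

```python
"""Added example: retention enforcement and erasure requests for personal data.
All data, purposes and retention periods below are constructed for the demo."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed policy: how long each processing purpose justifies keeping data.
# None means "for the life of the relationship" (e.g. an active account).
RETENTION_BY_PURPOSE = {
    "active_account": None,
    "marketing_consent": timedelta(days=365),
    "support_ticket": timedelta(days=180),
}

# Fixed "now" so the demo is reproducible.
DEMO_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


@dataclass
class PersonalRecord:
    subject_id: str
    email: str
    ip_address: str
    purpose: str
    collected_at: datetime
    consent_withdrawn: bool = False
    erased: bool = False


@dataclass
class AuditEvent:
    """Kept so the organization can demonstrate accountability later."""
    when: datetime
    subject_id: str
    action: str  # "deleted" or "pseudonymized"
    reason: str


def pseudonymize(value: str, salt: bytes) -> str:
    """Replace a direct identifier with a salted hash. This is pseudonymization,
    not full anonymization: the secret salt must be protected, and aggregate
    use is the only purpose the result should serve."""
    return hashlib.sha256(salt + value.encode()).hexdigest()[:16]


def is_expired(rec: PersonalRecord, now: datetime) -> bool:
    limit = RETENTION_BY_PURPOSE.get(rec.purpose)
    return limit is not None and now - rec.collected_at >= limit


def request_erasure(records: list[PersonalRecord], subject_id: str) -> bool:
    """Right-to-erasure / consent-withdrawal request. Returns True if any record
    for the subject was flagged; the next retention run deletes it."""
    hit = False
    for rec in records:
        if rec.subject_id == subject_id and not rec.erased:
            rec.consent_withdrawn = True
            hit = True
    return hit


def apply_retention(records: list[PersonalRecord], now: datetime, salt: bytes) -> list[AuditEvent]:
    """Delete records whose subject withdrew consent; pseudonymize records whose
    retention period has ended. Returns audit events for what was changed."""
    events: list[AuditEvent] = []
    for rec in records:
        if rec.erased:
            continue
        if rec.consent_withdrawn:
            rec.email, rec.ip_address, rec.erased = "", "", True
            events.append(AuditEvent(now, rec.subject_id, "deleted", "consent withdrawn"))
        elif is_expired(rec, now):
            rec.email = pseudonymize(rec.email, salt)
            rec.ip_address = pseudonymize(rec.ip_address, salt)
            rec.erased = True
            events.append(AuditEvent(now, rec.subject_id, "pseudonymized", "retention period expired"))
    return events


def build_sample_records(now: datetime = DEMO_NOW) -> list[PersonalRecord]:
    """Constructed sample data (example.com addresses, TEST-NET-3 IPs)."""
    return [
        PersonalRecord("s1", "alice@example.com", "203.0.113.5", "active_account", now - timedelta(days=900)),
        PersonalRecord("s2", "bob@example.com", "203.0.113.6", "marketing_consent", now - timedelta(days=400)),
        PersonalRecord("s3", "carol@example.com", "203.0.113.7", "support_ticket", now - timedelta(days=30)),
    ]


if __name__ == "__main__":
    recs = build_sample_records()
    for ev in apply_retention(recs, DEMO_NOW, b"demo-salt"):
        print(ev)
    request_erasure(recs, "s3")
    for ev in apply_retention(recs, DEMO_NOW, b"demo-salt"):
        print(ev)
```

On the first run only the 400-day-old marketing record is touched, because its purpose has a 365-day limit; the active account has no expiry and the 30-day-old ticket is within its window. After `request_erasure("s3")` the next run deletes that record outright, which is the behaviour the right to erasure calls for, while the audit trail records what happened and why without retaining the identifiers themselves.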

Breach notification requirements

Under the GDPR, organizations must notify the appropriate Supervisory Authority of a data breach involving personal data within 72 hours of discovery. If the breach poses a high risk to individuals’ rights and freedoms, affected users must also be informed. This requirement ensures timely response and transparency in the event of an incident.

Steps to GDPR compliance

Achieving GDPR compliance requires more than a one-time checklist—it involves understanding your data landscape, evaluating controls, and preparing to respond to incidents. Here are three essential steps to help guide your organization toward compliance.

Map your data and access scope

Start by gaining visibility into the personal data your organization collects and stores. Understand what data you have, where it resides, who has access to it, and why it's being collected—then enforce access policies using identity and access management (IAM) tools. This foundational step lets you restrict access, reduce unnecessary data exposure, and support broader exposure management by identifying and minimizing where personal data may be at risk.

Assess your security controls and programs

Evaluate the effectiveness of your current security measures—not just your technology, but also your people and processes. Regularly scan for vulnerabilities, test controls, and identify weak points that may expose personal data—aligning your efforts with a broader cybersecurity risk management strategy. This is also a good time to align your security posture with other compliance frameworks your organization may follow.

Establish and test breach notification processes

The GDPR requires organizations to notify authorities of qualifying data breaches within 72 hours. To meet this requirement, develop a formal breach notification plan that includes incident response workflows, threat detection capabilities, and internal communication procedures. Run tabletop exercises to ensure your teams are prepared to act quickly and accurately in a real event.
