February 9, 2026 15 min read

GDPR compliance requirements guide: What GRC managers need to know

In 2016, the European Union’s (EU) General Data Protection Regulation (GDPR) came into force. The EU gave companies two years of leeway to prepare policies and processes, and as of May 25, 2018, preparation gave way to mandatory compliance.

Today, failure to comply with GDPR can cost companies 4% of their global revenue, or €20 million, whichever is higher. Since the EU began enforcing the regulation and collecting fines, companies have paid more than €6 billion.

To reduce risk and avoid fines, governance, risk, and compliance (GRC) managers need to understand GDPR basics, identify key requirements, navigate common challenges, and create practical processes to operationalize GDPR compliance.

Not sure where to start? We’ve got you covered with our 2025 GDPR compliance guide.

What is GDPR, and who must comply?

According to the official EU webpage, GDPR “is the toughest privacy and security law in the world.” In part, this is because of its global scope. Any company that stores or uses the data of EU citizens, regardless of where they are headquartered or where they operate, is subject to GDPR requirements.

This means that a non-EU entity that collects data from EU citizens, such as email or IP addresses, is subject to GDPR. International agreements facilitate this extra-territorial jurisdiction. One recent example is Meta, which was fined €1.2 billion for a May 2023 breach of data transfer policies. The company was further ordered to bring its processes in line with GDPR expectations.

Core principles

GDPR lists seven data protection principles:

  1. Lawfulness, fairness, and transparency. All processing of personal data must be fair, lawful, and transparent. Individuals who have their data processed have the right to see how it is processed and ensure that processing does not violate any data privacy laws or create potential bias.
  2. Purpose limitation. Data may only be processed for the purpose stated at the time of collection.
  3. Data minimization. Companies should use the minimum amount of data required to accomplish the stated purpose.
  4. Accuracy. If you process personal data, records must be kept accurate and up to date.
  5. Storage limitation. Data may be stored only for as long as required to complete the specified purpose.
  6. Integrity and confidentiality. All data processing activities must be done in a way that ensures data security and integrity. Common security measures include data encryption or multi-factor authentication (MFA).
  7. Accountability. Data controllers must demonstrate compliance with all of these principles.

Scope of applicability

Any company that collects, stores, or processes the data from citizens or residents of EU countries must comply with GDPR.

It does not matter where the company is located or where the data is processed. If the data comes from an EU citizen or resident, the business is subject to GDPR. Common examples include the international sale of goods and services or the monitoring of user behavior.

Consider a US company that offers the ability to display prices in euros and ships to countries such as Germany, France, or other EU member states. This meets the criteria of GDPR applicability. The regulation is also applicable to businesses that collect information such as email addresses for marketing newsletters or sales offers.

It’s also important to note that GDPR applies to both data controllers and data processors. Data controllers may be employees or owners of a business who decide how information will be processed. Data processors, meanwhile, are third-party organizations that process data on behalf of controllers and are governed by a different set of GDPR rules.

There are two relevant exceptions to the GDPR rules. First are personal activities. For instance, if you go on a trip to Europe, make friends, and later email them about a potential meetup in the US, you’re not subject to GDPR. Secondly, organizations with fewer than 250 employees are exempt from GDPR obligations.

Key requirements GRC managers need to address

To ensure GDPR policies align with regulatory expectations, GRC managers must honor data subject rights and ensure that every processing activity rests on one of the legal bases the regulation recognizes.

Data subject rights

Data subject rights include:

  • Consent. Explicit consent for data collection is required. It must be “freely given, specific, informed, and unambiguous.”
  • Clarity. Any request for consent must be distinguishable from other requests and presented in plain language. This means consent requests can’t be part of other requests or concealed by technical or legal jargon.
  • Withdrawal. Individuals can withdraw their consent for data processing at any time. Individuals also have the right to erasure and the right to data portability — they can ask companies to erase provided data or ask to have their data moved somewhere else.
  • Amendment. If you change the legal basis for data processing, you must inform individuals and re-acquire their consent.
  • Documentation. Evidence of consent must be documented for all processing of personal data.

There are six legal reasons to process data under GDPR.

  1. Unambiguous consent. This is clear consent for a specific purpose, such as signing up for a marketing email or newsletter.
  2. Contract completion. This basis is used in the case of legal contracts that must be drafted or completed, such as those for bank loans or mortgages.
  3. Legal obligations. This basis applies when companies receive an order from courts or other public authorities that have the authority to request specific data.
  4. Life-saving measures. Using data without consent is permissible if the use of this data will save someone’s life. For example, if an individual is brought to the hospital unconscious and in serious condition after a car crash, medical teams can access their health data without consent.
  5. Public interest. Public interest applies if your company provides services for the public good, such as using healthcare data to reduce the risk of widespread contamination or infection.
  6. Legitimate interest. Legitimate interest is a catch-all lawful basis that helps cover cases that don’t clearly fit under any of the other headings. One example is a retail store using CCTV to help limit the risk of shoplifting or other crimes. So long as this data is not sold to third parties, it likely falls under the category of legitimate interest.

Challenges in meeting GDPR obligations

While GDPR is clear about business obligations, how those obligations are met is largely left up to companies. This creates potential challenges, such as:

Data mapping

Data silos and multiple data sources can cause visibility issues. For example, if marketing and sales teams use databases that are not easily accessible by other departments, the result may be the collection of EU resident data without the knowledge of GRC managers.

This can lead to blind spots in compliance. Consider a company that receives complaints due to unclear consent practices. If GRC managers can’t access collected data due to data silos or can’t easily track data across multiple sources, the result may be unintentional non-compliance. Ignorance of the law, however, is no excuse, meaning companies could be fined even if they’re not aware of any issues.

Manual processes

Manual processes are also problematic. For example, if data is collected and recorded using manual, labor-intensive operations, companies face two challenges: errors and inefficiencies.

Simple data-entry errors, such as not recording when and how consent was given, could lead to monetary fines. The process of manually sorting through data for evidence of consent or proof of legal basis, meanwhile, could require hours or days of work, time that could be better spent on other business objectives.

How to operationalize GDPR compliance

It’s one thing to understand the scope of GDPR and its potential penalties; it’s another to put compliance into practice. To operationalize GDPR, start with workflows and training.

Building workflows

GDPR-compliant workflows must be centralized and streamlined.

Two components are necessary to build these workflows:

  • Tools that support GDPR compliance. Companies need platforms capable of centralizing data storage and access. In most cases, this takes the form of software-as-a-service (SaaS) solutions capable of connecting with local stacks, private cloud, and public resources. These platforms allow GRC managers and their teams to better track and record collected data.
  • Automation. The evolution of artificial intelligence (AI) tools has laid the groundwork for tools that don’t just automate the collection of data but can intelligently separate and classify this data in alignment with compliance expectations. In addition, these tools should provide automatic breach notification if customer data is compromised.

To help manage compliance, many companies hire data protection officers (DPOs). While this is not a requirement for data privacy and processing activities, it can streamline the compliance process.

Training and governance

GDPR compliance doesn’t happen by accident. To ensure your teams are prepared to handle regulatory expectations, both training and governance are required.

Training should be mandatory and company-wide. Staff should be regularly trained in how to collect and use data and given clear expectations about documentation and reporting. It’s also important to note that training itself is not enough. Companies must also create corporate cultures that support GDPR compliance. This means providing the time and resources necessary for staff to manage collected data and encouraging employees to reach out with any questions or concerns.

Governance comes next. This is the province of GRC managers and their teams. Solid governance details how data is stored, who has access to this data, and under what circumstances. Governance policies should be regularly reviewed and updated to ensure ongoing compliance.

How AuditBoard supports GDPR compliance

If your company is audited or receives a complaint, you must be able to demonstrate where, when, how, and why sensitive personal data was collected. AuditBoard can help streamline this process.

Automated evidence tracking

If your organization is audited or receives a complaint about data use, you must be prepared to respond with evidence. This evidence is in the data. The AuditBoard platform automates the evidence collection, tracking, and review process, making it easier for GRC managers to find, capture, and report proof of compliance.

Continuous monitoring

Manually auditing your data privacy controls via sampling can be time-intensive and provide limited assurance. Empower teams to stay ahead of control failures with continuous monitoring. AuditBoard Accelerate automatically runs full-population testing on any schedule: pull in data directly from your systems; clean, transform, and test that data; send alerts when findings are identified; and track your control performance in real time.

Reporting and dashboards

Data isn’t inherently audit-ready. Customizable, role-based, ready-to-use dashboards from AuditBoard let you see your compliance against GDPR requirements live, surface any issues, and comply with GDPR reporting expectations.

GDPR compliance: Staying the course

It’s worth remembering that GDPR requirements are constantly evolving. For example, the European Commission published a proposal in May 2025 that would amend GDPR to raise the compliance threshold from companies with 250 employees to companies with 750 employees. In addition, the Commission recommended changes under which employers that collect special categories of data (e.g., employee health data) in an employment context would no longer trigger record-keeping obligations.

Bottom line? If your business collects, processes, or stores the data of any EU citizen or resident, you are likely to be subject to GDPR. While you may be exempt because of your company’s size, similar laws such as California’s CCPA and Brazil’s LGPD, along with other obligations such as those under HIPAA, SOC 2, and SOX, may apply. As a result, GRC managers are best served by creating and implementing policies and processes that ensure alignment with GDPR requirements.

Support your GDPR program by automating compliance, optimizing risk alignment, and increasing visibility for all three lines of defense. Discover how AuditBoard helps compliance teams stay ahead of evolving compliance expectations. Request a demo today.
