Category / Standard

GDPR Compliance: complete guide, articles and resources

General Data Protection Regulation — expert articles, practical resources, and solutions to structure your certification project.

Version
GDPR:Regulation (EU) 2016/679
Type
EU regulation (mandatory for organisations handling EU data)
Articles
0 published
Definition

What is the GDPR Compliance standard?

The GDPR (General Data Protection Regulation) is the EU regulation (EU) 2016/679 applicable since 25 May 2018. It defines the legal framework for processing personal data of EU residents, regardless of where the organisation processing them is based.

GDPR is built on fundamental principles: lawfulness, fairness, and transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, and accountability. It establishes individual rights (information, access, rectification, erasure, objection, portability, restriction).

GDPR applies extraterritorially: any US, UK, Canadian, or other non-EU company processing data of EU residents must comply. The ISO/IEC 27701 standard (privacy extension to ISO 27001) provides an auditable framework for demonstrating GDPR compliance. GDPR has also inspired similar laws (CCPA in California, LGPD in Brazil, PIPEDA in Canada).

Who is GDPR Compliance for?

GDPR applies to any organisation processing personal data of EU residents: companies, non-profits, government agencies, sole proprietors, public bodies — regardless of location. The regulation distinguishes between the data controller (who decides on purposes) and the data processor (who processes on behalf of the controller).

Why get certified?

GDPR compliance is mandatory with fines reaching 4% of global annual turnover or €20M (whichever is higher). Beyond compliance, it builds customer and partner trust, conditions market access (B2B contracts, public tenders), reduces breach and litigation risk, and structures data governance.

Version
GDPR:Regulation (EU) 2016/679
Certified
Mandatory when processing EU residents' data
Validity
Continuous compliance
Avg. timeline
6 to 12 months
Articles & guides

All our articles on GDPR Compliance

Articles coming soon. In the meantime, here is a selection from related standards.
Frequently asked questions

Everything you need to know about GDPR Compliance

Does GDPR apply to US companies?
Yes, GDPR applies extraterritorially. Any US company processing personal data of EU residents must comply — even without a physical EU presence. This is the case for any SaaS, e-commerce, or B2B company with European customers or users.
Is GDPR certifiable?
Not formally by EU data protection authorities. However, the ISO/IEC 27701 standard (privacy extension to ISO 27001) provides an auditable framework to demonstrate compliance. DPO certifications are also recognised by major authorities.
Who must appoint a Data Protection Officer (DPO)?
DPO appointment is mandatory in three cases: public authorities, core activities involving regular and systematic monitoring of individuals at large scale, and large-scale processing of sensitive data or criminal data. Voluntary DPO appointment is recommended for many other organisations.
What are the penalties for GDPR non-compliance?
Fines can reach 4% of annual global turnover or €20 million (whichever is higher). EU data protection authorities have issued fines of hundreds of millions of euros against major companies (Google, Meta, Amazon, TikTok).
How does GDPR compare to CCPA?
GDPR (EU) is broader in scope and stricter than CCPA (California Consumer Privacy Act). GDPR applies to all EU residents' data; CCPA applies to California residents only. Both cover similar rights (access, deletion, opt-out) but GDPR has stronger requirements on consent, data minimisation, and DPO appointment. A GDPR-compliant program covers most CCPA requirements.

Ready to start your GDPR Compliance project?

Download the documentation kit or speak with a consultant during a free 30-minute consultation.