10 GDPR Requirements You Must Know In 2024

10 GDPR Requirements You Must Know In 2024  

The General Data Protection Regulation (GDPR) isn’t just a compliance framework to help you protect personal data – it’s the law. Adhering to GDPR requirements is an essential aspect of keeping your employees, clients, and customers safe. Here are 10 essential requirements you must know to stay on the right side of GDPR in 2024.  


The current GDPR framework came into effect in the EU in 2018. It promotes lawfulness, transparency, and fairness of data collection and processing, as well as ensuring confidentiality for your clients, and your organisation’s accountability in these processes.  

According to CMS law firm’s Enforcement Tracker Report, 2,054,277,662 worth of fines have been issued for GDPR violations during 2023, more than any other year since GDPR was put into practice.   

Complying with GDPR requirements is essential to avoid these hefty penalties. Additionally, and on a lighter note, GDPR compliance helps solidify your organisation as a trustworthy and reliable choice for clients and customers.  

If you’re struggling with GDPR compliance or are starting a business, this list contains the most essential GDPR requirements that you should be aware of. We’ve also included some guidance to help you get started.  

Remember, if you need any assistance or clarification, Compleye is always here to help 

10 Essential GDPR Requirements  


1. Data Protection Officer (DPO) Appointment 


A DPO will assist with compliance, inform and guide employees and management on data protection, assist with Data Protection Impact Assessments, and keep in contact with public bodies and data subjects.


GDPR requirements concerning DPOs can be found in Article 37. These state that an organisation must appoint a DPO if it processes data on a large scale or if it uses that data to monitor individuals.  

To find out whether your organisation requires a DPO, you should: 

  • Consider the nature of your organisation and the industry you operate in  
  • Evaluate your data processing activities  
  • Determine the scale of your data processing 
  • Assess how you use data to monitor, profile and keep track of individuals  
  • Check with local regulatory bodies  
  • Document your assessments  
  • In certain cases you assign a Privacy Officer in your team 
  • Reach out to Compleye for expert help 

2. Lawful Basis and Record of Processing Activities 


GDPR requirements, set out in Article 6, mandate that your organisation must have a recognised reason to process personal data. There are 6 lawful bases for processing personal data: 

  • Consent 
  • Contract 
  • Legal obligation 
  • Vital interests 
  • Public task 
  • Legitimate interests 

 The legal basis you have will depend on your organisation and the context of your data collection and processing. You may need to select more than one. 

Record of Processing Activities  

Article 30 outlines that your organisation’s lawful basis for data collection and processing must be documented in the Record of Processing Activities (ROPA).   

Your ROPA includes the contact details of your DPO, the categories of individuals whose data you collect and the kind of data you collect from them, the purposes of and lawful basis for data processing, data retention schedules, categories of those who receive personal data, records of transfers to third countries and the safeguards in place when doing so.  


3. Consent and Consent Management  


Remember we mentioned that GDPR compliance makes your customers feel more comfortable sharing their data with you? Well, in 2019, DMA found that 62% of consumers in the UK feel more comfortable about sharing their data with organisations because of GDPR. This is largely due to some of the most important GDPR requirements that pertain to the consent of data subjects.  


According to Articles 7 and 32, your organisation must gain consent from every individual whose data you intend to collect and process. Consent must be: 


Freely given – Data subjects must be given a choice as to whether you can process their data, with the option to decline. Consent must be given voluntarily.  


InformedData subjects must be made aware of what data you will collect, how you intend to use their data, and how they can withdraw their consent. These must be shared using plain language.  


Specific – Data subjects should be made aware of your specific data processing intentions depending on how they interact with your organisation. They should be given the option, if possible, to consent to different kinds of data processing.  


Unambiguous – Your organisation should make it as easy as possible for data subjects to make their choice. A clear ‘yes’ or ‘no’ is best. Do not use opt-out options.  


Your organisation will need to document who has consented, how and when they consented, and exactly what they consented to. If your purposes for collecting data or  intentions for data processing change, consent should be renewed.  


Generally, children 16 and under cannot consent to the collection and processing of their data. In these cases, you should seek their parents’ or guardians’ consent with a Parental Consent Form.  


4. Data Subject Rights 


GDPR requirements under Article 15 state that your business must adhere to the inherent rights of data subjects. These include: 


Right of access – Subjects can view the data you have collected 


Right to rectification – Subjects can correct any mistaken data you hold 


Right to erasure – Subjects can have their data erased and be ‘forgotten’ from your data storage systems 


Right to restriction of processing – Subjects can request that you collect and store data but not process it 


Right to data portability – Subjects maintain ownership of their data and can use it as they like 


Right to object – Subjects can object to the processing of their data and withdraw consent 


Data subjects can invoke these rights by making a Subject Access Request to your DPO or controller. You must reply to requests within a month and clearly state a timeline for compliance or valid reasons for non-compliance.  


For Compleye’s expert advice on GDPR rights and how to incorporate them into your policies, check out our post here 


5. Data Minimisation – Privacy by design 


A significant principle of GDPR compliance is data minimisation. As you may be able to guess, this means your organisation should minimise the amount of data it collects from individuals. Your engineering team can adopt Privacy by design to ensure data minimisation 


You should only collect types of data that are necessary to your processing aims, and you should be able to prove that the data you’re collecting is relevant to these aims. Additionally, you should regularly review the data you hold and erase what you no longer need.  

 6. Data Protection Impact Assessments (DPIAs)  


Conducting DPIAs is among the most important GDPR requirements. If you intend to process data in a way that may infringe on the rights and freedoms of your data subjects, you will need to carry out a DPIA before you begin to process data.  


For example, if you intend to systematically monitor individuals using sensitive data like biometric information or criminal records, your data controller will need to conduct a DPIA. You should store your DPIA internally, but be prepared to share it with regulatory bodies if a request is made. More info about DPIAs can be found in GDPR Article 35.  


DPIAs describe your processing intentions, assess the necessity of the processing, explain how you will apply data minimisation, describe and qualify any risks, put controls in place to mitigate these risks, and document the advice of your DPO if you have one.  


7. Security Measures  


A 2020 report by RSM found that 52% of board members surveyed believed GDPR had led to increased investment in their organisation’s cybersecurity. This is because GDPR also mandates that data should be protected from destruction, loss or theft. 


Determine what security measures your organisation will need to put in place and document these in an Information Security Policy. These security measures may be:  

  • Pseudonymisatio 
  • Data encryption  
  • Firewalls 
  • Access controls  
  • Authentication mechanisms  
  • Confidentiality and processing training  


You should conduct regular security audits to check the resilience of your data storage and processing systems. You will also need to make sure that data is retrievable and accessible following a breach. You can find out more in GDPR Article 32.  

Data Transfers  

Your organisation can transfer data to a third country or another organisation so long as appropriate safeguards are in place. You will need to ensure, preferably contractually, that the receiving organisation does not infringe on the rights of your data subjects.  

Transferred data must be stored correctly and for a minimum amount of time, and no unnecessary data should be processed. Finally, you must inform subjects of any organisations with whom you have shared their data and why.  


Here’s a little more information about GDPR and privacy from Compleye’s compliance team 


8. Notification of Data Breaches 


Following on from GDPR requirements concerning data security, the framework also mandates that any breach of data resulting in a risk to the rights and freedoms of data subjects be reported to a relevant body, usually within 72 hours. 


GDPR Article 4 defines a data breach as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.” 


According to Article 33, your Data Breach Notification Form to the Supervisory Authority should include:  

  • The type of breach (destruction, alteration, loss etc.) 
  • The approximate number of subjects affected 
  • The categories of data affected  
  • The consequences, both apparent and assumed, of the data breach  
  • Measures taken to mitigate the consequences  
  • Measures taken to restore access to data 
  • The contact details of your DPO 
  • Reasons for any delays in notification (if applicable)  

If you have determined that the data breach could affect the rights and freedoms of your data subjects, notify those individuals of the breach and your subsequent mitigating measures as soon as possible with a Data Breach Notification Form to Data Subjects.  


9. Employee Training  


Although there is no explicit requirement within the GDPR compliance framework for employee training, compliance is made much easier with informed employees.  


Employee GDPR training should cover:  

  • Current standards for data protection  
  • Data Subject Rights  
  • Where and how data is stored  
  • Who can access data and when 
  • How to handle requests for information 
  • Data Breach Response Procedures 
  • Any other internal GDPR compliance processes   
  • How employees can reach out to controllers or a DPO 

Employee training should be given to new starters before they begin working with subjects’ data, and refreshers should be given at least annually.  


10. Other Documentation  


Aside from the documents already mentioned in this article, there are several other documents your organisation will need to create, maintain, review and update when necessary. These include but are not limited to:  

  • Personal Data Protection Policy 
  • Data Retention Policy 
  • Supplier Data Processing Agreement 
  • Privacy Notice  
  • Employee Privacy Notice 

Many of these documents will be shared with your data subjects, so ensure they’re written in plain language.  


Need help with creating compliant GDPR documentation? Compleye is here to advise and help you revise. Check out our GDPR package for more information.  


In Conclusion…  


GDPR is a comprehensive yet complex legal framework. As a result, compliance means adhering to a variety of equally comprehensive yet complex requirements.  


With the simplifications of the most important GDPR requirements listed above, you can get to work understanding GDPR and implementing measures to adhere to the regulation.  


GDPR compliance takes time, effort, resources, money, and a commitment from all employees in your organisation and third parties you work with. But, compared to the penalties your organisation can face for non-compliance, it’s definitely worth it.  

Table of Contents

Compliance Platform for Tech Companies

All-in-One DIY Compliance Platform to help tech businesses towards their ISO 27001, ISO 9001, or SOC-2 certification and stronger performance on privacy and security. Ready?