Instant downloadAuditor-writtenSecure Stripe checkout
GDPR Compliance: Best Practices Guide 2026 — ISO Toolkits

GDPR Compliance: Best Practices Guide 2026

GDPR compliance means meeting the obligations of the EU General Data Protection Regulation (EU Regulation 2016/679), which has applied across the European Union since 25 May 2018. If your organisation collects, stores, or otherwise processes the personal data of people in the EU, the Regulation sets out how you must do it lawfully, fairly, and transparently — and what can go wrong if you do not. This guide explains the core principles, lawful bases, individual rights, and practical steps that underpin a defensible compliance programme.

This article is general guidance only and is not legal advice.

What GDPR compliance actually means

GDPR compliance is not a single certificate you obtain once. It is an ongoing state in which your data processing activities align with the Regulation’s principles and you can demonstrate that alignment on request. The GDPR applies to organisations established in the EU, and also to organisations outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU.

Two roles sit at the centre of the framework. A controller determines the purposes and means of processing personal data. A processor processes personal data on the controller’s behalf. Your obligations differ depending on which role you hold, and many organisations act as both across different activities.

The core principles behind GDPR compliance

Every processing activity should be traceable back to the Regulation’s principles. These are the foundation on which the rest of your programme is built:

  • Lawfulness, fairness and transparency — process data on a valid legal basis and tell people clearly what you do.
  • Purpose limitation — collect data for specified, explicit purposes and do not reuse it in incompatible ways.
  • Data minimisation — collect only what is adequate, relevant, and necessary.
  • Accuracy — keep personal data accurate and up to date.
  • Storage limitation — keep data in identifiable form no longer than needed.
  • Integrity and confidentiality — protect data with appropriate security measures.
  • Accountability — be able to demonstrate compliance with all of the above.

Accountability is the principle that turns good intentions into evidence. Supervisory authorities expect documented policies, records, and decisions — not verbal assurances.

The six lawful bases for processing

You cannot process personal data without a lawful basis. The GDPR provides six, and you must identify the correct one before processing begins. The table below summarises them.

Lawful basisWhen it typically applies
ConsentThe individual has given clear, freely given, specific, informed agreement.
ContractProcessing is necessary to perform a contract with the individual, or to take steps before entering one.
Legal obligationProcessing is necessary to comply with the law (excluding contractual obligations).
Vital interestsProcessing is necessary to protect someone’s life.
Public taskProcessing is necessary for a task in the public interest or official authority.
Legitimate interestsProcessing is necessary for your legitimate interests, balanced against the individual’s rights.

Consent carries particular conditions: it must be as easy to withdraw as to give, and it cannot be bundled or assumed from silence. Where you rely on legitimate interests, a documented balancing assessment is expected.

Data subject rights you must be able to honour

The GDPR gives individuals a set of enforceable rights over their personal data. A compliant organisation has processes to recognise a request, verify identity, and respond within the Regulation’s timeframes. The rights include:

  • Right of access — to obtain confirmation and a copy of their personal data.
  • Right to rectification — to have inaccurate data corrected.
  • Right to erasure — the “right to be forgotten,” in defined circumstances.
  • Right to restriction — to limit how their data is used.
  • Right to data portability — to receive data in a structured, commonly used, machine-readable format.
  • Right to object — including to direct marketing and certain processing.
  • Rights around automated decision-making — including profiling that produces legal or similarly significant effects.

These rights are not absolute; several carry exemptions and conditions. The point of compliance is knowing when a right applies and being able to act on it consistently.

Building a GDPR compliance programme step by step

Achieving GDPR compliance is a practical exercise. The following steps map the Regulation’s requirements onto an operational programme.

1. Map your data and keep records of processing

Know what personal data you hold, where it came from, why you have it, who you share it with, and how long you keep it. Records of processing activities are a formal requirement for many organisations and the backbone of accountability.

2. Confirm a lawful basis for each activity

Assign one of the six bases to every processing purpose, and document it. Where you rely on consent, ensure your consent mechanisms meet the standard.

3. Update transparency notices

Privacy notices must tell individuals, in plain language, who you are, what you do with their data, the lawful basis, retention periods, and how to exercise their rights.

4. Run DPIAs where risk is high

A Data Protection Impact Assessment (DPIA) is required where processing is likely to result in a high risk to individuals — for example, large-scale monitoring or systematic profiling. A DPIA identifies and mitigates risk before processing starts.

5. Manage processors with proper contracts

When you use a processor, a written agreement setting out the required terms is mandatory. This governs how the processor may handle data on your behalf.

6. Prepare for breaches

Have a documented incident process so you can notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a personal data breach that meets the threshold. High-risk breaches may also require notifying affected individuals.

7. Appoint a DPO where required

A Data Protection Officer must be appointed in certain cases, such as large-scale monitoring or processing of special category data. Even where not mandatory, a clear owner for data protection strengthens accountability.

Governance, roles, and ongoing accountability

Sustained GDPR compliance depends on governance that does not lapse once the initial project ends. Assign ownership, train staff who handle personal data, review retention schedules, and re-run DPIAs when processing changes materially. Treat vendor onboarding, new product features, and marketing campaigns as triggers to reassess your data protection position.

The authoritative text of the Regulation, including recitals that aid interpretation, is available from the GDPR information portal. For binding interpretation in specific situations, consult your competent supervisory authority or qualified counsel.

What non-compliance can cost

Enforcement has real teeth. For the most serious infringements, fines can reach up to 20 million euro or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher. Beyond fines, organisations face corrective orders, reputational damage, and loss of customer trust. Demonstrable, well-documented compliance is also your best defence if a complaint or investigation arises.

Frequently asked questions

Who does the GDPR apply to?

It applies to organisations established in the EU that process personal data, and to organisations outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU — regardless of where the organisation is based.

Is GDPR compliance a one-time task?

No. It is an ongoing state. You must maintain records, review processing activities, respond to rights requests, and reassess risk whenever your data practices change.

What is the difference between a controller and a processor?

A controller decides why and how personal data is processed. A processor acts on the controller’s instructions. Controllers carry the primary accountability, but processors have direct obligations too.

How quickly must a data breach be reported?

Where a personal data breach meets the notification threshold, the controller should notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it.

Do we always need a Data Protection Officer?

Not always. A DPO is mandatory in specific circumstances, such as large-scale systematic monitoring or large-scale processing of special category data. Many organisations appoint one voluntarily to strengthen governance.

Does consent cover every kind of processing?

No. Consent is only one of six lawful bases. In many cases another basis — such as contract, legal obligation, or legitimate interests — is more appropriate. You should choose the basis that genuinely fits the activity.

GDPR compliance toolkit templates
The editable GDPR Toolkit — policies, RoPA, DPIA forms and processor agreements.

Related guides

Ready to move faster? Our editable GDPR (EU Regulation 2016/679) toolkit gives you the policies, records templates, DPIA forms, and processor agreements you need to build a defensible programme. Explore the GDPR toolkit and turn these requirements into ready-to-use documents.

Shopping Cart