A simple guide for GDPR compliance

What is GDPR?

The General Data Protection Regulation (GDPR) is a data privacy law introduced and approved by the European Commission and European Parliament, which went into effect in May 2018.

The GDPR provides rules and guidance to both European and non-European companies that collect, share, and manage data of their European users. It gives EU residents the right to know what data is collected about them, and how it’s stored, protected, and transferred. The GDPR also includes the right to be forgotten and the right to access. That means customers can request to see the collected data and ask for it to be deleted.

Do I need to be GDPR-compliant?

All companies that collect data of users in the European Union, no matter where they are based, must comply with the GDPR. Non-compliance could result in hefty GDPR fines, which are up to €20 million or 4% of annual worldwide turnover, whichever is bigger.

Protecting your users’ personal information by meeting GDPR compliance standards will affect the whole company as most of your procedures may have to be revised and adapted. However, there are no clear rules that would apply to every single organization. How to protect data will depend on the type of data your company processes.

Some GDPR consultants say that there’s no such thing as being 100% GDPR-compliant and meeting GDPR requirements is more about reviewing your data handling and processing activities from an ethical standpoint, rather than ticking boxes on a checklist. A good starting point is going through the seven principles of the GDPR.

GDPR requirements

GDPR has significantly impacted data privacy and security practices around the world, including those of companies based in the United States. To better understand the GDPR compliance requirements, it is essential to understand the core principles and provisions of the regulation.

First and foremost, GDPR requirements for US companies are applicable if the company processes the personal data of EU residents, regardless of the company's physical location. In essence, any US-based organization that deals with data from individuals residing in the EU must adhere to GDPR regulations.

One of the key GDPR security requirements is ensuring the protection of personal data against unauthorized access, loss, alteration, or destruction. To meet this requirement, companies must implement appropriate technical and organizational measures, such as encryption, access controls, and routine security assessments.

Furthermore, GDPR requirements for US companies include appointing a Data Protection Officer (DPO) if the organization engages in large-scale processing of sensitive data or systematic monitoring of individuals. The DPO should be responsible for monitoring compliance with GDPR, as well as providing guidance on data protection matters, and acting as a point of contact with data protection authorities.

Additionally, US companies must be transparent about the collection, processing, and storage of personal data. This involves providing clear privacy notices, obtaining valid consent from data subjects, and allowing individuals to exercise their rights under GDPR, such as the right to access, rectify, or erase their data.

The seven principles of GDPR

The seven principles of GDPR are as follows:

  1. Lawfulness, fairness, and transparency. Data should be processed in a lawful, fair and transparent way.

  2. Purpose limitation. Data should only be collected for specific and legitimate business purposes.

  3. Data minimization. The personal data collected should be limited to what is necessary for the purpose for which it was collected.

  4. Accuracy. All efforts, where necessary, should be made to keep the data up to date. If data is inaccurate or outdated, it should be deleted.

  5. Storage limitation. The data should only be stored for the amount of time needed to provide products or services. It can be kept longer only for archiving purposes in the public interest, for scientific or historical research purposes, or for statistical purposes.

  6. Integrity and confidentiality. The company should do all they can to ensure the security of personal data. They should protect it from unlawful access such as data breaches, as well as accidental loss, destruction or damage.

  7. Accountability. Most companies are required to keep records of data processing and to present them to supervisory authorities when needed.

How to be GDPR-compliant

Please note that the following information should only be taken as a rough guide. It is intended for general information purposes only and does not constitute legal advice. The GDPR legislation consists of 11 chapters, 99 articles, and nearly two hundred recitals, so to fully comply with the GDPR, we suggest getting legal advice from your legal counsel or the supervisory authority.

  1. Review all your data handling procedures

    Sit down and draw a map of how your company collects data from start to finish of your customer journey. It should help to identify points that need closer inspection. For example:

    • You may need to review your mailing and emailing lists. If you do not have legitimate grounds for processing your customers' data for marketing or other purposes, you cannot use such personal data. See if it is useful to create segmented lists for your European customers.

    • You need to check if you have legitimate grounds (e.g., consent, legitimate interest) for processing personal data for all different data collection channels, including events, newsletter subscriptions, or even paid lists.

    • Review your future EU marketing campaigns that might aim to collect user data — you may need to adapt the processes.

    At this stage, it’s also advisable to appoint one person (or the whole team) in your marketing department to consult with lawyers who specialize in the GDPR. This person or team should work closely with a data protection officer (DPO) if the DPO is appointed in the company. They will be able to review and approve your marketing campaigns.

  2. Make your website GDPR-friendly.

    If you have a website, you’re no doubt collecting data in one way or the other. To make your website comply with the GDPR, you should consider:

    • Including a cookie consent. All web forms should have a cookie consent informing visitors about the type of data you collect and giving them the option to opt in if they agree to such tracking.

    • Creating age verification. If your visitors are younger than 16 (the age limit might be different in some EU countries), the GDPR requires their parental consent to collect data. Make sure to include such verification.

    • Updating your data collection forms. These should state in easy-to-understand language what data is being collected and for what purpose (a full list of what information needs to be presented to a user can be found in Articles 13 and 14 of the GDPR). If your company operates outside of the EU, you should also consider adding a “Country of residence” field, so you can separate your databases if needed.

  3. Update your current database

    It’s advisable to update your database regularly. You can do so by sending your customers an email with an option to choose what type of information they want to receive. Then it’s more likely your customers won’t unsubscribe altogether. Any correspondence should also include an “Unsubscribe” or “Update your preferences” button.

    Also, don’t contact users who have previously unsubscribed. It’s prohibited by the Privacy and Electronic Communications Directive.

  4. Update your privacy policy

    One of the main aims of the GDPR is to make companies more transparent about their data processing activities, so you also need to update your privacy policy with all the changes you’ve implemented. Write it clearly and concisely. Your users should easily find information, including what data you collect, for what purpose, who you share it with and why, how it’s stored, how they can access that data, and how to request its deletion (you can find the full list of what your privacy policy must include in Articles 13 and 14 of the GDPR).

    Keep updating your privacy policy as and when you update your data processing practices. It’s also advisable to undertake regular privacy and security audits. Don’t keep anything in the dark. Inform your customers about any changes to your data processing techniques and any issues that may affect their privacy for better or for worse.

  5. Be prepared for the worst

    In case of a breach, the GDPR requires reporting it within 72 hours (with some exceptions). Thus it’s a good idea to prepare a data breach plan and educate your employees on what to do in such circumstances. You should consider:

    • How your customer-facing employees should respond to customers.

    • How you will handle social media channels and whether you will have enough staff to respond to all messages.

    • What channels you will use to inform the affected parties, like your customers and vendors, if necessary.

    • How you will inform the media and what channels you will use to provide updates.

    • How you will communicate about the breach internally.

    • What procedures you have in place if your customers want to file complaints or get refunds.

    • How you will ensure that this doesn’t happen again.

What is the right to be forgotten?

The right to be forgotten is a groundbreaking legal innovation that allows individuals to request the removal of specific information about themselves from the internet. This compelling concept emerged from the European Union, and is enshrined in the GDPR as a fundamental right of EU citizens.

At its core, the right to be forgotten embodies the notion that people should have control over their personal data and the ability to leave their past behind.

While the right to be forgotten is not absolute, there are clear-cut cases in which it applies. If the information is no longer relevant, inaccurate, or has been processed unlawfully, individuals can submit a request for its removal.


While the CCPA and GDPR share a common aim of improving consumers' privacy rights, the two have a few key differences.

Firstly, the two regulations differ in their reach as laws. The GDPR is generally thought of as a regulation that has broader scope as it applies to all organizations that collect and store individuals’ data within the European Union (EU) and European Economic Area (EEA). In contrast, the CCPA (California Consumer Privacy Act) applies only to for-profit organizations that meet certain revenue and data volume criteria and collect data on California residents.

Secondly, the CCPA and GDPR differ in the way they approach user consent. The CCPA does not mandate explicit consent for data collection unless the user is a minor. The GDPR, on the other hand, requires explicit consent for data collection.

Another notable difference between the two regulations is the type of laws that they are: GDPR is a regulatory law in nature, while CCPA is statutory. The simple takeaway here is that any violation of the CCPA can be used to file a civil lawsuit in the state of California, while GDPR has no direct impact on civil litigation, but can be incorporated into national laws.

Lastly, the enforcement and fines for non-compliance vary greatly. The GDPR is enforced by the EU and can impose penalties that go up to €20 million or 4% of annual global turnover, whichever is greater. The California Attorney General is the institution that enforces the CCPA; non-compliance can cost up to $2,500 per violation and $7,500 per intentional violation.

Is NordPass GDPR compliant?

At NordPass, we take data protection and privacy seriously. As a secure and reliable solution for managing sensitive information, NordPass strives to be fully GDPR compliant.

Zero-knowledge architecture ensures all sensitive data is encrypted locally on your device before it reaches our servers. This means we have no access to your passwords or any other data your company might store in NordPass, ensuring maximum privacy.

We value transparency, providing a detailed privacy policy that outlines our data processing practices, including data types collected, collection purposes, and security measures in place.

Furthermore, our robust security measures include multi-factor authentication (MFA) and biometric authentication, adding an extra layer of protection.

In the rare event of a data breach, we're dedicated to promptly informing affected users and relevant authorities, as required by GDPR regulations.

Remember, GDPR isn’t a one-off project and you shouldn’t treat it as such. It is about continuously working on improving your company’s privacy and security standards.

Choose NordPass for a dependable and transparent password management experience that will help you stay in line with compliance policies and mitigate the risk of data breaches.