What are the 7 GDPR requirements?

Overview of GDPR requirements

The General Data Protection Regulation (GDPR) is a comprehensive data protection regulation that was implemented in May 2018 to harmonize and strengthen the protection of personal data within the European Union (EU). It applies to all organizations that process personal data of EU residents, regardless of their location. The GDPR imposes seven key requirements that organizations must adhere to in order to comply with the regulation. These requirements include having a lawful basis for processing personal data, ensuring transparency and providing individuals with easily understandable privacy policies, collecting and processing data only for specific and legitimate purposes, implementing measures to ensure data accuracy and storage limitation, protecting personal data through appropriate security measures, and being accountable for compliance by establishing organizational measures and conducting regular data protection impact assessments. By fulfilling these requirements, organizations can ensure they are operating in accordance with the core principles of the GDPR and protecting the rights and freedoms of individuals.

Legitimate purposes

Legitimate purposes form a crucial aspect of the General Data Protection Regulation (GDPR) requirements, serving as a key principle for organizations that collect and use personal data. Under the GDPR, organizations must have a lawful basis to process personal data, and one such basis is legitimate purposes.

Legitimate purposes encompass the justifiable reasons for businesses to handle personal data. It allows organizations to process personal data as long as it is necessary for a specific purpose and aligns with the rights and freedoms of individuals. This principle prevents unlawful processing and ensures that personal data is not used in a way that unjustifiably intrudes upon the privacy of individuals.

Examples of legitimate purposes include:

  1. Fulfilling contractual obligations: Organizations may collect and use personal data to fulfill the terms of a contract with an individual.
  2. Compliance with legal obligations: Processing personal data may be necessary for organizations to comply with legal requirements imposed upon them.
  3. Protecting vital interests: Personal data processing may be justified to protect someone's life or ensure their physical safety.
  4. Conducting statistical or historical research: Organizations may process personal data for research purposes as long as the data is anonymized or pseudonymized.
  5. Marketing and advertising: Organizations can process personal data for marketing and advertising purposes if it is done in a way that respects individual rights and interests.

By adhering to the key principle of legitimate purposes, organizations can ensure that they have a lawful basis for collecting and using personal data while respecting the privacy and rights of individuals.

Unlawful processing

Unlawful processing is a key concept under the General Data Protection Regulation (GDPR), which governs the processing of personal data. It states that personal data can only be processed if there is a lawful basis for doing so. This means that organizations must have a valid reason and meet specific requirements in order to lawfully process personal data.

The GDPR defines six legal bases for processing personal data, as outlined in Article 6. These include:

  1. Consent: The individual has given their clear and explicit consent for their personal data to be processed.
  2. Contractual necessity: Processing is necessary for the performance of a contract with the individual or to take steps at their request prior to entering into a contract.
  3. Legal obligation: Processing is necessary to comply with a legal obligation imposed on the organization.
  4. Vital interests: Processing is necessary to protect someone's life or physical safety.
  5. Public task: Processing is necessary to perform a task carried out in the public interest or in the exercise of official authority.
  6. Legitimate interests: Processing is necessary for the legitimate interests pursued by the organization or a third party, unless overridden by the individual's rights and interests.

In addition to these legal bases, special category data, as defined in Article 9, requires an additional legal basis. Special category data includes sensitive information such as racial or ethnic origin, political opinions, religious or philosophical beliefs, genetic data, biometric data, health data, or data concerning a person's sex life or sexual orientation. For processing special category data, organizations must rely on one of the specified conditions outlined in Article 9.

Ensuring lawful processing of personal data is crucial for organizations to comply with the GDPR and protect the privacy rights of individuals. By understanding and adhering to the legal bases, organizations can avoid engaging in unlawful processing activities and maintain the trust of their customers and stakeholders.

Statistical purposes

Statistical purposes play a significant role in the collection and processing of personal data under the GDPR. The concept refers to the use of data for statistical analysis, research, or generating aggregated information that does not directly identify individuals. The aim is to gain insights and knowledge about patterns, behaviors, or trends within a specific population or group.

When it comes to collecting and processing personal data for statistical purposes, organizations must adhere to certain rules and guidelines. Firstly, the data collected must be anonymized or pseudonymized to prevent the identification of individuals. This ensures that individuals' privacy and confidentiality are protected.

Secondly, organizations must have a lawful basis for processing personal data for statistical purposes. This can be based on the legitimate interests pursued by the organization or a third party, public interest, or compliance with a legal obligation. It is essential to assess the balance between the organization's interests and the rights and freedoms of individuals.

Additionally, organizations must apply security measures to protect the personal data used for statistical purposes from unauthorized access, loss, or destruction. They must also comply with the principles of data minimization and storage limitation, ensuring that only the necessary data is collected and retained for statistical analysis.

Lastly, organizations should consider conducting a data protection impact assessment (DPIA) when processing personal data for statistical purposes in certain cases where the processing is likely to result in high risks to individuals. This assessment helps identify and mitigate potential privacy risks associated with the data processing activities.

Historical research purposes

Historical research purposes, as defined by the General Data Protection Regulation (GDPR), refer to the lawful and legitimate processing of personal data for historical, statistical, or scientific research purposes. This category allows organizations to collect and analyze personal data for the purpose of generating knowledge or understanding of past events, patterns, or trends.

To lawfully process personal data for historical research purposes, organizations must ensure they have a lawful basis for the processing. This can include obtaining the explicit consent of the individuals, provided that obtaining such consent is feasible and does not undermine the research's objectives. Alternatively, organizations can rely on other legal bases available under the GDPR, such as processing necessary for the performance of a task carried out in the public interest or for legitimate interests pursued by the organization or a third party.

When processing personal data for historical research purposes, organizations have to comply with specific requirements and considerations. They must de-identify the personal data, using techniques such as anonymization or pseudonymization, to prevent the identification of individuals. Additionally, organizations need to apply security measures to protect the data from unauthorized access, loss, or destruction.

Furthermore, organizations should take into account the principles of data minimization and storage limitation, ensuring that only the necessary data is collected and retained for the research. It is recommended to conduct a data protection impact assessment (DPIA) to assess and mitigate any potential risks to individuals' rights and freedoms. This helps to ensure compliance with the GDPR's principles and requirements while carrying out historical research purposes.

Storage limitation

Storage limitation is an essential concept within the GDPR requirements relating to the processing of personal data. It mandates that organizations should not retain personal data for longer than necessary for the purpose it was originally collected. However, there are circumstances where data can be stored for public interest, scientific, historical, or statistical purposes.

To ensure compliance with the storage limitation principle, organizations need to establish a retention period for the personal data they hold. This means determining an appropriate timeframe for which the data will be stored before it is securely deleted or anonymized. The chosen retention period must be justified and based on the specific purpose for which the data was collected.

In addition to setting a retention period, organizations must implement appropriate technical and organizational measures to protect individuals' rights and freedoms. This includes ensuring that the personal data is securely stored and protected against unauthorized access, loss, or destruction. Measures should be in place to prevent data from being kept indefinitely or used for purposes other than those initially specified.

By adhering to the storage limitation principle, organizations demonstrate their commitment to data protection and privacy in accordance with the GDPR requirements. It is crucial for businesses to understand and comply with this principle to safeguard individuals' personal data and maintain their trust.
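The following is an added illustration, not 6clicks code and not a GDPR-mandated tool, of how the storage limitation principle described above (and the anonymization/pseudonymization step required for the statistical and historical research purposes earlier on this page) can be enforced in practice. Every record carries the purpose it was collected for; a per-purpose retention table decides whether an expired record is deleted or, where the data is still needed for statistics, pseudonymized. The retention periods, the sample records, the key and the use of a keyed hash (HMAC-SHA256) for pseudonymization are all assumptions constructed for this example, not values taken from the page.

```python
"""
Retention enforcement with pseudonymization (added example, not 6clicks code).

Assumptions (constructed for the illustration):
  * RETENTION_POLICY maps a processing purpose to a retention period and the
    action taken once that period has passed.
  * Pseudonymization is done with a keyed hash, so the token cannot be rebuilt
    or reversed without the key, which must be held apart from the dataset.
    Pseudonymized data is still personal data under the GDPR, which is why
    the policy only uses it where the data is kept for statistical purposes.
"""
from dataclasses import dataclass
from datetime import date, timedelta
import hashlib
import hmac


@dataclass
class Record:
    record_id: str
    email: str
    purpose: str          # the purpose the data was collected for
    collected_on: date    # start of the retention clock


# Constructed retention policy: purpose -> (retention period, action when expired)
RETENTION_POLICY = {
    "contract": (timedelta(days=365 * 6), "delete"),
    "marketing": (timedelta(days=365 * 2), "delete"),
    "statistics": (timedelta(days=90), "pseudonymize"),
}


def pseudonymize(value: str, key: bytes) -> str:
    """Replace an identifier with a keyed, deterministic token (HMAC-SHA256)."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def apply_retention(records, today: date, key: bytes):
    """Apply the retention policy.

    Returns (kept, actions): the records that remain after the run and a map
    record_id -> 'keep' | 'delete' | 'pseudonymize' | 'review'. Records whose
    purpose has no documented retention period are flagged for review rather
    than silently kept or deleted, so the decision is recorded (accountability).
    """
    kept, actions = [], {}
    for r in records:
        if r.purpose not in RETENTION_POLICY:
            actions[r.record_id] = "review"
            kept.append(r)
            continue
        limit, expired_action = RETENTION_POLICY[r.purpose]
        if today - r.collected_on <= limit:
            actions[r.record_id] = "keep"
            kept.append(r)
        elif expired_action == "pseudonymize":
            actions[r.record_id] = "pseudonymize"
            kept.append(Record(r.record_id, pseudonymize(r.email, key),
                               r.purpose, r.collected_on))
        else:
            actions[r.record_id] = "delete"   # the record is not carried forward
    return kept, actions


# Constructed sample dataset for the demonstration run.
SAMPLE_RECORDS = [
    Record("r1", "alice@example.com", "contract", date(2020, 1, 15)),
    Record("r2", "bob@example.com", "marketing", date(2019, 3, 1)),
    Record("r3", "carol@example.com", "statistics", date(2023, 11, 1)),
    Record("r4", "dave@example.com", "statistics", date(2024, 1, 20)),
    Record("r5", "erin@example.com", "unknown", date(2024, 1, 1)),
]
TODAY = date(2024, 3, 1)
KEY = b"constructed-demo-key-store-separately"


def run_demo():
    """Run the policy over the sample data; returns (kept, actions)."""
    return apply_retention(SAMPLE_RECORDS, TODAY, KEY)


if __name__ == "__main__":
    kept, actions = run_demo()
    for rid, action in actions.items():
        print(f"{rid}: {action}")
    print("records retained:", [r.record_id for r in kept])
```

In the sample run the six-year contract record and the recent statistics record are kept, the five-year-old marketing record is deleted, the statistics record older than 90 days has its e-mail address replaced by a keyed token, and the record with an undocumented purpose is flagged for review. The point of the `review` outcome is that a missing retention period is itself a compliance gap to surface, not a case to resolve by guessing.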

Key principles of GDPR

The General Data Protection Regulation (GDPR) sets out key principles that organizations must follow when processing personal data. These principles are outlined in Article 5 of the legislation and are crucial for ensuring the protection of individuals' privacy rights.

The first principle is lawfulness, fairness, and transparency. This means that organizations must have a lawful basis for processing personal data, inform individuals about how their data will be used, and ensure that the processing is fair.

The second principle is purpose limitation. Personal data should only be collected for specified, explicit, and legitimate purposes. It should not be further processed in a way that is incompatible with these purposes.

The third principle is data minimization. Organizations should only collect and retain personal data that is necessary for the intended purpose. They should avoid collecting excessive or unnecessary data.

The fourth principle is accuracy. Personal data must be accurate and kept up to date. Organizations should take reasonable steps to correct or erase inaccurate data.

The fifth principle is storage limitation. Personal data should be kept in a form that allows identification of individuals for no longer than is necessary for the intended purpose. It should be securely deleted or anonymized once the retention period is over.

The sixth principle is integrity and confidentiality (security). Organizations must implement appropriate technical and organizational measures to protect personal data from unauthorized access, loss, or destruction.

The seventh and final principle is accountability. This is the only new principle under GDPR. Organizations are responsible for complying with the GDPR requirements and must be able to demonstrate their compliance. This includes documenting how personal data is handled, training staff on data protection measures, and promptly reporting data breaches to the appropriate authorities.

By adhering to these key principles, organizations can ensure that personal data is processed lawfully, transparently, and with the utmost respect for individuals' privacy rights.

Legal basis for processing personal data

Legal basis for processing personal data is one of the key requirements under the General Data Protection Regulation (GDPR). In order to collect, use, or disclose personal data, organizations must have a valid and lawful basis for doing so. This ensures that individuals' privacy rights are protected and that their data is not processed without their consent or a legitimate reason. The GDPR provides several legal bases for processing, including the necessity of processing for the performance of a contract, compliance with a legal obligation, protection of vital interests, consent, and legitimate interests pursued by the data controller or a third party. It is important for organizations to understand and properly determine the appropriate legal basis for their data processing activities to ensure compliance with the GDPR and maintain the trust and confidence of individuals.

Lawful basis for processing personal data

Lawful basis for processing personal data is a crucial aspect of the General Data Protection Regulation (GDPR). In order to process personal data in a lawful manner, organizations must meet specific criteria outlined by the GDPR.

Firstly, processing personal data must have a clearly defined lawful basis. This could include obtaining the explicit consent of the individual, fulfilling a contract, complying with a legal obligation, protecting vital interests, performing a task in the public interest, or pursuing legitimate interests. These criteria ensure that personal data is processed with a justified purpose.

Transparency is another essential principle under the GDPR. Organizations must provide individuals with concise, easily accessible, and clear information about their data processing activities. This includes informing individuals about the purposes of data processing, the lawful basis for processing, and any legitimate interests pursued by the organization.

By adhering to the principles of transparency and lawful basis, organizations can ensure that the processing of personal data is done in a fair and lawful manner. It not only builds trust with individuals but also helps organizations avoid potential legal complications and hefty fines.

Protection principles of GDPR

The protection principles of GDPR play a crucial role in ensuring data privacy and compliance with the requirements of the regulation. These principles provide guidelines and best practices for businesses to handle personal data responsibly and securely. Here are the 7 guiding principles of GDPR and how they contribute to data protection:

  1. Lawfulness, Fairness, and Transparency: This principle emphasizes the need for organizations to process personal data legally, fairly, and transparently. Businesses should have a clear lawful basis for processing data and provide individuals with easily accessible information about their data processing activities.
  2. Purpose Limitation: Organizations must collect and process personal data for specified and legitimate purposes. This principle discourages indiscriminate data collection and ensures that data is not used for purposes unrelated to the original intent.
  3. Data Minimization: Businesses should only collect and retain personal data that is necessary for the intended purpose. Unnecessary and irrelevant data should be avoided to minimize privacy risks and comply with GDPR.
  4. Accuracy: Personal data should be accurate and up-to-date. Organizations should take reasonable steps to rectify or erase inaccurate data promptly, ensuring that individuals are not adversely affected by incorrect information.
  5. Storage Limitation: Personal data should be kept in a form that enables identification of individuals for no longer than necessary. Businesses should establish data retention policies to delete or anonymize data when it is no longer needed.
  6. Integrity and Confidentiality: Organizations must implement appropriate security measures to protect personal data from unauthorized access, disclosure, alteration, or destruction. Robust technical and organizational measures should be in place to safeguard data integrity and confidentiality.
  7. Accountability: This principle requires businesses to demonstrate compliance with GDPR by implementing appropriate policies, procedures, and documentation. Conducting data protection impact assessments, appointing a data protection officer, and maintaining records of processing activities are some best practices to ensure accountability.

By following these protection principles, businesses can enhance data privacy and compliance with GDPR requirements. It also helps build trust with individuals, protects against potential legal consequences, and promotes responsible data management practices.