GDPR Requirements

Summary and history of the GDPR

GDPR was designed to replace the outdated 1995 EU Data Protection Directive. With the explosion of digital services, social media, and cross-border data flows, the old directive no longer offered sufficient protection.

Key milestones

• 1995 - EU Data Protection Directive established.
• 2012 - First proposal for GDPR reform introduced.
• 2016 - GDPR adopted by the European Parliament.
• May 25, 2018 - GDPR officially enforced.

The regulation represented a major step toward harmonizing data protection across all EU member states and strengthening individuals' rights in the digital age.

The challenge of complying with GDPR requirements

When the European Union’s General Data Protection Regulation (GDPR) came into effect in May 2018, it marked the most significant change to global data protection law in decades. Organizations everywhere were suddenly required to re-examine how they handle, protect, and manage personal data.

Any company that processes the personal data of EU residents—regardless of its physical location—must comply with GDPR. The regulation grants EU residents new rights over their data: the right to know how it’s used, the right to have it deleted, and the right to give or withdraw consent. Companies are also required to respond to data subject requests within one month.

As organizations adapt to this reality, one area remains particularly complex: email management. With email still the backbone of business communication—and the number one attack vector for cybercriminals—organizations need reliable, scalable solutions to ensure GDPR compliance without overwhelming IT teams.

Key principles of GDPR

The General Data Protection Regulation (GDPR) is underpinned by seven fundamental principles that shape how personal data must be collected, managed, and protected. These principles serve as the framework for compliance and help organizations build trust with customers, employees, and regulators.

Lawfulness, fairness, and transparency

At the heart of GDPR is the expectation that organizations process data in ways that are lawful and fair. This requires companies to be transparent about how they collect, use, and share personal information. Individuals must be informed in clear, straightforward language about why their data is being processed and how it will be safeguarded.

Purpose limitation

Personal data may only be collected for specified, legitimate purposes. Once collected, it cannot be processed in ways that extend beyond those original purposes. This prevents organizations from reusing data inappropriately or for undisclosed objectives, reinforcing respect for individual privacy.

Data minimization

Organizations are expected to collect and retain only the data necessary to achieve the stated purpose. This principle discourages the accumulation of unnecessary personal information and limits exposure if a breach occurs. By minimizing data collection, organizations reduce compliance risks and strengthen data security.

Accuracy

GDPR emphasizes that personal data must be accurate and kept up to date. Organizations are required to establish processes that correct inaccuracies quickly and prevent outdated information from being stored. This protects individuals from the potential harm caused by incorrect or misleading data.

Storage limitation

Data should not be stored longer than necessary. Organizations must implement retention schedules that define when data will be deleted or anonymized. Storage limitation prevents the long-term buildup of personal information, which can create both compliance risks and unnecessary data management costs.

Integrity and confidentiality

Personal data must be processed securely to prevent unauthorized access, alteration, or loss. This principle encompasses both technical safeguards, such as encryption, and organizational measures, such as access controls and monitoring. Protecting the confidentiality and integrity of data is critical for compliance as well as for maintaining trust with stakeholders.

Accountability

Finally, GDPR requires organizations to take responsibility for their data practices. Accountability means being able to demonstrate compliance with all principles through documentation, audits, and proactive risk management. It reinforces the idea that compliance is not just a legal requirement but also a commitment to responsible data stewardship.

Mimecast’s suite of email archiving, continuity, and security solutions directly supports these GDPR principles. By offering tamper-proof storage, advanced search, and automated policy enforcement, Mimecast helps organizations maintain accuracy, integrity, confidentiality, and accountability for email data—one of the most critical and heavily regulated forms of business communication.

Scope, penalties and key definitions

Scope

GDPR applies to:

• All organizatitons operating withing the EU.
• Non-EU organizations that process personal data of EU residents.

This extraterritorial scope means GDPR has become a global benchmark for data protection.

Penalties

The regulation enforces two tiers of fines:

• Up to €10 million or 2% of global annual turnover for lesser infringements (e.g., poor recordkeeping).
• Up to €20 million or 4% of global annual turnover for severe violations (e.g., failing to obtain consent, mishandling sensitive data, or ignoring data subject rights).

Key definitions

• Personal data - any information relating to an identifiable person (e.g., name, email address, IP address).
• Data controller - the entity that determines how and why personal data is processed.
• Data processor - the entity that processes personal data on behalf of a controller.
• Data subject - the individual whose personal data is being collected or processed.

GDPR compliance requirements explained

To comply with GDPR, organizations must:

• Obtain clear consent before collecting or processing data.
• Provide individuals with access to their data upon request.
• Allow individuals to request corrections or deletion of their data.
• Implement measures to protect personal data, including encryption and access controls.
• Report data breaches within 72 hours of discovery.
• Maintain detailed records of processing activities.
• Conduct data protection impact assessments (DPIAs) where high risks are identified.
• Appoint a Data Protection Officer (DPO) when required.

These requirements demand both policy changes and technical solutions—making SaaS platforms like Mimecast critical to compliance.

GDPR Compliance Checklist

Meeting GDPR obligations requires organizations to address multiple dimensions of data protection. Instead of a simple list, the following framework highlights the areas that IT teams, compliance officers, and business leaders must prioritize.

Data discovery and mapping

The first step in compliance is understanding the scope of personal data held by the organization. Businesses must identify what personal data is collected, where it is stored, and how it is processed across systems. Mapping data flows—both internal and external—creates the foundation for managing risk and demonstrating compliance to regulators.

Consent tand retention practices

GDPR places a strong emphasis on consent. Organizations need to implement clear, opt-in consent mechanisms that are easy to understand and withdraw. Alongside consent, retention policies must be defined to ensure personal data is only stored for as long as necessary. Establishing timeframes for deletion not only complies with the regulation but also reduces exposure in the event of a breach.

Security and access controls

Robust security measures are essential to GDPR readiness. Encryption, backup strategies, and secure storage protect personal data from unauthorized access or loss. Just as important is granting data subjects the ability to access their information easily. Organizations must have systems in place to respond promptly to subject access requests and provide individuals with copies of their personal data upon demand.

Rights of individuals and incident response

GDPR gives individuals the right to request erasure of their data. Companies must establish reliable processes for handling these requests and removing data across archives and live systems. At the same time, an incident response plan is critical. Organizations are obligated to detect, investigate, and report breaches within 72 hours, which requires both preparation and defined communication procedures.

Risk assessments and training

High-risk processing activities demand additional scrutiny. Conducting Data Protection Impact Assessments (DPIAs) helps organizations evaluate potential risks and take steps to mitigate them before harm occurs. Complementing this, regular employee training ensures staff understand their responsibilities under GDPR. Awareness programs reinforce a culture of compliance and reduce the likelihood of accidental violations.

Vendor and third-party management

Compliance does not end within the organization. Many businesses rely on third-party processors, and GDPR requires that these partners meet the same standards of protection. Vendor management programs should include contractual Data Processing Agreements (DPAs) and regular checks to validate compliance. This ensures accountability extends across the entire data ecosystem.

By approaching GDPR readiness through these interconnected areas, organizations can build a strong compliance posture. With solutions such as Mimecast’s secure email archiving, advanced threat protection, and automated e-discovery tools, IT teams gain the support they need to implement these practices efficiently and consistently.

GDPR forms and templates

To manage compliance efficiently, organizations should prepare standardized forms and templates in line with the gdpr regulation and guidance from the european commission, and maintain them as part of sound data governance such as:

• Consent forms - explicitly outlining what data is collected and why, referencing the relevant gdpr article and the lawful purposes of data processing.
• Data Subject Access Request (DSAR) forms - allowing individuals to request access to their data.
• Data breach notification templates - ensuring timely communication to authorities and affected individuals (a core gdpr requirement).
• Data processing agreements (DPAs) - formal contracts between the data controller and processors that define responsibilities for each data processing activity.

Maintain a lightweight GDPR compliance checklist to confirm each form/template includes required fields and contacts. Mimecast supports these processes with compliance-ready reporting and e-discovery tools, simplifying the management of DSARs and audit preparation to help teams stay gdpr compliant while reinforcing data security.

Data protection and working remotely

Remote work has increased data protection challenges:

• Unsecured networks: employees working from home may connect via insecure Wi-Fi.
• Shadow IT: use of unsanctioned apps can bypass compliance policies.
• Device management: personal devices may lack encryption or up-to-date security patches and data security controls.

GDPR compliance requires organizations to extend security controls to remote environments. Mimecast helps by providing:

• Secure, cloud-based email access from any location, backed by strong cloud security.
• Advanced threat protection against phishing attacks that often target remote workers.
• Centralized archiving to enforce retention policies regardless of where employees work.

Why proactive GDPR compliance matters

GDPR has transformed the global data protection landscape. Its emphasis on transparency, accountability, and individual rights requires organizations to rethink how they handle personal information—particularly in email, where sensitive data is constantly exchanged.

Compliance is not optional. Organizations face financial, operational, and reputational consequences if they fall short (including heightened data breach risk). But with the right strategy and technology, GDPR compliance can be achieved more easily, reducing administrative burden while strengthening customer trust.

Mimecast provides organizations with the advanced email security, archiving, and continuity tools needed to meet GDPR obligations efficiently. From defending against cyber threats to simplifying data subject requests, Mimecast enables IT teams to maintain compliance while focusing on business growth.

For companies seeking a proven, trusted partner in GDPR compliance, Mimecast offers impact from day one - and ongoing protection for the future.