
GDPR Compliance: Complete Guide for 2026 (Articles 28, 32, 33, 34)
GDPR compliance guide for 2026: checklist, Articles 28/32/33/34 requirements, latest fines (€7.1B total), and how to demonstrate compliance as a data controller and processor.
GDPR Compliance: Complete Guide for 2026
Regulation (EU) 2016/679 has been enforceable since May 25, 2018. Total fines now exceed €7.1 billion — with €1.2 billion issued in 2025 alone. For B2B companies operating in the EU, GDPR compliance is not optional: it governs how you collect, process, store, and protect personal data of every EU and EEA resident your business touches.
This guide covers everything you need to know: who must comply, the 2026 compliance checklist, the critical obligations under Articles 28, 32, 33, and 34, what happens when you fail, and how to demonstrate compliance to customers and regulators.
Jump to:
- Who Must Comply with GDPR
- GDPR Compliance Checklist for 2026
- Article 32: Security of Processing
- Articles 33 and 34: Breach Notification
- Article 28: Data Processing Agreements
- GDPR Fines and Enforcement in 2025–2026
- GDPR Compliance Software
- ISMS and Trust Center: Two Sides of the Same Coin
What Is GDPR Compliance?
GDPR compliance means that your organization processes personal data of EU/EEA residents in accordance with Regulation (EU) 2016/679 — the General Data Protection Regulation. The regulation applies whenever personal data (any information relating to an identified or identifiable natural person) is collected, stored, used, or transferred.
Compliance has four pillars:
- Lawfulness: Every processing activity requires a legal basis (consent, contract, legal obligation, vital interests, public task, or legitimate interests under Article 6)
- Transparency: Data subjects must know what data is collected, why, and for how long (Articles 12–14)
- Security: Appropriate technical and organizational measures protect personal data (Article 32)
- Accountability: Organizations must be able to demonstrate compliance at any time (Article 5(2))
For B2B SaaS and technology companies, compliance is particularly complex because most companies occupy two roles simultaneously: data controller (responsible for your own customer data) and data processor (handling data your customers entrust to your platform). Each role carries distinct obligations.
Who Must Comply with GDPR?
GDPR applies to any organization that:
- Is established in the EU or EEA, regardless of where the data is processed
- Is established outside the EU but offers goods or services to EU/EEA residents, or monitors the behavior of individuals in the EU (the "targeting criterion" under Article 3(2))
There is no minimum size threshold. A five-person SaaS startup with EU customers must comply. A US enterprise serving a single EU client must comply.
Specific obligations depend on your role:
| Role | Definition | Key obligations |
|---|---|---|
| Controller | Determines the purposes and means of processing | Legal basis, privacy notices, data subject rights, DPA with processors, DPIAs |
| Processor | Processes data on behalf of a controller | DPA with controller, security measures, breach notification to controller, sub-processor rules |
| Both | Most B2B SaaS companies | All of the above in each direction |
GDPR Compliance Checklist for 2026
Regulators in 2026 expect demonstrable, operational compliance — not just policies. Here is what needs to be in place:
1. Data Mapping and Records of Processing Activities (Article 30)
Maintain a complete inventory of every processing activity: what data is collected, from whom, for what purpose, on what legal basis, how long it is retained, and which processors receive it. Article 30 makes these records of processing activities (RoPAs) mandatory for most organizations.
2. Legal Basis for Every Processing Activity (Article 6)
Document the lawful basis for each processing activity before it begins. Consent must be freely given, specific, informed, and unambiguous — and withdrawable at any time. Legitimate interests require a balancing test. Processing without a documented lawful basis triggers the upper fine tier.
3. Privacy Notices (Articles 12–14)
Provide clear, plain-language privacy information to data subjects at the time of collection. The EDPB's 2026 coordinated enforcement action focuses specifically on Articles 12–14 transparency obligations, making this a priority for supervisory authorities across all EU member states this year.
4. Data Subject Rights Mechanisms (Articles 15–22)
Implement processes to respond to access requests (Article 15), rectification (Article 16), erasure (Article 17), restriction (Article 18), portability (Article 20), and objection (Article 21) within one month. The EDPB's 2025 coordinated action focused on the right to erasure — organizations without working deletion workflows were penalized.
5. Data Processing Agreements with All Processors (Article 28)
Every third-party vendor that processes personal data on your behalf requires a signed DPA. This includes cloud providers, analytics tools, CRM platforms, payment processors, and any subcontractors. See Article 28 requirements in detail below.
6. Technical and Organizational Security Measures (Article 32)
Implement encryption, pseudonymization, access control, multi-factor authentication, and regular security testing. Document these measures as Technical and Organizational Measures (TOMs). See Article 32 requirements below.
7. Data Protection Impact Assessments for High-Risk Processing (Article 35)
Conduct a DPIA before starting any processing "likely to result in a high risk" to individuals. High-risk categories include large-scale processing of sensitive data, systematic profiling, and new technologies. DPIAs must identify risks and document the mitigating measures adopted.
8. Data Protection Officer Appointment (Article 37)
Appoint a DPO if your core activities involve large-scale systematic monitoring of individuals or large-scale processing of special categories of data. Public authorities must always appoint a DPO.
9. Breach Detection and Notification Readiness (Articles 33–34)
Have a tested incident response process that can detect breaches quickly, assess their risk level, and notify the supervisory authority within 72 hours. See Articles 33–34 in detail below.
10. International Data Transfer Safeguards (Articles 44–49)
Personal data may only be transferred outside the EU/EEA to countries with an adequacy decision, or under appropriate safeguards (Standard Contractual Clauses, Binding Corporate Rules). Following the TikTok €530M fine in May 2025 for unlawful transfers to China, supervisory authorities are actively scrutinizing cross-border data flows.
Where an ISMS Contributes — and Where the GDPR Goes Further
A good ISMS (Information Security Management System) provides the structure for technical and organizational measures required by the GDPR. But the GDPR imposes two additional requirement layers that an ISMS as an internal governance system cannot address on its own:
- Operational breach notification obligations under Articles 33 and 34 — within tight external deadlines
- Binding obligations in the processor relationship under Article 28 — contractual, ongoing, and auditable
Article 32: Security of Processing
Article 32 requires "appropriate technical and organizational measures" to ensure a level of security appropriate to the risk. Relevant measures include:
- Pseudonymization and encryption of personal data
- Ability to ensure ongoing confidentiality, integrity, availability, and resilience of systems
- Ability to restore availability and access to personal data in a timely manner following a physical or technical incident
- A process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures
When assessing the appropriate level of security, organizations must take account of risks presented by processing — "in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed."
An ISMS supports Article 32. Articles 28, 33, and 34, however, impose obligations toward external parties (supervisory authorities, data subjects, and contracting partners) that an ISMS, as an internal governance system, cannot satisfy on its own.
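Pseudonymization is the first measure Article 32 names, and it is also what makes the Article 34(3)(a) exception available. The following is an added example, not code from the guide: a keyed-hash pseudonymiser where the key is the "additional information" that must be held separately from the pseudonymised records. The class name, the record layout and the sample records are assumptions constructed for the example.

```python
import hmac
import hashlib

# Added example of pseudonymisation with a keyed hash (HMAC-SHA256).
# Class and function names are assumptions; the sample records are constructed.


class Pseudonymiser:
    """Derives stable pseudonyms from identifiers using a secret key.

    The key is the separately held "additional information": a party that holds
    only the pseudonymised records cannot recover identifiers, and cannot
    recompute pseudonyms from guessable inputs (e-mail addresses) either, which
    a plain unkeyed hash would allow.
    """

    def __init__(self, key: bytes):
        if len(key) < 32:
            raise ValueError("key must be at least 32 bytes")
        self._key = key

    def pseudonym(self, identifier: str) -> str:
        # Normalise so the same person always maps to the same pseudonym,
        # which keeps records joinable without exposing the identifier.
        msg = identifier.strip().lower().encode("utf-8")
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def matches(self, identifier: str, pseudonym: str) -> bool:
        # Constant-time comparison when checking a claimed identifier.
        return hmac.compare_digest(self.pseudonym(identifier), pseudonym)


def pseudonymise_records(records, key: bytes):
    """Split a record set into pseudonymised records and a re-identification table.

    The returned lookup table (and the key) belong in a separate system with its
    own access control; the pseudonymised records can then be processed by
    analytics or support tooling without direct identifiers.
    """
    p = Pseudonymiser(key)
    pseudonymised = []
    lookup = {}
    for r in records:
        pid = p.pseudonym(r["email"])
        lookup[pid] = r["email"]
        pseudonymised.append({"id": pid, "plan": r["plan"], "country": r["country"]})
    return pseudonymised, lookup


# Constructed sample input, not real customer data.
SAMPLE_RECORDS = [
    {"email": "Alice@Example.com", "plan": "pro", "country": "DE"},
    {"email": "bob@example.com", "plan": "free", "country": "FR"},
]

if __name__ == "__main__":
    demo_key = bytes(range(32))  # demo only; use a key from a secrets manager in practice
    recs, table = pseudonymise_records(SAMPLE_RECORDS, demo_key)
    print(recs)
    print(table)
```

The design point is separation: the pseudonymised records alone are unintelligible to anyone who does not also hold the key, which is exactly the condition Article 34(3)(a) turns on; if the key is stored alongside the records, that argument is lost.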
Articles 33 and 34: Personal Data Breach Notification
The GDPR introduces a two-tier notification regime for personal data breaches.
Notification to the Supervisory Authority (Article 33)
In case of a personal data breach, the controller must notify the competent supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware of it — unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons.
Where notification is not made within 72 hours, reasons for the delay must be provided.
Content of the notification under Article 33(3):
| Element | Description |
|---|---|
| Nature of the breach | Description of the nature of the breach, where possible including categories and approximate number of data subjects and records concerned |
| Contact details | Name and contact details of the data protection officer or other contact point |
| Likely consequences | Description of the likely consequences of the breach |
| Measures taken | Description of measures taken or proposed by the controller to address the breach and mitigate effects |
Article 33(4) explicitly allows for phased notification: Where information cannot be provided at the same time, it may be provided in phases without undue further delay.
Processor obligation: Under Article 33(2), the processor must notify the controller without undue delay after becoming aware of a breach. The GDPR does not specify a concrete deadline — however, EDPB guidelines recommend notification as quickly as possible to enable the controller to meet the 72-hour deadline.
Documentation obligation: Under Article 33(5), the controller must document all breaches — including the facts, effects, and remedial actions taken — whether or not they were notifiable. This documentation must enable the supervisory authority to verify compliance. In 2025, breach notifications across the EU exceeded 400 per day for the first time since the regulation came into force.
Communication to Data Subjects (Article 34)
When the breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller must communicate the breach to the affected data subjects without undue delay.
The communication must describe in clear and plain language the nature of the breach and at least include:
- Name and contact details of the data protection officer
- Likely consequences of the breach
- Measures taken or proposed to address the breach and mitigate effects
Exceptions to the communication obligation (Article 34(3)):
| Exception | Explanation |
|---|---|
| Technical protection measures | The controller has implemented appropriate measures (e.g., encryption) that render data unintelligible to unauthorized persons |
| Subsequent measures | Subsequent measures ensure that the high risk is no longer likely to materialize |
| Disproportionate effort | In this case, a public communication or similar measure is made instead |
The supervisory authority may, under Article 34(4), require the controller to communicate to data subjects if it considers that a high risk exists.
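The decision logic of Articles 33 and 34 described above, as an added example that is not part of the guide: a small breach-triage routine that records every breach (Article 33(5)), computes the 72-hour deadline, decides whether the supervisory authority and the data subjects must be informed, applies the Article 34(3) exceptions, and assembles the Article 33(3) elements while flagging a phased notification (Article 33(4)) when figures are not yet known. The risk labels, field names, and the placeholder contact address are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Added example of Article 33/34 triage logic; not from the guide. Risk labels,
# field names and the placeholder contact are assumptions.

NOTIFY_WINDOW = timedelta(hours=72)         # Art. 33(1)
RISK_LEVELS = ("unlikely", "risk", "high")  # assumed output labels of the risk assessment


@dataclass
class Breach:
    aware_at: datetime                        # moment the controller became aware (tz-aware)
    risk: str                                 # one of RISK_LEVELS
    description: str
    categories: list = field(default_factory=list)  # categories of data subjects / records
    approx_subjects: Optional[int] = None     # None = not yet known (phased notification)
    approx_records: Optional[int] = None
    data_unintelligible: bool = False         # e.g. encrypted, key not compromised, Art. 34(3)(a)
    risk_removed: bool = False                # subsequent measures, Art. 34(3)(b)
    disproportionate_effort: bool = False     # Art. 34(3)(c)
    dpo_contact: str = "dpo@example.invalid"  # placeholder contact point
    likely_consequences: str = ""
    measures: str = ""


def triage(b: Breach, now: datetime) -> dict:
    """Decide what Articles 33 and 34 require for this breach at time `now`."""
    if b.risk not in RISK_LEVELS:
        raise ValueError(f"unknown risk level {b.risk!r}")
    deadline = b.aware_at + NOTIFY_WINDOW
    notify_sa = b.risk != "unlikely"          # Art. 33(1): notify unless risk is unlikely
    if b.risk != "high":
        subjects = "not required: no high risk (Art. 34(1))"
    elif b.data_unintelligible:
        subjects = "exempt: technical protection measures (Art. 34(3)(a))"
    elif b.risk_removed:
        subjects = "exempt: subsequent measures removed the high risk (Art. 34(3)(b))"
    elif b.disproportionate_effort:
        subjects = "public communication instead (Art. 34(3)(c))"
    else:
        subjects = "communicate to data subjects without undue delay (Art. 34(1))"
    late = notify_sa and now > deadline
    return {
        "record_internally": True,            # Art. 33(5): every breach, notifiable or not
        "notify_authority": notify_sa,
        "deadline": deadline,
        "overdue": late,
        "delay_reasons_required": late,       # Art. 33(1): reasons must accompany a late notification
        "data_subjects": subjects,
    }


def notification(b: Breach) -> dict:
    """Assemble the Art. 33(3) elements; mark the notification as phased (Art. 33(4)) if figures are missing."""
    content = {
        "nature": b.description,
        "categories": list(b.categories),
        "approximate_subjects": b.approx_subjects,
        "approximate_records": b.approx_records,
        "contact": b.dpo_contact,
        "likely_consequences": b.likely_consequences,
        "measures": b.measures,
    }
    content["phased"] = any(content[k] is None for k in ("approximate_subjects", "approximate_records"))
    return content


def sample_breach() -> Breach:
    # Constructed sample, not a real incident.
    return Breach(
        aware_at=datetime(2026, 3, 1, 9, 0, tzinfo=timezone.utc),
        risk="high",
        description="Lost laptop containing a customer export",
        categories=["customers"],
        approx_records=12000,
        data_unintelligible=True,  # full-disk encryption, key not on the device
        likely_consequences="none expected while the key is uncompromised",
        measures="device remotely wiped; export retired",
    )


if __name__ == "__main__":
    b = sample_breach()
    print(triage(b, b.aware_at + timedelta(hours=10)))
    print(notification(b))
```

Two details matter in practice: the clock starts at awareness, not at discovery of the full facts, so the deadline is computed from `aware_at` and the notification goes out phased rather than late; and `record_internally` is always true, because the Article 33(5) register must also contain the breaches that were assessed as not notifiable.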
Article 28: Data Processing Agreements
The GDPR establishes binding requirements for working with processors.
Selection of Processors (Article 28(1))
The controller may only use processors that "provide sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject."
This wording establishes a due diligence obligation in selection — not only at contract signing but on an ongoing basis.
Contractual Requirements (Article 28(3))
Processing by a processor must be governed by a contract or other legal act that binds the processor to the controller.
Minimum contents of the data processing agreement:
| Requirement | Legal basis |
|---|---|
| Processing only on documented instructions from the controller | Art. 28(3)(a) |
| Confidentiality commitment by authorized personnel | Art. 28(3)(b) |
| Implementation of all measures required under Article 32 | Art. 28(3)(c) |
| Compliance with conditions for sub-processors | Art. 28(3)(d) |
| Assistance with data subject rights | Art. 28(3)(e) |
| Assistance with obligations under Articles 32–36 (security, notifications, impact assessments) | Art. 28(3)(f) |
| Deletion or return of data after contract termination | Art. 28(3)(g) |
| Making available all information to demonstrate compliance, enabling audits and inspections | Art. 28(3)(h) |
Sub-processing (Article 28(2) and (4))
The processor may not engage another processor without prior specific or general written authorization from the controller.
In case of general written authorization, the processor must inform the controller of any intended changes and give them the opportunity to object.
When another processor is engaged, the same data protection obligations must be imposed. The original processor remains liable to the controller for the sub-processor's compliance.
Demonstrating Compliance (Article 28(5))
Adherence to approved codes of conduct (Article 40) or an approved certification mechanism (Article 42) may be used as an element to demonstrate sufficient guarantees.
Why Due Diligence Is Not a One-Off Exercise
The GDPR speaks of selecting a suitable processor — but the controller's obligations do not end at contract signing:
- Article 28(3)(h) obligates the processor to make available all information necessary to demonstrate compliance and allow for audits and inspections
- Article 32(1)(d) requires a process for "regularly testing, assessing and evaluating" the effectiveness of measures
- Accountability under Article 5(2) requires the controller to be able to demonstrate compliance with data protection principles at any time
In practice, this means: An organization that engages a processor once and never reviews it again will struggle to demonstrate due diligence if harm occurs. Initial due diligence becomes a recurring obligation.
Penalties (Article 83)
The GDPR provides for a two-tier penalty system:
| Violation | Fine | Legal basis |
|---|---|---|
| Obligations of controllers and processors (Art. 8, 11, 25–39, 42, 43) | Up to EUR 10 million or 2% annual turnover | Art. 83(4) |
| Processing principles, data subject rights, transfers to third countries (Art. 5–7, 9, 12–22, 44–49) | Up to EUR 20 million or 4% annual turnover | Art. 83(5) |
| Non-compliance with an order by the supervisory authority | Up to EUR 20 million or 4% annual turnover | Art. 83(6) |
The higher amount applies in each case.
Relevance for data processing and breach notification:
- Violations of Article 28 (processor obligations) and Article 32 (security) fall under the lower tier (up to EUR 10 million / 2%)
- Violations of Article 33 (notification to authority) and Article 34 (communication to data subjects) also fall under the lower tier
- However, failure to notify may additionally be considered a violation of Article 5 (accountability) — which can trigger the upper tier
When setting fines, Article 83(2) requires consideration of, among other factors: the nature, gravity, and duration of the infringement; intentional or negligent character; measures taken to mitigate damage; previous infringements; and cooperation with the supervisory authority.
GDPR Fines and Enforcement in 2025–2026
GDPR enforcement has accelerated sharply. Total fines since May 2018 now exceed €7 billion, with 2025 generating over €1.1 billion in penalties (374 individual fines) — and daily breach notifications exceeding 400 for the first time.
Major Enforcement Actions in 2025
TikTok — €530 million (May 2025)
Ireland's Data Protection Commission fined TikTok €530 million for illegally transferring European Economic Area user data to servers in China, in violation of Chapter V transfer rules. Engineers in China were routinely able to access sensitive information belonging to EU residents, and TikTok failed to carry out adequate risk assessments regarding Chinese state surveillance laws.
Meta — €479 million (2025)
A Madrid court found Meta had unlawfully processed user data, giving it an unfair advantage in the online advertising market and benefiting 87 Spanish media companies' legal claims.
Vodafone Germany — €45 million (2025)
Germany's Federal Commissioner for Data Protection (BfDI) issued two fines: €15 million for poor internal data protection controls and €30 million for security flaws in handling customer data through customer portals and hotlines.
Capita plc (UK) — £14 million
The UK Information Commissioner's Office fined Capita £14 million following a cyber-attack that exposed the personal data of 6.6 million people.
2026 Enforcement Priority: Transparency (Articles 12–14)
Following the EDPB's 2025 coordinated enforcement action on the right to erasure (Article 17), the EDPB announced on 14 October 2025 that the 2026 coordinated enforcement action will focus on transparency and information obligations under Articles 12 to 14 GDPR. Organizations without clear, complete, and accessible privacy notices face heightened supervisory scrutiny in 2026.
Enforcement is no longer reactive. Regulators are proactively auditing organizations, particularly for dark patterns in consent UIs, unlawful cross-border transfers, and inadequate breach notification procedures.
GDPR Compliance Software: What to Look For
The complexity of GDPR compliance — spanning data mapping, consent management, DPA tracking, breach notification, and continuous evidence collection — has created a mature market for compliance software. Key capabilities to evaluate:
| Capability | Why it matters |
|---|---|
| Data mapping / RoPA automation | Maintaining Article 30 records manually is error-prone at scale |
| DPA and subprocessor management | Article 28 requires monitoring processors continuously, not once |
| Consent management | Consent logs must be auditable; cookie flows must not use dark patterns |
| Breach response workflows | 72-hour deadline requires pre-built notification templates and escalation paths |
| Continuous evidence collection | Article 5(2) accountability requires always-available proof, not point-in-time snapshots |
| Data subject rights management | DSAR workflows must respond within one month |
| Cross-border transfer tracking | Post-TikTok enforcement, transfer impact assessments need regular review |
The leading platforms serve different segments: OneTrust and TrustArc for large enterprise privacy operations; Sprinto and Drata for continuous compliance automation; specialist tools for consent management (Cookiebot, Usercentrics). Orbiq's Trust Center addresses the specific challenge of demonstrating GDPR compliance externally — to customers, prospects, and auditors — through a centralized, always-current documentation hub.
ISMS and Trust Center: Two Sides of the Same Coin
GDPR requirements cannot be met with a single system. Governance requires structure — an ISMS is indispensable for this. However, Articles 28, 33, and 34 additionally require operational capabilities:
- Breach notification within 72 hours — to supervisory authorities and, where applicable, data subjects
- Documentation of all breaches — including those not subject to notification
- Structured assessment and monitoring of processors
- Demonstrable due diligence in selecting and continuously monitoring service providers
The Two Directions of a Trust Center
A Trust Center not only supports inbound assessment of your own service providers — it also solves a practical problem on the outbound side: Organizations acting as processors must provide their customers with the information required under Article 28(3)(h).
In practice, this means: Every potential or existing customer can — and will — request evidence. A Trust Center consolidates this documentation in one professional location:
| Document | Purpose | GDPR Reference |
|---|---|---|
| Data Processing Agreement (DPA) | Standard contract for signature | Art. 28(3) |
| Technical and Organizational Measures (TOMs) | Evidence of security measures | Art. 32 |
| List of Sub-processors | Transparency about sub-processors | Art. 28(2) |
| Certifications (ISO 27001, SOC 2) | Evidence of sufficient guarantees | Art. 28(5), Art. 42 |
| Audit reports and penetration test summaries | Independent assessment of measures | Art. 28(3)(h) |
| Security policies | Documentation of internal processes | Art. 32 |
| Records of processing activities | Overview of data processing | Art. 30 |
| Data Protection Impact Assessments (where applicable) | Risk assessment for critical processing | Art. 35 |
Without a Trust Center, this communication runs through email, individual requests, and manual processes — time-consuming, error-prone, and difficult to scale. With a Trust Center, reactive document searches become proactive demonstration of compliance.
The Dual Perspective
Many organizations are simultaneously controllers (vis-à-vis data subjects) and processors (vis-à-vis their customers). A Trust Center addresses both roles:
As a Controller (Inbound):
- Assessment and monitoring of your own processors
- Collection and maintenance of DPAs, TOMs, and certificates from service providers
- Documentation of due diligence in selection
As a Processor (Outbound):
- Provision of all evidence to customers in one place
- Scalable response to security questionnaires and audits
- Proactive transparency instead of reactive document searches
Organizations that connect both worlds are well-positioned: An ISMS for internal governance, a Trust Center for external communication — in both directions. This transforms compliance effort into a functioning system and documentation into true resilience. See also our guide on continuous monitoring for how to maintain always-current compliance evidence.
Sources & References
- Regulation (EU) 2016/679 (GDPR), full text — Official Journal of the European Union. The complete text of the General Data Protection Regulation.
- GDPR Enforcement Tracker — CMS Law. Running total of GDPR fines issued across EU member states.
- GDPR Fines and Data Breach Survey, January 2026 — DLA Piper. Annual survey of GDPR enforcement trends and fine volumes.
- 2026 Coordinated Enforcement Action announcement — EDPB, 14 October 2025. Announcement of the 2026 focus on Articles 12–14 transparency obligations.
- Article 28 (Processor) — gdpr-info.eu. Requirements for data processing agreements.
- Article 32 (Security of Processing) — gdpr-info.eu. Technical and organizational measures.
- Article 33 (Notification to Supervisory Authority) — gdpr-info.eu. 72-hour deadline for data breaches.
- Article 34 (Communication to Data Subject) — gdpr-info.eu. Communication in high-risk cases.
- Article 83 (General conditions for imposing administrative fines) — gdpr-info.eu. Penalty framework.
- Guidelines 9/2022 on personal data breach notification, version 2.0 — EDPB, March 2023. Guidelines on personal data breach notification.
- TikTok €530M fine — Ireland DPC, May 2025. Enforcement action for unlawful data transfers to China.
- GDPR fines exceeded €1B in 2025 — Surfshark Research. Annual analysis of GDPR enforcement volume.