
GDPR: master your 5 compliance obligations

Discover your GDPR compliance obligations in 2026 to protect your data, anticipate risks and avoid sanctions.

GDPR: corporate obligations in 2026

The GDPR (General Data Protection Regulation) governs the collection and use of personal data throughout the European Union.
Applicable since May 25, 2018, it imposes obligations on companies in terms of data governance, IT security and transparency towards users.

In 2026, GDPR compliance is no longer just a legal requirement: it is a strategic cybersecurity and risk management issue. Organizations need to be able to demonstrate compliance at all times and effectively protect the data they process.

In this comprehensive guide, discover what the GDPR is, what the obligations of businesses are and how to implement a sustainable compliance process.

Whether you are a CISO, a DPO or a Risk Manager, understanding the requirements of the GDPR is essential to limit the legal, financial and reputational risks associated with the handling of personal data.

What is the GDPR?

The GDPR (General Data Protection Regulation) is a European regulation that governs the collection, processing and protection of the personal data of individuals in the European Union.

Applicable since May 25, 2018, it aims to strengthen the rights of individuals and to make the organizations that process their data accountable.

The GDPR applies to any organization (company, public body or association) that processes the personal data of people located in the European Union, even if the organization itself is established outside the EU.

The major changes in the GDPR since 2018

Since its adoption, the GDPR has evolved at the pace of digital practices, case law and the recommendations of supervisory authorities such as the CNIL.

Here are the main steps to remember:

2016: Official adoption of the GDPR by the European Union (Regulation (EU) 2016/679).

May 25, 2018: The GDPR becomes applicable across the EU. Start of inspections and effective sanctions.

2020: Reinforcement of transparency requirements on cookies and trackers through CNIL guidelines.

2021: Strengthened enforcement around teleworking and cybersecurity, in the context of the COVID-19 pandemic.

2022-23: A series of record fines and public notices aimed at large companies and digital platforms. Emergence of new expectations on the management of processors (Article 28) and the documentation of procedures.

2024: Generalization of the Privacy by Design approach in business software, artificial intelligence and cloud tools, with the obligation to integrate data protection from the design stage of digital tools.

2025: Emphasis on GDPR compliance in the context of cybersecurity (NIS 2, DORA, etc.) and harmonization with other European texts. The European Data Act becomes applicable.

2026: Authorities now expect companies to be truly mature in managing their compliance and able to demonstrate their data protection arrangements.

This evolution reinforces the importance of structured data governance and the ongoing management of processing risks.

Definition and fundamental principles of the GDPR

The GDPR is based on several principles that govern the processing of personal data.

  1. Lawfulness, fairness and transparency: data processing must rest on a clear legal basis (consent, contract, legal obligation, etc.) and be transparent for the data subjects.
  2. Purpose limitation: data must be collected for specified, explicit and legitimate purposes. It cannot be further processed for incompatible purposes.
  3. Data minimisation: only the data strictly necessary for the purpose pursued may be collected and processed. This goes hand in hand with the principle of "Privacy by Design", where privacy is built in from the start.
  4. Accuracy: personal data must be accurate and kept up to date. Steps must be taken to rectify or erase inaccurate data.
  5. Storage limitation: data must not be kept longer than necessary for the purposes for which it is processed. Clear retention periods must be defined.
  6. Integrity and confidentiality: organizations must guarantee the security of personal data through appropriate technical and organizational measures that protect it against unauthorized or unlawful processing and against accidental loss, destruction or damage.
  7. Accountability: the controller must be able to demonstrate compliance at any time. This requirement includes maintaining complete documentation (records, policies, etc.).

These principles form the basis of any GDPR compliance approach.

What are the obligations of the GDPR for businesses?

To comply with the GDPR, organizations must put in place several organizational and technical measures covering the documentation of processing activities, risk management and data security.

In 2026, supervisory authorities expect companies to provide structured and documented compliance.

The main obligations are as follows.

Maintain a record of processing activities

This is the central document of your cyber GRC. The record of processing activities must list all the processing of personal data carried out by your organization. For each processing activity, it must specify:

  • The purpose of the processing (customer management, payroll, recruitment...).
  • The categories of data subjects (customers, employees, prospects).
  • The categories of personal data collected (name, email, IP address...).
  • The recipients of the data (processors, partners).
  • The retention periods.
  • The security measures put in place.

This record is not a static document. It should be updated as soon as a new collection starts or an existing processing activity changes. It is an essential management tool and the first document requested in the event of an inspection by the CNIL. Good cybersecurity governance, risk and compliance (GRC) starts with a clear map of your processing activities.

Conduct a data protection impact assessment (DPIA)

A data protection impact assessment (DPIA) is mandatory when a processing operation is likely to result in a high risk to the rights and freedoms of individuals.

This is particularly the case for:

  • Large-scale systematic monitoring of a publicly accessible area.
  • Large-scale processing of sensitive data (health, political opinions).
  • Combining or matching large datasets.

The DPIA is a risk-analysis approach specific to the GDPR. It identifies the risks associated with a processing activity and defines the measures to reduce them.

Carrying out an impact assessment can quickly become complex as processing activities multiply. Organizations must be able to identify risks, document their analyses and monitor their action plans over time.

Specialized platforms such as Egerie make it possible to automate the mapping of processing activities, to manage risk analyses and to structure GDPR compliance within the company's cyber governance.

Discover how the Egerie platform can help you manage your GDPR compliance. Request a demo now.

Ensuring the security of personal data

Data protection requires robust security measures. The GDPR (Article 32) imposes a security obligation appropriate to the risk. These measures must be both technical and organizational:

  • Technical measures (the examples Article 32 itself gives): pseudonymisation and encryption of personal data; the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems; the ability to restore availability and access to the data in a timely manner after an incident; and a process for regularly testing and evaluating the effectiveness of these measures.
  • Organizational measures: security policies, incident management, employee training, regular compliance audits.

Supervise relationships with processors

When a company entrusts the processing of personal data to a service provider (hosting provider, SaaS vendor, marketing agency, etc.), that provider is considered a processor within the meaning of the GDPR.

The company remains the controller. It is therefore mandatory to sign a data processing agreement (or an amendment to the existing contract) that meets the requirements of Article 28 of the GDPR.

A contract compliant with Article 28 of the GDPR must frame this relationship and specify:

  • The obligations of the processor
  • The security measures
  • The conditions under which the processor may engage other providers (sub-processors)

Managing the risks associated with third parties has become a major challenge in data governance.

What are people's rights?

The GDPR has significantly strengthened individuals' rights over their data. Your organization must be ready to respond to their requests within the legal deadlines.

The right to information of data subjects

Transparency is a fundamental obligation. Anyone whose data you collect must be given information that is clear, concise and accessible. This information must be provided at the time of collection.

It generally includes:

  • The identity and contact details of the controller (your company) and of the DPO, if there is one.
  • The purposes of the processing and its legal basis.
  • The recipients of the data.
  • The retention period.
  • A reminder of their rights (access, rectification, etc.).
  • The right to lodge a complaint with the CNIL.

This information is typically found in your website's privacy policy, on your collection forms, or in contracts with your customers.

The rights of access, rectification and erasure

Data subjects have several rights that they can exercise at any time:

  • Right of access (Article 15): the right to know whether data concerning them is being processed and to obtain a copy.
  • Right to rectification (Article 16): the right to request the correction of inaccurate or incomplete data.
  • Right to erasure, or "right to be forgotten" (Article 17): the right to request the deletion of their data in certain cases (for example, if the data is no longer necessary or if consent is withdrawn).
  • Right to restriction of processing (Article 18): the right to have the use of their data temporarily suspended.
  • Right to data portability (Article 20): the right to receive their data in a structured, commonly used format and to transmit it to another controller.
  • Right to object (Article 21): the right to object to certain processing, in particular for direct marketing purposes.

Your business must put in place internal procedures to receive, analyze and respond to these requests within one month (extendable by two further months for complex requests).

What to do in the event of a data breach

A personal data breach is any security incident that leads to the accidental or unlawful destruction, loss, alteration or unauthorized disclosure of, or access to, personal data.

In the event of such an incident, the GDPR imposes two obligations:

  1. Notification to the CNIL: any breach likely to result in a risk to the rights and freedoms of individuals must be reported to the CNIL within 72 hours of the organization becoming aware of it.

  2. Information of the data subjects: if the breach is likely to result in a high risk, the people affected must also be informed without undue delay.

Good preparation is crucial. It relies on a business continuity plan (BCP) and a disaster recovery plan (DRP) that include a data breach management component.

Anticipating this type of scenario requires a clear vision of information assets and associated risks. In particular, cyber governance platforms make it possible to map data processing, identify the potential impacts of an incident and structure the response to a data breach.

What are the sanctions in case of non-compliance with the GDPR?

Eight years after the GDPR became applicable in France, the grace period is over. Supervisory authorities are becoming more demanding and financial penalties can be very severe.

The CNIL (Commission Nationale de l'Informatique et des Libertés) is the supervisory authority in France. It has broad powers of investigation (on-site and online inspections, hearings) and of sanction. In case of non-compliance with the GDPR, the sanctions may be:

  • A call to order.
  • An order to comply.
  • A temporary or permanent limitation or suspension of the processing.
  • Administrative fines of up to 20 million euros or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

Sanctions are made public and can have a devastating impact on reputation and customer trust.

The strategic role of the DPO

The Data Protection Officer (DPO) is the conductor of GDPR compliance within an organization. Appointing one is mandatory for public bodies and for companies whose core activities involve regular and systematic monitoring of individuals on a large scale or the large-scale processing of sensitive data. Even where it is not mandatory, appointing a DPO is highly recommended. The DPO's missions are multiple:

  • Informing and advising management and employees.
  • Monitoring compliance with the regulation.
  • Overseeing DPIAs.
  • Acting as the point of contact for the CNIL and for data subjects.

The DPO thus plays a central role in integrating data protection into corporate governance and its cybersecurity strategy.

To manage these tasks effectively (mapping processing activities, impact assessments and risk monitoring), many organizations now rely on specialized cyber governance platforms.

Find out how the Egerie platform can help you structure and manage your GDPR compliance.

FAQ about the GDPR in 2026

This section answers frequently asked questions about the GDPR and its practical application for businesses.

Does the GDPR apply to small businesses (VSEs/SMEs)?

Yes, absolutely. The GDPR applies to any organization that processes personal data, regardless of its size. The obligations are the same for a small company as for a large group. However, the CNIL offers specific tools and guides to help small structures. The obligation to keep a record of processing activities, for example, does not apply to companies with fewer than 250 employees, unless the processing is likely to result in a risk, is not occasional, or involves sensitive data. In practice, most businesses are concerned.

What is the difference between personal data and sensitive data?

Personal data is any information relating to an identified or identifiable natural person (name, email, IP address, telephone number...). Sensitive data is a special category of personal data whose processing is prohibited in principle, subject to a few exceptions. It covers data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs and trade union membership, as well as genetic data, biometric data, data concerning health, and data concerning a person's sex life or sexual orientation. Processing it requires even stronger security guarantees.

How long can customer data be kept?

There is no single retention period. It must be determined according to the purpose for which the data was collected. For example, the data necessary for managing the commercial relationship (contracts, orders, invoices) can be kept for the duration of the relationship, then archived for the length of the applicable legal retention period (generally 5 years). Data on prospects who do not respond to any solicitation must be deleted after a reasonable period (the CNIL recommends 3 years). Each retention period must be justified and documented in your record of processing activities.

Is consent always required to collect data?

No. Consent is one of the six legal bases provided for by the GDPR, but it is not the only one. Processing is also lawful if it is necessary for:

  • The performance of a contract (e.g. processing a delivery address to ship a product).
  • Compliance with a legal obligation (e.g. keeping invoices).
  • Protecting the vital interests of a person.
  • The performance of a task carried out in the public interest.
  • The pursuit of a legitimate interest of the company (e.g. fighting fraud), provided that this interest is not overridden by the rights and freedoms of the individuals concerned.

Choosing the legal basis is an important decision that must be documented for each processing activity.

Learn how Egerie helps you manage ISO, NIS 2, DORA, PART-IS and more.

One of our experts will give you a personalized demonstration of the Egerie platform so that it meets your compliance objectives as quickly as possible.
