Products
By Use Cases By Roles
Data Command Center
View
Learn more

Asset and Data Discovery

Discover dark and native data assets

Learn more

Data Access Intelligence & Governance

Identify which users have access to sensitive data and prevent unauthorized access

Learn more

Data Privacy Automation

PrivacyCenter.Cloud | Data Mapping | DSR Automation | Assessment Automation | Vendor Assessment | Breach Management | Privacy Notice

Learn more

Sensitive Data Intelligence

Discover & Classify Structured and Unstructured Data | People Data Graph

Learn more

Data Flow Intelligence & Governance

Prevent sensitive data sprawl through real-time streaming platforms

Learn more

Data Consent Automation

First Party Consent | Third Party & Cookie Consent

Learn more

Data Security Posture Management

Secure sensitive data in hybrid multicloud and SaaS environments

Learn more

Data Breach Impact Analysis & Response

Analyze impact of a data breach and coordinate response per global regulatory obligations

Learn more

Data Catalog

Automatically catalog datasets and enable users to find, understand, trust and access data

Learn more

Data Lineage

Track changes and transformations of data throughout its lifecycle
Data Controls Orchestrator
View
Data Command Center
View
Sensitive Data Intelligence
View

Asset Discovery
Data Discovery & Classification
Sensitive Data Catalog
People Data Graph
Learn more

Privacy

Automate compliance with global privacy regulations

Data Mapping Automation

View

Data Subject Request Automation

View

People Data Graph

View

Assessment Automation

View

Cookie Consent

View

Universal Consent

View

Vendor Risk Assessment

View

Breach Management

View

Privacy Policy Management

View

Privacy Center

View

Learn more

Security

Identify data risk and enable protection & control

Data Security Posture Management

View

Data Access Intelligence & Governance

View

Data Risk Management

View

Data Breach Analysis

View

Learn more

Governance

Optimize Data Governance with granular insights into your data

Data Catalog

View

Data Lineage

View

Data Quality

View
Data Controls Orchestrator
View
Solutions
Technologies

Covering you everywhere with 1000+ integrations across data systems.

Snowflake

View

AWS

View

Microsoft 365

View

Salesforce

View

Workday

View

GCP

View

Azure

View

Oracle

View

Databricks

View

Learn more

Regulations

Automate compliance with global privacy regulations.

US California CCPA

View

CPRA
California Privacy Rights Act

View

European Union GDPR

View

Thailand’s PDPA

View

China PIPL

View

Canada PIPEDA Compliance Solution

View

Brazil's LGPD

View

+ More

View

Learn more

Roles

Identify data risk and enable protection & control.

Privacy

View

Security

View

Governance

View

Marketing

View
Resources

Blog

Read through our articles written by industry experts

Collateral

Product brochures, white papers, infographics, analyst reports and more.

Knowledge Center

Learn about the data privacy, security and governance landscape.

Securiti Education

Courses and Certifications for data privacy, security and governance professionals.
Company

About Us

Learn all about Securiti, our mission and history

Partner Program

Join our Partner Program

Contact Us

Contact us to learn more or schedule a demo

News Coverage

Read about Securiti in the news

Press Releases

Find our latest press releases

Careers

Join the talented Securiti team

GDPR Data Collection Requirements

Published September 2, 2022 / Updated November 21, 2023

The General Data Protection Regulation or GDPR, is known as one of the most extensive privacy laws in the world. This law covers the entirety of the EU and any organization doing business with these countries. The major aspect of this law is to protect the consumers rights to privacy, which means that any organization in the world collecting personal information of residents from the EU needs to abide by GDPR requirements.

Data Collection Requirements under GDPR

According to the GDPR, certain information may be collected and stored as long as the users remain completely anonymous. You may not store data in such a way that the users can be tracked. Data must be held for the shortest amount of time possible. The GDPR requires organizations to collect personal data only on a lawful basis. Article 6 of the GDPR provides the following 6 lawful basis:

Consent: where the data subject has given consent to the processing of his or her personal data for one or more specific purposes.
Performance of a contract: where processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract.
Compliance with legal obligation: where the processing is necessary for compliance with a legal obligation to which the controller is subject.
Vital interests: where the processing is necessary in order to protect the vital interests of the data subject or of another natural person.
Public interest: where the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Legitimate interests: where the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

In addition to the above lawful bases, organizations must be mindful of key data collection and processing principles. Article 5 of the GDPR provides the following key data protection principles:

Lawfulness, fairness and transparency: this principle requires organizations to collect and process data lawfully, fairly, and in a transparent manner.
Purpose limitation: this principle requires organizations to collect and process data only for specified, explicit, and legitimate purposes.
Data minimization: this principle requires organizations to collect data only that is adequate, relevant, and limited to what is necessary for the purposes for which they are processed.
Accuracy: this principle requires organizations to keep the data accurate. In case data is inaccurate, organizations need to either erase the data or have it rectified.
Storage limitation: Once data has served its purpose, it should be removed from the organizations’ servers in order to save space and avoid any compliance issues. Data cannot be stored for longer than is necessary for the purposes for which it is processed.
Integrity and confidentiality: this principle requires organizations to ensure that personal data is protected against unauthorized or unlawful processing or security incidents and it has appropriate security controls at all times.
Accountability: this principle holds organizations responsible for the protection of personal data. Organizations must be able to demonstrate compliance with the applicable legal requirements.

What Organizations Need to Record

Under Article 30 of the GDPR, organizations are required to keep written records of data processing activities. These records should consist of the following items:

Contact details of all controllers, processors, and DPOs
Methods by which information is gathered
Categories of information collected
Categories of data subjects
Categories of recipients of this information
Purpose of data collection
Use of data
Specific groups affected by this data-gathering
Transfer information to third countries, including third country or international organization
Estimation of how long the data will be retained or data retention periods
Security measures undertaken to protect subjects' personal data

Touchpoints of GDPR Collection

When collecting an individual's data, there are several things an organization needs to make sure of in order to stay compliant with the GDPR. There are a number of ways that an organization can obtain an individual's data (These are known as touchpoints).

A few examples of touchpoints include:

Emails
Social media channels
Live chat applications
Reverse IP lookup
Cookies on the company’s website

In order to make sure that data collected via afore-mentioned touchpoints is in line with the requirements of the GDPR, organizations must ensure the following:

Processing of personal data only on lawful grounds.
Appropriate security controls to prevent data losses or security incidents.
Adequate fulfillment and timely responses to data subjects’ requests.
Adequate fulfillment of breach notification requirements.
Regular Privacy Impact Assessments and Data Protection Impact Assessments to mitigate any potential privacy risks in data processing activities.
Adequate consent management processes and records of data subjects’ consent for consent-based data processing.
Updated and comprehensive records of data processing activities (RoPA).

Conclusion

Collecting data is the first step an organization takes, which opens up privacy concerns for organizations. In order to remain compliant with privacy regulations, organizations need an all-in-one tool that can help them lawfully collect data and in turn stay in compliance with privacy regulations.

Securiti’s sensitive data intelligence solution allows organizations to honor all GDPR principles and requirements before collecting a consumer's data. It also allows organizations to protect this collected data and only use it for its intended purpose.

Under GDPR, data collection must be done lawfully and transparently. This typically involves obtaining explicit consent from data subjects or relying on other lawful bases for data processing, such as legitimate interests or legal obligations.

GDPR allows the collection of personal data, which includes any information that can directly or indirectly identify an individual, such as names, email addresses, IP addresses, and more. Special categories of sensitive data, such as health or biometric data, have additional requirements.

GDPR does not prevent data collection but places strict requirements on how data is collected and processed to protect the privacy and rights of data subjects.

Data collection must follow GDPR’s principles, such as lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, and confidentiality.

Authored by Anas Baig

Anas Baig is a Product Marketing Manager with a proven track record in the cybersecurity industry. He has been a prominent contributor to numerous esteemed publications, including Infosecurity Magazine, CSO Online, Tripwire, Security Affairs, Network Computing, Security Boulevard, and several other renowned cybersecurity blogs.His in-depth knowledge and extensive experience in the industry make him a trusted source for cutting-edge insights and information in the ever-evolving world of cybersecurity.

Data Collection Requirements under GDPR

What Organizations Need to Record

Touchpoints of GDPR Collection

Conclusion

Frequently Asked Questions (FAQs)

Bedrock of your Privacy & Security

Authored by Anas Baig

Newsletter

Company

Resources

Terms

Get in touch

GDPR Data Collection Requirements

Data Collection Requirements under GDPR

What Organizations Need to Record

Touchpoints of GDPR Collection

Conclusion

Frequently Asked Questions (FAQs)

Bedrock of your Privacy & Security

Schedule a LIVE One-on-One Demo

Authored by Anas Baig

Join Our Newsletter

Share

More Stories that May Interest You

Email Marketing Requirements under GDPR and e-Privacy Directive

What is Proof of Consent under GDPR?

Data Discovery for GDPR: Ensuring Personal Data Compliance

Newsletter

Company

Resources

Terms

Get in touch