What is the primary objective of GDPR?

The primary objective of GDPR is to protect the fundamental rights and freedoms of natural persons, particularly their right to the protection of personal data, while ensuring the free movement of personal data within the EU. Enacted as Regulation (EU) 2016/679 and enforceable since May 25, 2018, it replaces the fragmented 1995 Data Protection Directive by establishing uniform rules directly applicable across all EU member states. Core principles under Article 5 include lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, and accountability, mandating controllers to demonstrate compliance.

Who is legally or professionally required to comply with GDPR?

GDPR applies to any controller or processor established in the EU, or any non-EU entity offering goods/services to or monitoring the behaviour of EU data subjects, regardless of location. Article 3 defines its extraterritorial scope, capturing global organisations processing personal data of EU residents. Controllers determine processing purposes, while processors act on their behalf; both must appoint a Data Protection Officer (DPO) for public authorities or large-scale systematic monitoring of special category data (Article 37). Personal data includes any information relating to an identifiable natural person, such as IP addresses or genetic data (Article 4).

Does GDPR require an external audit or third-party certification?

No, GDPR does not mandate external audits or third-party certification for compliance. Article 42 encourages voluntary certification mechanisms, seals, or marks to demonstrate compliance, but these are optional and subject to approval by supervisory authorities. Organisations must self-assess via Records of Processing Activities (ROPA) (Article 30), Data Protection Impact Assessments (DPIAs) for high-risk processing (Article 35), and accountability measures, with supervisory authorities conducting investigations as needed.

How often should an assessment for GDPR be performed?

GDPR requires ongoing, risk-based assessments rather than fixed intervals, with Data Protection Impact Assessments (DPIAs) conducted prior to high-risk processing and reviewed if risks change. Article 35 mandates DPIAs for systematic monitoring, large-scale special category data processing, or profiling; Article 32 demands continuous evaluation of security measures based on state-of-the-art risks. Controllers must maintain up-to-date ROPA and breach logs, enabling supervisory authorities to verify perpetual accountability.

What are the consequences of non-compliance with GDPR?

Non-compliance with GDPR incurs administrative fines up to €20 million or 4% of total global annual turnover, whichever is higher, for severe violations like unlawful processing or failure to adhere to core principles. Tiered penalties under Article 83 apply: up to €10 million or 2% for lesser infringements (e.g., no DPO). Supervisory authorities enforce via the one-stop-shop for cross-border cases, with data subjects able to seek judicial remedies, including compensation for material/non-material damage (Article 82).

Can GDPR be mapped to other international frameworks?

Yes, GDPR principles such as accountability, data minimisation, and data subject rights are frequently mapped to international frameworks like Brazil's LGPD, California's CCPA, and Japan's APPI. Its global benchmark status enables equivalence assessments for adequacy decisions (Article 45), facilitating data transfers via mechanisms like Standard Contractual Clauses post-Schrems II, though mappings require case-by-case validation by the European Data Protection Board.

What is the first step to begin implementing GDPR?

The first step to implement GDPR is to conduct a comprehensive data mapping and inventory of all personal data processing activities. This informs the Records of Processing Activities (ROPA) under Article 30, identifying legal bases (Article 6), data flows, and risks to prioritise DPIAs, lawful basis documentation, and governance structures like DPO appointment.

What is the primary objective of WELL?

The primary objective of WELL is to advance human health and well-being in buildings through performance-based design, operations, and policies. WELL v2 organizes requirements into 10 concepts—Air, Water, Nourishment, Light, Movement, Thermal Comfort, Sound, Materials, Mind, and Community—with 24 mandatory Preconditions and 102 optional Optimizations to earn points toward certification tiers.

Who is legally or professionally required to comply with WELL?

WELL is voluntary with no legal mandates, but professionally required for organizations pursuing certification. It applies to building owners, developers, facility managers, and operators across new/existing buildings via pathways like WELL Certification, WELL Core (for leased spaces), and WELL for Residential, targeting real estate, corporate, education, healthcare, and hospitality sectors seeking verified health outcomes.

Does WELL require an external audit or third-party certification?

Yes, WELL mandates third-party documentation review and on-site performance verification (PV) by authorized WELL Performance Testing Agents. PV tests air, water, light, thermal comfort, and sound parameters, with two review rounds (preliminary/final) via IWBI's platform, ensuring measurable outcomes beyond documentation.

How often should an assessment for WELL be performed?

WELL requires recertification every three years, with annual reporting for select features like air quality monitoring. Ongoing assessments via continuous monitoring pathways (e.g., CO₂ ≤900 ppm) and performance testing support compliance; pre-testing is recommended pre-PV to identify gaps.

What are the consequences of non-compliance with WELL?

Non-compliance prevents certification award and incurs fees for curative reviews or appeals. Failed Preconditions block all tiers; operational risks include unverified health performance, lost ESG value, tenant disputes, and recertification denial, with no statutory fines as WELL is voluntary.

Can WELL be mapped to other international frameworks?

Yes, IWBI provides official crosswalks mapping WELL features to frameworks like LEED. These align overlapping strategies (e.g., air quality, materials), reducing duplication for dual certifications and enabling integrated ESG reporting without altering WELL's standalone requirements.

What is the first step to begin implementing WELL?

The first step is project enrollment/registration on the IWBI digital platform and scorecard development. This defines pathways, targeted tiers (Bronze: 40 points; Silver: 50; Gold: 60; Platinum: 80 with concept minimums), applicable features, and evidence plans, followed by gap analysis and team assembly.

Standards Comparison

GDPR vs WELL

GDPR

Mandatory

2016

EU regulation for personal data protection and privacy

WELL

Voluntary

2014

Building certification for occupant health and well-being.

Quick Verdict

GDPR mandates data privacy compliance for EU data processors worldwide with hefty fines, while WELL voluntarily certifies buildings for occupant health via performance testing. Companies adopt GDPR for legal protection, WELL for wellness differentiation and ESG gains.

Data Privacy

GDPR

Regulation (EU) 2016/679 General Data Protection Regulation

Cost

€€€€

Complexity

Medium

Implementation Time

12-18 months

Key Features

Extraterritorial scope targeting non-EU entities processing EU data
Fines up to 4% of global annual turnover
Accountability principle requiring demonstrable compliance via DPIAs
Enhanced data subject rights including erasure and portability
72-hour mandatory data breach notification requirement

Building Health & Wellness

WELL

WELL Building Standard v2

Cost

€€€€

Complexity

High

Implementation Time

12-18 months

Key Features

Mandatory on-site performance verification testing
10 core health concepts with preconditions/optimizations
Point-based certification tiers Bronze-Platinum
Continuous monitoring compliance pathways
Crosswalks with LEED for dual certification

Detailed Analysis

A comprehensive look at the specific requirements, scope, and impact of each standard.

GDPR Details

What It Is

The General Data Protection Regulation (GDPR), officially Regulation (EU) 2016/679, is a binding EU regulation modernizing data privacy. It protects personal data of EU residents with extraterritorial scope, using a risk-based accountability approach replacing the 1995 Directive.

Key Components

Seven core principles: lawfulness, purpose limitation, minimization, accuracy, storage limitation, integrity/confidentiality, accountability.
Data subject rights: access, rectification, erasure ("right to be forgotten"), portability, objection.
Obligations: DPO appointment, DPIAs for high-risk processing, Records of Processing Activities, 72-hour breach notifications.
Enforcement: fines up to €20M or 4% global turnover; one-stop-shop supervision.

Why Organizations Use It

Mandatory for EU data handlers to avoid severe penalties and legal risks. Enhances trust, sets global benchmark (Brussels Effect), aids risk management, supports innovation via privacy-by-design.

Implementation Overview

Gap analysis, policy updates, DPO/DPIA setup, training, vendor contracts. Applies to all sizes/industries processing EU data; ongoing DPA audits, no formal certification.

WELL Details

What It Is

WELL Building Standard (WELL v2) is a performance-based certification framework administered by the International WELL Building Institute (IWBI). It focuses on designing, operating, and verifying buildings to advance human health and well-being through evidence-based strategies. Its people-first approach emphasizes measurable indoor environmental quality and organizational policies across new and existing buildings.

Key Components

**10 core conceptsAir, Water, Nourishment, Light, Movement, Thermal Comfort, Sound, Materials, Mind, Community (plus Innovation).
24 Preconditions (mandatory pass/fail) and 102 Optimizations (point-earning).
Built on public health and building science research.
Certification tiers: Bronze (40 points), Silver (50), Gold (60), Platinum (80) with concept minimums.

Why Organizations Use It

Enhances occupant health, productivity, and ESG reporting.
Differentiates assets with verified performance, supporting higher rents and retention.
Mitigates risks like poor IEQ; complements LEED for holistic sustainability.
Builds stakeholder trust via rigorous verification.

Implementation Overview

Phased: gap analysis, scorecard, documentation, on-site verification, recertification (3 years).
Applies to offices, residential, portfolios globally.
Requires third-party review and performance testing for air, water, etc.

Key Differences

Aspect	GDPR	WELL
Scope	Personal data protection and privacy	Building health, air, water, wellness
Industry	All sectors processing EU data globally	Real estate, construction, operations
Nature	Mandatory EU regulation with fines	Voluntary performance certification
Testing	DPIAs, audits by DPAs	On-site performance verification testing
Penalties	Up to 4% global turnover fines	Loss of certification, no fines

Scope

GDPR

Personal data protection and privacy

WELL

Building health, air, water, wellness

Industry

GDPR

All sectors processing EU data globally

WELL

Real estate, construction, operations

Nature

GDPR

Mandatory EU regulation with fines

WELL

Voluntary performance certification

Testing

GDPR

DPIAs, audits by DPAs

WELL

On-site performance verification testing

Penalties

GDPR

Up to 4% global turnover fines

WELL

Loss of certification, no fines

Frequently Asked Questions

Common questions about GDPR and WELL

GDPR FAQ

WELL FAQ

You Might also be Interested in These Articles...

What is DORA and which Requirements does the Standard define?

Discover DORA requirements for info security, strict authority monitoring, and steps to achieve compliance. Build a resilient organization with our detailed gui

CMMC Level 3 Implementation Guide: Integrating NIST SP 800-172 Enhanced Controls for APT Defense

Step-by-step CMMC Level 3 guide for DIB contractors. Implement 24 NIST SP 800-172 controls on Level 2. Prep for DIBCAC, C3PAO scoping & 180-day POA&Ms. Boost cy

Thailand PDPA Enforcement Trends 2025: Analyzing 1,048 Complaints, Breach Volumes, and Hidden Lessons for Proactive Compliance

Decode PDPC Thailand's 1,048 complaints & 610 breaches. Uncover consent/security violations, project 2025 enforcement. Risk heatmap, self-assessment & playbook

Run Maturity Assessments with GRADUM

Transform your compliance journey with our AI-powered assessment platform

Assess your organization's maturity across multiple standards and regulations including ISO 27001, DORA, NIS2, NIST, GDPR, and hundreds more. Get actionable insights and track your progress with collaborative, AI-powered evaluations.

100+ Standards & Regulations

AI-Powered Insights

Collaborative Assessments

Actionable Recommendations

Explore More Comparisons

See how GDPR and WELL compare against other standards

Other GDPR Comparisons

Other WELL Comparisons

Key Components

Seven core principles: lawfulness, purpose limitation, minimization, accuracy, storage limitation, integrity/confidentiality, accountability.

Data subject rights: access, rectification, erasure ("right to be forgotten"), portability, objection.

Obligations: DPO appointment, DPIAs for high-risk processing, Records of Processing Activities, 72-hour breach notifications.

Enforcement: fines up to €20M or 4% global turnover; one-stop-shop supervision.

What It Is

Key Components

**10 core conceptsAir, Water, Nourishment, Light, Movement, Thermal Comfort, Sound, Materials, Mind, Community (plus Innovation).

24 Preconditions (mandatory pass/fail) and 102 Optimizations (point-earning).

Built on public health and building science research.

Certification tiers: Bronze (40 points), Silver (50), Gold (60), Platinum (80) with concept minimums.

Aspect

GDPR

WELL

Scope

Personal data protection and privacy

Building health, air, water, wellness

Industry

All sectors processing EU data globally

Real estate, construction, operations

Nature

Mandatory EU regulation with fines

Voluntary performance certification

Testing

DPIAs, audits by DPAs

On-site performance verification testing

Penalties

Up to 4% global turnover fines

Loss of certification, no fines