What is the primary objective of **GDPR**?

**The primary objective of **GDPR** is to protect the fundamental rights and freedoms of natural persons, particularly their right to the protection of personal data, while ensuring the free movement of personal data within the EU.** Enacted as Regulation (EU) 2016/679 and enforceable since May 25, 2018, it replaces the fragmented 1995 Data Protection Directive by establishing uniform rules directly applicable across all EU member states. Core principles under Article 5 include lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, and accountability, mandating controllers to demonstrate compliance.

Who is legally or professionally required to comply with **GDPR**?

**GDPR applies to any controller or processor established in the EU, or any non-EU entity offering goods/services to or monitoring the behaviour of EU data subjects, regardless of location.** Article 3 defines its extraterritorial scope, capturing global organisations processing personal data of EU residents. Controllers determine processing purposes, while processors act on their behalf; both must appoint a **Data Protection Officer (DPO)** for public authorities or large-scale systematic monitoring of special category data (Article 37). Personal data includes any information relating to an identifiable natural person, such as IP addresses or genetic data (Article 4).

Does **GDPR** require an external audit or third-party certification?

**No, GDPR does not mandate external audits or third-party certification for compliance.** Article 42 encourages voluntary certification mechanisms, seals, or marks to demonstrate compliance, but these are optional and subject to approval by supervisory authorities. Organisations must self-assess via **Records of Processing Activities (ROPA)** (Article 30), **Data Protection Impact Assessments (DPIAs)** for high-risk processing (Article 35), and accountability measures, with supervisory authorities conducting investigations as needed.

How often should an assessment for **GDPR** be performed?

**GDPR requires ongoing, risk-based assessments rather than fixed intervals, with **Data Protection Impact Assessments (DPIAs)** conducted prior to high-risk processing and reviewed if risks change.** Article 35 mandates DPIAs for systematic monitoring, large-scale special category data processing, or profiling; Article 32 demands continuous evaluation of security measures based on state-of-the-art risks. Controllers must maintain up-to-date ROPA and breach logs, enabling supervisory authorities to verify perpetual accountability.

What are the consequences of non-compliance with **GDPR**?

**Non-compliance with GDPR incurs administrative fines up to €20 million or 4% of total global annual turnover, whichever is higher, for severe violations like unlawful processing or failure to adhere to core principles.** Tiered penalties under Article 83 apply: up to €10 million or 2% for lesser infringements (e.g., no DPO). Supervisory authorities enforce via the one-stop-shop for cross-border cases, with data subjects able to seek judicial remedies, including compensation for material/non-material damage (Article 82).

Can **GDPR** be mapped to other international frameworks?

**Yes, GDPR principles such as accountability, data minimisation, and data subject rights are frequently mapped to international frameworks like Brazil's LGPD, California's CCPA, and Japan's APPI.** Its global benchmark status enables equivalence assessments for adequacy decisions (Article 45), facilitating data transfers via mechanisms like Standard Contractual Clauses post-Schrems II, though mappings require case-by-case validation by the European Data Protection Board.

What is the first step to begin implementing **GDPR**?

**The first step to implement GDPR is to conduct a comprehensive data mapping and inventory of all personal data processing activities.** This informs the **Records of Processing Activities (ROPA)** under Article 30, identifying legal bases (Article 6), data flows, and risks to prioritise DPIAs, lawful basis documentation, and governance structures like DPO appointment.

What is the primary objective of **WELL**?

**The primary objective of WELL is to advance human health and well-being in buildings through performance-based design, operations, and policies.** WELL v2 organizes requirements into **10 concepts**—**Air, Water, Nourishment, Light, Movement, Thermal Comfort, Sound, Materials, Mind, and Community**—with **24 mandatory Preconditions** and **102 optional Optimizations** to earn points toward certification tiers.

Who is legally or professionally required to comply with **WELL**?

**WELL is voluntary with no legal mandates, but professionally required for organizations pursuing certification.** It applies to building owners, developers, facility managers, and operators across new/existing buildings via pathways like **WELL Certification**, **WELL Core** (for leased spaces), and **WELL for Residential**, targeting real estate, corporate, education, healthcare, and hospitality sectors seeking verified health outcomes.

Does **WELL** require an external audit or third-party certification?

**Yes, WELL mandates third-party documentation review and on-site performance verification (PV) by authorized WELL Performance Testing Agents.** PV tests air, water, light, thermal comfort, and sound parameters, with two review rounds (preliminary/final) via IWBI's platform, ensuring measurable outcomes beyond documentation.

How often should an assessment for **WELL** be performed?

**WELL requires recertification every three years, with annual reporting for select features like air quality monitoring.** Ongoing assessments via continuous monitoring pathways (e.g., CO₂ ≤900 ppm) and performance testing support compliance; pre-testing is recommended pre-PV to identify gaps.

What are the consequences of non-compliance with **WELL**?

**Non-compliance prevents certification award and incurs fees for curative reviews or appeals.** Failed Preconditions block all tiers; operational risks include unverified health performance, lost ESG value, tenant disputes, and recertification denial, with no statutory fines as WELL is voluntary.

Can **WELL** be mapped to other international frameworks?

**Yes, IWBI provides official crosswalks mapping WELL features to frameworks like LEED.** These align overlapping strategies (e.g., air quality, materials), reducing duplication for dual certifications and enabling integrated ESG reporting without altering WELL's standalone requirements.

What is the first step to begin implementing **WELL**?

**The first step is project enrollment/registration on the IWBI digital platform and scorecard development.** This defines pathways, targeted tiers (**Bronze: 40 points; Silver: 50; Gold: 60; Platinum: 80** with concept minimums), applicable features, and evidence plans, followed by gap analysis and team assembly.

GDPR vs WELL | GRADUM

Standards Comparison

GDPR

Mandatory

2016

EU regulation for personal data protection and privacy

WELL

Voluntary

2014

Building certification for occupant health and well-being.

Quick Verdict

GDPR mandates data privacy compliance for EU data processors worldwide with hefty fines, while WELL voluntarily certifies buildings for occupant health via performance testing. Companies adopt GDPR for legal protection, WELL for wellness differentiation and ESG gains.

Data Privacy

GDPR

Regulation (EU) 2016/679 General Data Protection Regulation

Cost

€€€€

Complexity

Medium

Implementation Time

12-18 months

Key Features

Extraterritorial scope targeting non-EU entities processing EU data
Fines up to 4% of global annual turnover
Accountability principle requiring demonstrable compliance via DPIAs
Enhanced data subject rights including erasure and portability
72-hour mandatory data breach notification requirement

Building Health & Wellness

WELL

WELL Building Standard v2

Cost

€€€€

Complexity

High

Implementation Time

12-18 months

Key Features

Mandatory on-site performance verification testing
10 core health concepts with preconditions/optimizations
Point-based certification tiers Bronze-Platinum
Continuous monitoring compliance pathways
Crosswalks with LEED for dual certification

Detailed Analysis

A comprehensive look at the specific requirements, scope, and impact of each standard.

GDPR Details

What It Is

The General Data Protection Regulation (GDPR), officially Regulation (EU) 2016/679, is a binding EU regulation modernizing data privacy. It protects personal data of EU residents with extraterritorial scope, using a risk-based accountability approach replacing the 1995 Directive.

Key Components

Seven core principles: lawfulness, purpose limitation, minimization, accuracy, storage limitation, integrity/confidentiality, accountability.
Data subject rights: access, rectification, erasure ("right to be forgotten"), portability, objection.
Obligations: DPO appointment, DPIAs for high-risk processing, Records of Processing Activities, 72-hour breach notifications.
Enforcement: fines up to €20M or 4% global turnover; one-stop-shop supervision.

Why Organizations Use It

Mandatory for EU data handlers to avoid severe penalties and legal risks. Enhances trust, sets global benchmark (Brussels Effect), aids risk management, supports innovation via privacy-by-design.

Implementation Overview

Gap analysis, policy updates, DPO/DPIA setup, training, vendor contracts. Applies to all sizes/industries processing EU data; ongoing DPA audits, no formal certification.

WELL Details

What It Is

WELL Building Standard (WELL v2) is a performance-based certification framework administered by the International WELL Building Institute (IWBI). It focuses on designing, operating, and verifying buildings to advance human health and well-being through evidence-based strategies. Its people-first approach emphasizes measurable indoor environmental quality and organizational policies across new and existing buildings.

Key Components

**10 core conceptsAir, Water, Nourishment, Light, Movement, Thermal Comfort, Sound, Materials, Mind, Community (plus Innovation).
24 Preconditions (mandatory pass/fail) and 102 Optimizations (point-earning).
Built on public health and building science research.
Certification tiers: Bronze (40 points), Silver (50), Gold (60), Platinum (80) with concept minimums.

Why Organizations Use It

Enhances occupant health, productivity, and ESG reporting.
Differentiates assets with verified performance, supporting higher rents and retention.
Mitigates risks like poor IEQ; complements LEED for holistic sustainability.
Builds stakeholder trust via rigorous verification.

Implementation Overview

Phased: gap analysis, scorecard, documentation, on-site verification, recertification (3 years).
Applies to offices, residential, portfolios globally.
Requires third-party review and performance testing for air, water, etc.

Key Differences

Aspect	GDPR	WELL
Scope	Personal data protection and privacy	Building health, air, water, wellness
Industry	All sectors processing EU data globally	Real estate, construction, operations
Nature	Mandatory EU regulation with fines	Voluntary performance certification
Testing	DPIAs, audits by DPAs	On-site performance verification testing
Penalties	Up to 4% global turnover fines	Loss of certification, no fines

Scope

GDPR

Personal data protection and privacy

WELL

Building health, air, water, wellness

Industry

GDPR

All sectors processing EU data globally

WELL

Real estate, construction, operations

Nature

GDPR

Mandatory EU regulation with fines

WELL

Voluntary performance certification

Testing

GDPR

DPIAs, audits by DPAs

WELL

On-site performance verification testing

Penalties

GDPR

Up to 4% global turnover fines

WELL

Loss of certification, no fines

Frequently Asked Questions

Common questions about GDPR and WELL

GDPR FAQ

WELL FAQ

You Might also be Interested in These Articles...

NIST CSF 2.0 Govern Function Deep Dive: Building Executive Cybersecurity Governance from Scratch

Step-by-step blueprint for NIST CSF 2.0 Govern function: templates, RACI matrices, metrics to elevate cybersecurity governance to boardroom level. Reduce breach

CIS Controls v8.1 for Cloud & Kubernetes: A Practical Implementation Playbook (AWS/Azure/GCP + IaC)

Translate CIS Controls v8.1 to cloud-native: Kubernetes patterns for IAM, logging, vuln mgmt, hardening on AWS, Azure, GCP + IaC. Practical playbook for teams.

Image this: What if GDPR would have NOT been implemented by the EU

What if the EU never implemented GDPR? Explore this hypothetical: consumer data protection in Dec 2025, key differences, pros/cons for users & companies. Read t

Run Maturity Assessments with GRADUM

Transform your compliance journey with our AI-powered assessment platform

Assess your organization's maturity across multiple standards and regulations including ISO 27001, DORA, NIS2, NIST, GDPR, and hundreds more. Get actionable insights and track your progress with collaborative, AI-powered evaluations.

100+ Standards & Regulations

AI-Powered Insights

Collaborative Assessments

Actionable Recommendations

Check out these other Gradum.io Standards Comparison Pages

DORA vs ISO 22301

Discover DORA vs ISO 22301: EU finance ICT resilience regulation vs global BCMS standard. Uncover differences, compliance strategies & boost resilience now!

Six Sigma vs ISO 55001

Six Sigma vs ISO 55001: DMAIC defect mastery meets SAMP asset lifecycle governance. Compare for process excellence, risk control & compliance. Optimize now!

ISO 45001 vs FDA 21 CFR Part 11

Compare ISO 45001 vs FDA 21 CFR Part 11: OH&S risk mgmt & leadership vs electronic records integrity. Unlock integrated compliance insights for life sciences. Optimize now!

GDPR

WELL

Quick Verdict

GDPR

Key Features

WELL

Key Features

Detailed Analysis

GDPR Details

What It Is

Key Components

Why Organizations Use It

Implementation Overview

WELL Details

What It Is

Key Components

Why Organizations Use It

Implementation Overview

Key Differences

Scope

Industry

Nature

Testing

Penalties

Frequently Asked Questions

GDPR FAQ

What is the primary objective of GDPR?

Who is legally or professionally required to comply with GDPR?

Does GDPR require an external audit or third-party certification?

How often should an assessment for GDPR be performed?

What are the consequences of non-compliance with GDPR?

Can GDPR be mapped to other international frameworks?

What is the first step to begin implementing GDPR?

WELL FAQ

What is the primary objective of WELL?

Who is legally or professionally required to comply with WELL?

Does WELL require an external audit or third-party certification?

How often should an assessment for WELL be performed?

What are the consequences of non-compliance with WELL?

Can WELL be mapped to other international frameworks?

What is the first step to begin implementing WELL?

You Might also be Interested in These Articles...

NIST CSF 2.0 Govern Function Deep Dive: Building Executive Cybersecurity Governance from Scratch

CIS Controls v8.1 for Cloud & Kubernetes: A Practical Implementation Playbook (AWS/Azure/GCP + IaC)

Image this: What if GDPR would have NOT been implemented by the EU

Run Maturity Assessments with GRADUM

Check out these other Gradum.io Standards Comparison Pages

DORA vs ISO 22301

Six Sigma vs ISO 55001

ISO 45001 vs FDA 21 CFR Part 11