verified_user
Standardful
Homechevron_rightStandardschevron_rightGDPR
ActiveInternational Standardupdate Standard Updated: May 2018fact_check Fact checked: Jun 28, 2026

GDPR

General Data Protection Regulation — EU Regulation (EU) 2016/679

apartmentPublishing Organization:European Union

Standard Introduction

The General Data Protection Regulation (GDPR) is the European Union's comprehensive data privacy law that came into effect on May 25, 2018. It governs how organizations collect, use, store, share, and protect personal data of individuals within the EU and European Economic Area (EEA). Despite being an EU regulation, GDPR has extraterritorial reach—any organization worldwide that processes EU residents' personal data must comply. The regulation fundamentally shifted the global approach to data privacy, granting individuals unprecedented control over their personal information and imposing strict accountability requirements on data controllers and processors.

GDPR is built on seven core principles: lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability. Organizations must have a lawful basis for processing (such as consent, contract, legal obligation, or legitimate interest), implement appropriate technical and organizational measures to ensure data security, conduct Data Protection Impact Assessments (DPIAs) for high-risk processing, appoint a Data Protection Officer when required, and report data breaches to supervisory authorities within 72 hours. Non-compliance can result in fines up to €20 million or 4% of global annual turnover, whichever is higher. The regulation also grants individuals rights including access, rectification, erasure (right to be forgotten), data portability, and objection to processing.

public

Extraterritorial Reach

Applies to any organization worldwide that processes personal data of EU/EEA residents, regardless of where the company is based.

person

Data Subject Rights

Grants individuals rights to access, rectify, erase, port, and restrict processing of their personal data.

gavel

Enforcement & Fines

Supervisory authorities can impose fines up to 4% of global annual turnover or EUR 20 million, whichever is higher.

list_alt Core Principles

  • Lawfulness, fairness, and transparency
  • Purpose limitation
  • Data minimization
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality
  • Accountability

Who Needs to Comply?

groups

Any organization worldwide that collects, processes, or stores personal data of EU/EEA residents — including companies with no physical presence in Europe.

Key Requirements

1

Lawful Basis for Processing

Organizations must establish a valid legal basis (consent, contract, legal obligation, vital interests, public task, or legitimate interests) before processing any personal data.

2

Data Protection Impact Assessments

Required for high-risk processing activities. Organizations must assess risks to individuals and implement measures to mitigate them before processing begins.

3

Breach Notification

Data breaches must be reported to the supervisory authority within 72 hours. Affected individuals must also be notified if the breach poses a high risk.

4

Data Protection Officer (DPO)

Mandatory for public authorities and organizations conducting large-scale systematic monitoring or processing special category data.

5

International Data Transfers

Transfers outside the EEA require adequate safeguards such as Standard Contractual Clauses (SCCs), Binding Corporate Rules, or adequacy decisions.

Implementation Roadmap

1
Phase 1schedule Duration: 2-4 weeks

Prepare & establish accountability

Secure executive sponsorship, appoint a data protection lead or DPO where required, and agree a governance model with clear roles. Set up a records-of-processing (ROPA) template and an inventory approach so every business unit knows what is expected.

2
Phase 2schedule Duration: 4-8 weeks

Data mapping & gap analysis

Map all personal data flows across systems, vendors, and jurisdictions, and complete your ROPA under Art. 30. Assess each activity against GDPR requirements — lawful basis, retention, security, and transfers — to produce a prioritised remediation backlog.

3
Phase 3schedule Duration: 6-10 weeks

Implement lawful bases, notices & DSAR processes

Assign and document a lawful basis for every processing activity, refresh privacy notices, and stand up an operational data-subject-rights workflow that can meet the one-month DSAR deadline. Where you rely on consent (e.g. cookies, marketing), implement freely-given, granular, revocable consent capture.

4
Phase 4schedule Duration: 6-12 weeks

Transfers, DPIAs & breach response

Put transfer mechanisms in place (SCCs per Decision 2021/914 with transfer impact assessments, or reliance on the EU-US Data Privacy Framework), and run DPIAs for high-risk activities such as large-scale profiling or AI model training. Deploy a breach-response runbook that can detect, assess, and notify within 72 hours.

5
Phase 5schedule Duration: Ongoing

Audit, monitor & continuously improve

Establish periodic audits, vendor re-assessments, and DPIA reviews, and track regulatory guidance (EDPB, national DPAs) as it evolves. Maintain training, metrics, and management reporting so accountability is demonstrable on an ongoing basis.

Compliance Checklist

0 / 20

checklist Governance & Accountability

checklist Data Subject Rights

checklist Security & Breach Response

checklist International Transfers

GDPR vs ISO 27001 vs SOC 2

GDPR is a privacy law, while ISO 27001 and SOC 2 are security frameworks that support but do not replace it.

AspectGDPRISO 27001SOC 2
Nature / typeBinding data-protection lawInternational information-security management standardAttestation framework based on AICPA Trust Services Criteria
Primary scopeProcessing of personal data and individuals' rightsOrganisation-wide information security management system (ISMS)Controls at a service organisation over security (and optionally availability, confidentiality, privacy)
Mandatory?Legally mandatory when in scopeVoluntary, though often contractually requiredVoluntary, commonly demanded by enterprise customers
Geographic focusEU/EEA data subjects, with extraterritorial reachGlobal, jurisdiction-neutralPrimarily US market, used globally
Certification / attestationNo official certification; accountability must be demonstratedAccredited certification against the standardIndependent auditor report (Type I or Type II)
How they complement each otherSets the legal privacy obligations that must be metProvides the security controls that satisfy GDPR's 'appropriate measures'Demonstrates operating effectiveness of those controls to customers

Common Misconceptions

cancel
Myth

Legitimate interest is a free pass to process any data you want.

check_circle
Reality

Legitimate interest requires a documented balancing test and fails whenever individuals' rights override your interest; it is unsuitable for intrusive tracking, special-category data, or processing people would not reasonably expect.

cancel
Myth

GDPR only applies to companies based in the EU.

check_circle
Reality

Art. 3 extends GDPR to any organisation worldwide that targets or monitors individuals in the EU/EEA, so a company with no EU presence can still be fully in scope and may need an EU representative.

cancel
Myth

You always need consent to process personal data.

check_circle
Reality

Consent is only one of six lawful bases; contract, legal obligation, and legitimate interest are often more appropriate, and relying on consent when another basis fits can create unnecessary friction and revocation risk.

cancel
Myth

GDPR is just an IT security requirement.

check_circle
Reality

Security is only part of it — GDPR governs lawful basis, transparency, purpose limitation, data-subject rights, transfers, and accountability, so a technically secure system can still be seriously non-compliant.

cancel
Myth

Small businesses and startups are exempt.

check_circle
Reality

There is no size-based exemption; the core principles, rights, and breach obligations apply to any organisation processing in-scope personal data, with only narrow relief such as reduced record-keeping for some firms under 250 employees.

cancel
Myth

Having a privacy policy on the website means we're compliant.

check_circle
Reality

A privacy notice is one required artefact, not proof of compliance — accountability demands a lawful basis for each activity, a ROPA, working data-subject processes, transfer safeguards, and demonstrable security controls behind the words.

Penalties & Enforcement

warning

Fines up to EUR 20 million or 4% of global annual turnover (whichever is higher). Supervisory authorities can also order processing bans and data erasure.

Frequently Asked Questions

Does GDPR apply to companies outside the EU (for example in the US or Asia)?

expand_more

Yes. Under Art. 3, GDPR applies to any organisation, wherever established, that offers goods or services to individuals in the EU/EEA or monitors their behaviour. A US or Asian company with no EU office can still be fully in scope and may need to appoint an EU representative under Art. 27.

What is a lawful basis, and when can I rely on legitimate interest?

expand_more

Every processing activity needs one of the six lawful bases in Art. 6 (consent, contract, legal obligation, vital interests, public task, or legitimate interests). Legitimate interest is available when you have a genuine business need that is not overridden by the individual's rights, but you must document a Legitimate Interests Assessment (LIA) balancing test. It cannot be used to justify processing people would not reasonably expect, and it is generally unsuitable for sensitive data or intrusive tracking.

When is a DPIA required?

expand_more

A Data Protection Impact Assessment is mandatory when processing is likely to result in a high risk to individuals — for example large-scale profiling, systematic monitoring of public areas, processing of special-category data at scale, or many AI and automated-decision systems. National DPAs publish lists of operations that always require one. If the DPIA shows residual high risk you cannot mitigate, you must consult your supervisory authority before starting.

Do I need to appoint a Data Protection Officer (DPO)?

expand_more

A DPO is mandatory if you are a public authority, if your core activities involve regular and systematic large-scale monitoring, or if you process special-category or criminal-offence data at large scale. Many organisations appoint one voluntarily as good practice. The DPO must be independent, report to the highest management level, and cannot be penalised for performing the role.

How do I handle a data subject access request (DSAR)?

expand_more

Verify the requester's identity, then provide a copy of their personal data and the required contextual information (purposes, recipients, retention, sources) within one month, free of charge in most cases. The deadline can be extended by two further months for complex or numerous requests, provided you inform the individual. Have a repeatable process to locate data across all systems, and redact third-party information appropriately.

What are the rules for international transfers after Schrems II?

expand_more

Schrems II invalidated the Privacy Shield and confirmed that Standard Contractual Clauses remain valid only if the data receives essentially equivalent protection in the destination. For transfers to non-adequate countries you must use the 2021 SCCs (Decision 2021/914), perform a Transfer Impact Assessment, and add supplementary measures (such as encryption) where local law undermines the safeguards. Transfers to certified US organisations can now rely on the EU-US Data Privacy Framework adopted in 2023.

What must I do within 72 hours of a personal data breach?

expand_more

You must notify the competent supervisory authority within 72 hours of becoming aware of a breach, unless it is unlikely to result in a risk to individuals. The notification should describe the nature of the breach, the categories and approximate numbers affected, the likely consequences, and the measures taken. If the breach is likely to cause high risk, you must also inform affected individuals without undue delay, and you must log the incident internally regardless of whether it is reportable.

How does GDPR apply to AI and large-scale data processing, including model training?

expand_more

GDPR applies to any personal data used to train, fine-tune, or run AI systems, so you need a documented lawful basis for the training data and must respect purpose limitation and data minimisation. High-risk AI and large-scale profiling typically require a DPIA, and you must be transparent about the logic involved. Where AI makes solely automated decisions with legal or similarly significant effects, Art. 22 gives individuals the right to human intervention and to contest the outcome.

What are the consent requirements for cookies and tracking?

expand_more

Non-essential cookies and similar tracking technologies generally require prior, freely-given, specific, informed, and unambiguous opt-in consent — pre-ticked boxes and cookie walls that force acceptance are not valid. Users must be able to reject as easily as they accept, and you must be able to demonstrate that consent was obtained. The ePrivacy rules operate alongside GDPR, so a legitimate-interest basis is not usually available for advertising or analytics cookies.

How long can I keep personal data (retention limits)?

expand_more

GDPR sets no fixed retention period; instead the storage-limitation principle requires you to keep data only as long as necessary for the purpose it was collected for. You should define, document, and enforce retention periods per data category, justified by business need or legal obligation, and then securely delete or anonymise data. A written retention schedule is the practical way to demonstrate compliance.

How are GDPR fines calculated, and how large can they be?

expand_more

There are two tiers: up to €10M or 2% of global annual turnover for lower-level breaches (e.g. records, security), and up to €20M or 4% of global annual turnover for more serious breaches (e.g. core principles, lawful basis, data-subject rights) — whichever is higher. Regulators weigh factors such as the nature, gravity, and duration of the infringement, whether it was intentional, mitigation efforts, and cooperation. Fines are not automatic, but non-compliance can also trigger orders to stop processing, which is often more disruptive.

What is the difference between a controller and a processor?

expand_more

A controller determines the purposes and means of processing personal data, while a processor acts only on the controller's documented instructions. Controllers carry primary accountability, but processors have direct obligations too — including security, sub-processor controls, breach notification to the controller, and assisting with data-subject rights. The relationship must be governed by a written Data Processing Agreement (Art. 28).

Are small businesses or non-profits exempt from GDPR?

expand_more

No. GDPR applies regardless of organisation size or profit motive whenever you process the personal data of individuals in scope. Small organisations get limited relief — for example, those under 250 employees are exempt from parts of the record-keeping duty unless processing is not occasional, is high-risk, or involves special-category data — but the core principles, rights, and breach rules still apply.

Official Documentation

View All

Implementation Timeline

description
Jan 2012
European Commission proposes replacing the 1995 Data Protection Directive with a directly applicable EU regulation
gavel
Apr 2016
Regulation (EU) 2016/679 (GDPR) formally adopted by the European Parliament and Council
check_circle
May 2018
GDPR becomes applicable across the EU/EEA, replacing national laws transposing the 1995 directive
warning
Jul 2020
CJEU Schrems II (Case C-311/18) invalidates the EU-US Privacy Shield and tightens international transfer rules
sync
Jun 2021
Commission Decision 2021/914 publishes updated Standard Contractual Clauses for international transfers
public
Jul 2023
EU-US Data Privacy Framework adequacy decision adopted, restoring a streamlined transfer mechanism
smart_toy
Jul 2024
EDPB clarifies legitimate-interest basis for AI training; DPC and noyb actions force consent-flow changes for generative AI
handshake
May 2025
Political agreement on the GDPR Procedural Regulation harmonising cross-border cooperation between supervisory authorities
update
2026
Procedural Regulation enters into force alongside continuing enforcement at the GDPR / EU AI Act intersection

Related Categories