GDPR
General Data Protection Regulation — EU Regulation (EU) 2016/679
Standard Introduction
The General Data Protection Regulation (GDPR) is the European Union's comprehensive data privacy law that came into effect on May 25, 2018. It governs how organizations collect, use, store, share, and protect personal data of individuals within the EU and European Economic Area (EEA). Despite being an EU regulation, GDPR has extraterritorial reach—any organization worldwide that processes EU residents' personal data must comply. The regulation fundamentally shifted the global approach to data privacy, granting individuals unprecedented control over their personal information and imposing strict accountability requirements on data controllers and processors.
GDPR is built on seven core principles: lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability. Organizations must have a lawful basis for processing (such as consent, contract, legal obligation, or legitimate interest), implement appropriate technical and organizational measures to ensure data security, conduct Data Protection Impact Assessments (DPIAs) for high-risk processing, appoint a Data Protection Officer when required, and report data breaches to supervisory authorities within 72 hours. Non-compliance can result in fines up to €20 million or 4% of global annual turnover, whichever is higher. The regulation also grants individuals rights including access, rectification, erasure (right to be forgotten), data portability, and objection to processing.
Extraterritorial Reach
Applies to any organization worldwide that processes personal data of EU/EEA residents, regardless of where the company is based.
Data Subject Rights
Grants individuals rights to access, rectify, erase, port, and restrict processing of their personal data.
Enforcement & Fines
Supervisory authorities can impose fines up to 4% of global annual turnover or EUR 20 million, whichever is higher.
list_alt Core Principles
- Lawfulness, fairness, and transparency
- Purpose limitation
- Data minimization
- Accuracy
- Storage limitation
- Integrity and confidentiality
- Accountability
Who Needs to Comply?
Any organization worldwide that collects, processes, or stores personal data of EU/EEA residents — including companies with no physical presence in Europe.
Key Requirements
Lawful Basis for Processing
Organizations must establish a valid legal basis (consent, contract, legal obligation, vital interests, public task, or legitimate interests) before processing any personal data.
Data Protection Impact Assessments
Required for high-risk processing activities. Organizations must assess risks to individuals and implement measures to mitigate them before processing begins.
Breach Notification
Data breaches must be reported to the supervisory authority within 72 hours. Affected individuals must also be notified if the breach poses a high risk.
Data Protection Officer (DPO)
Mandatory for public authorities and organizations conducting large-scale systematic monitoring or processing special category data.
International Data Transfers
Transfers outside the EEA require adequate safeguards such as Standard Contractual Clauses (SCCs), Binding Corporate Rules, or adequacy decisions.
Implementation Roadmap
Prepare & establish accountability
Secure executive sponsorship, appoint a data protection lead or DPO where required, and agree a governance model with clear roles. Set up a records-of-processing (ROPA) template and an inventory approach so every business unit knows what is expected.
Data mapping & gap analysis
Map all personal data flows across systems, vendors, and jurisdictions, and complete your ROPA under Art. 30. Assess each activity against GDPR requirements — lawful basis, retention, security, and transfers — to produce a prioritised remediation backlog.
Implement lawful bases, notices & DSAR processes
Assign and document a lawful basis for every processing activity, refresh privacy notices, and stand up an operational data-subject-rights workflow that can meet the one-month DSAR deadline. Where you rely on consent (e.g. cookies, marketing), implement freely-given, granular, revocable consent capture.
Transfers, DPIAs & breach response
Put transfer mechanisms in place (SCCs per Decision 2021/914 with transfer impact assessments, or reliance on the EU-US Data Privacy Framework), and run DPIAs for high-risk activities such as large-scale profiling or AI model training. Deploy a breach-response runbook that can detect, assess, and notify within 72 hours.
Audit, monitor & continuously improve
Establish periodic audits, vendor re-assessments, and DPIA reviews, and track regulatory guidance (EDPB, national DPAs) as it evolves. Maintain training, metrics, and management reporting so accountability is demonstrable on an ongoing basis.
Compliance Checklist
checklist Governance & Accountability
checklist Data Subject Rights
checklist Security & Breach Response
checklist International Transfers
GDPR vs ISO 27001 vs SOC 2
GDPR is a privacy law, while ISO 27001 and SOC 2 are security frameworks that support but do not replace it.
| Aspect | GDPR | ISO 27001 | SOC 2 |
|---|---|---|---|
| Nature / type | Binding data-protection law | International information-security management standard | Attestation framework based on AICPA Trust Services Criteria |
| Primary scope | Processing of personal data and individuals' rights | Organisation-wide information security management system (ISMS) | Controls at a service organisation over security (and optionally availability, confidentiality, privacy) |
| Mandatory? | Legally mandatory when in scope | Voluntary, though often contractually required | Voluntary, commonly demanded by enterprise customers |
| Geographic focus | EU/EEA data subjects, with extraterritorial reach | Global, jurisdiction-neutral | Primarily US market, used globally |
| Certification / attestation | No official certification; accountability must be demonstrated | Accredited certification against the standard | Independent auditor report (Type I or Type II) |
| How they complement each other | Sets the legal privacy obligations that must be met | Provides the security controls that satisfy GDPR's 'appropriate measures' | Demonstrates operating effectiveness of those controls to customers |
Common Misconceptions
Legitimate interest is a free pass to process any data you want.
Legitimate interest requires a documented balancing test and fails whenever individuals' rights override your interest; it is unsuitable for intrusive tracking, special-category data, or processing people would not reasonably expect.
GDPR only applies to companies based in the EU.
Art. 3 extends GDPR to any organisation worldwide that targets or monitors individuals in the EU/EEA, so a company with no EU presence can still be fully in scope and may need an EU representative.
You always need consent to process personal data.
Consent is only one of six lawful bases; contract, legal obligation, and legitimate interest are often more appropriate, and relying on consent when another basis fits can create unnecessary friction and revocation risk.
GDPR is just an IT security requirement.
Security is only part of it — GDPR governs lawful basis, transparency, purpose limitation, data-subject rights, transfers, and accountability, so a technically secure system can still be seriously non-compliant.
Small businesses and startups are exempt.
There is no size-based exemption; the core principles, rights, and breach obligations apply to any organisation processing in-scope personal data, with only narrow relief such as reduced record-keeping for some firms under 250 employees.
Having a privacy policy on the website means we're compliant.
A privacy notice is one required artefact, not proof of compliance — accountability demands a lawful basis for each activity, a ROPA, working data-subject processes, transfer safeguards, and demonstrable security controls behind the words.
Penalties & Enforcement
Fines up to EUR 20 million or 4% of global annual turnover (whichever is higher). Supervisory authorities can also order processing bans and data erasure.
Frequently Asked Questions
Does GDPR apply to companies outside the EU (for example in the US or Asia)?
expand_more
Yes. Under Art. 3, GDPR applies to any organisation, wherever established, that offers goods or services to individuals in the EU/EEA or monitors their behaviour. A US or Asian company with no EU office can still be fully in scope and may need to appoint an EU representative under Art. 27.
What is a lawful basis, and when can I rely on legitimate interest?
expand_more
Every processing activity needs one of the six lawful bases in Art. 6 (consent, contract, legal obligation, vital interests, public task, or legitimate interests). Legitimate interest is available when you have a genuine business need that is not overridden by the individual's rights, but you must document a Legitimate Interests Assessment (LIA) balancing test. It cannot be used to justify processing people would not reasonably expect, and it is generally unsuitable for sensitive data or intrusive tracking.
When is a DPIA required?
expand_more
A Data Protection Impact Assessment is mandatory when processing is likely to result in a high risk to individuals — for example large-scale profiling, systematic monitoring of public areas, processing of special-category data at scale, or many AI and automated-decision systems. National DPAs publish lists of operations that always require one. If the DPIA shows residual high risk you cannot mitigate, you must consult your supervisory authority before starting.
Do I need to appoint a Data Protection Officer (DPO)?
expand_more
A DPO is mandatory if you are a public authority, if your core activities involve regular and systematic large-scale monitoring, or if you process special-category or criminal-offence data at large scale. Many organisations appoint one voluntarily as good practice. The DPO must be independent, report to the highest management level, and cannot be penalised for performing the role.
How do I handle a data subject access request (DSAR)?
expand_more
Verify the requester's identity, then provide a copy of their personal data and the required contextual information (purposes, recipients, retention, sources) within one month, free of charge in most cases. The deadline can be extended by two further months for complex or numerous requests, provided you inform the individual. Have a repeatable process to locate data across all systems, and redact third-party information appropriately.
What are the rules for international transfers after Schrems II?
expand_more
Schrems II invalidated the Privacy Shield and confirmed that Standard Contractual Clauses remain valid only if the data receives essentially equivalent protection in the destination. For transfers to non-adequate countries you must use the 2021 SCCs (Decision 2021/914), perform a Transfer Impact Assessment, and add supplementary measures (such as encryption) where local law undermines the safeguards. Transfers to certified US organisations can now rely on the EU-US Data Privacy Framework adopted in 2023.
What must I do within 72 hours of a personal data breach?
expand_more
You must notify the competent supervisory authority within 72 hours of becoming aware of a breach, unless it is unlikely to result in a risk to individuals. The notification should describe the nature of the breach, the categories and approximate numbers affected, the likely consequences, and the measures taken. If the breach is likely to cause high risk, you must also inform affected individuals without undue delay, and you must log the incident internally regardless of whether it is reportable.
How does GDPR apply to AI and large-scale data processing, including model training?
expand_more
GDPR applies to any personal data used to train, fine-tune, or run AI systems, so you need a documented lawful basis for the training data and must respect purpose limitation and data minimisation. High-risk AI and large-scale profiling typically require a DPIA, and you must be transparent about the logic involved. Where AI makes solely automated decisions with legal or similarly significant effects, Art. 22 gives individuals the right to human intervention and to contest the outcome.
What are the consent requirements for cookies and tracking?
expand_more
Non-essential cookies and similar tracking technologies generally require prior, freely-given, specific, informed, and unambiguous opt-in consent — pre-ticked boxes and cookie walls that force acceptance are not valid. Users must be able to reject as easily as they accept, and you must be able to demonstrate that consent was obtained. The ePrivacy rules operate alongside GDPR, so a legitimate-interest basis is not usually available for advertising or analytics cookies.
How long can I keep personal data (retention limits)?
expand_more
GDPR sets no fixed retention period; instead the storage-limitation principle requires you to keep data only as long as necessary for the purpose it was collected for. You should define, document, and enforce retention periods per data category, justified by business need or legal obligation, and then securely delete or anonymise data. A written retention schedule is the practical way to demonstrate compliance.
How are GDPR fines calculated, and how large can they be?
expand_more
There are two tiers: up to €10M or 2% of global annual turnover for lower-level breaches (e.g. records, security), and up to €20M or 4% of global annual turnover for more serious breaches (e.g. core principles, lawful basis, data-subject rights) — whichever is higher. Regulators weigh factors such as the nature, gravity, and duration of the infringement, whether it was intentional, mitigation efforts, and cooperation. Fines are not automatic, but non-compliance can also trigger orders to stop processing, which is often more disruptive.
What is the difference between a controller and a processor?
expand_more
A controller determines the purposes and means of processing personal data, while a processor acts only on the controller's documented instructions. Controllers carry primary accountability, but processors have direct obligations too — including security, sub-processor controls, breach notification to the controller, and assisting with data-subject rights. The relationship must be governed by a written Data Processing Agreement (Art. 28).
Are small businesses or non-profits exempt from GDPR?
expand_more
No. GDPR applies regardless of organisation size or profit motive whenever you process the personal data of individuals in scope. Small organisations get limited relief — for example, those under 250 employees are exempt from parts of the record-keeping duty unless processing is not occasional, is high-risk, or involves special-category data — but the core principles, rights, and breach rules still apply.
Official Documentation
GDPR Official Text (EU) 2016/679
PDF • 1.8 MB • All EU Languages • Regulation
EUR-Lex Official Portal
External Link • eur-lex.europa.eu • Official EU Law
GDPR Compliance Toolkit
ZIP • 28 MB • Templates, Checklists & DPIAs