GDPR
GDPR governs how organisations handle EU residents' personal data worldwide. Learn the seven principles, lawful bases, breach rules, and what compliance requires.
What is GDPR?
GDPR stands for the General Data Protection Regulation, the European Union's comprehensive data protection law, which came into force on 25 May 2018. It governs how organisations collect, store, process, and transfer personal data about individuals in the European Union, and applies to any organisation anywhere in the world that processes EU residents' personal data, regardless of where that organisation is based.
GDPR replaced the 1995 EU Data Protection Directive with a regulation, meaning it became directly enforceable law across all EU member states without requiring national transposition, and dramatically raised both the standards for personal data handling and the penalties for failing to meet them. Maximum fines reach €20 million or 4% of global annual turnover, whichever is higher.
That penalty structure got attention. What followed was a global wave of GDPR compliance programmes that, in many organisations, revealed how little operational visibility actually existed over personal data.
Who GDPR applies to
GDPR's territorial scope is broader than many organisations initially assumed. It applies to two categories of entity.
Data controllers are organisations that determine the purposes and means of processing personal data. If you collect customer information, process employee records, or use personal data to make decisions, you're a data controller. Controllers carry the primary compliance obligations.
Data processors are organisations that process personal data on behalf of a controller — cloud providers, SaaS vendors, data analytics firms, marketing agencies. Processors have direct obligations under GDPR and must sign data processing agreements with controllers.
The extraterritorial scope clause is what makes GDPR apply globally. Any organisation outside the EU that offers goods or services to EU residents, or monitors the behaviour of EU residents, falls within GDPR's scope. A US e-commerce company selling to European customers processes their personal data under GDPR. An Indian SaaS company whose European users' data is processed in its platform is a data processor under GDPR.
The seven GDPR principles
GDPR's requirements are built on seven data protection principles that define how personal data must be handled at every stage of its lifecycle.
Lawfulness, fairness, and transparency
Processing must have a legal basis, must be fair to the data subject, and must be transparent about how data is used. Individuals must know their data is being collected and how it will be processed.
Purpose limitation
Personal data collected for one purpose cannot be used for a different, incompatible purpose. Collecting email addresses for order confirmations and then using them for unrelated marketing without consent violates purpose limitation.
Data minimisation
Only the minimum data necessary for the stated purpose should be collected and retained. Collecting additional personal data "in case it's useful later" violates this principle.
Accuracy
Personal data must be kept accurate and up to date. Inaccurate data must be corrected or deleted without delay.
Storage limitation
Personal data should not be retained longer than necessary for the purpose for which it was collected. Indefinite retention without a justified ongoing purpose violates this principle.
Integrity and confidentiality
Personal data must be processed with appropriate security: protection against unauthorised access, accidental loss, destruction, and damage. This is the principle that directly drives GDPR's technical security requirements (see Article 32 below).
Accountability
Controllers must be able to demonstrate compliance with all of the above. Accountability isn't just about having policies — it's about being able to prove that policies are followed in practice.
Lawful bases for processing
Every processing activity must have one of six lawful bases. Processing without a lawful basis is unlawful regardless of how carefully the other principles are followed.
Consent requires a freely given, specific, informed, and unambiguous indication of agreement. Pre-ticked boxes, bundled consent, and consent tied to service provision as a condition don't meet GDPR's standard. Consent can be withdrawn at any time, and withdrawal must be as easy as giving consent.
Contract applies when processing is necessary to perform a contract with the data subject, or to take steps at their request before entering a contract. Processing a customer's address to deliver their order is necessary for contract performance.
Legal obligation covers processing required to comply with law, such as retaining employee payroll records for tax purposes.
Vital interests covers situations where processing is necessary to protect someone's life, typically applied in emergency medical situations.
Public task covers processing necessary for the performance of a task in the public interest or the exercise of official authority.
Legitimate interests is the most flexible basis, covering processing necessary for the legitimate interests of the controller or a third party, provided those interests aren't overridden by the data subject's interests or fundamental rights. It requires a balancing test and cannot be used for processing carried out by public authorities.
Individual rights
GDPR grants individuals eight rights over their personal data that organisations must be operationally equipped to fulfil.
Right to be informed
Individuals must be told what data is collected, why, how long it's kept, and who it's shared with, typically through a privacy notice.
Right of access
Individuals can request a copy of all personal data held about them, known as a Subject Access Request (SAR). Responses are required within one month.
Right to rectification
Inaccurate personal data must be corrected within one month of a request.
Right to erasure
Also called the "right to be forgotten," this allows individuals to request deletion of their personal data in specific circumstances: when the data is no longer necessary, when consent is withdrawn, or when processing was unlawful.
Right to restrict processing
Individuals can request that their data not be actively processed in certain circumstances, such as while a dispute about accuracy is resolved.
Right to data portability
Where processing is based on consent or contract and carried out by automated means, individuals can request their data in a machine-readable format for transfer to another controller.
Right to object
Individuals can object to processing based on legitimate interests or public task, and to direct marketing processing at any time.
Rights related to automated decision-making
Individuals have the right not to be subject to decisions made solely by automated processing that produce significant effects, including profiling, without human intervention.
Each of these rights creates an operational requirement: an organisation must be able to find, compile, correct, delete, or export an individual's personal data across all systems in which it exists, within defined timeframes. That's only possible with a current, comprehensive data inventory.
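The following is an added example, not code from the original page. It models the operational point made above: a central inventory of the systems that hold personal data (the kind of record Article 30 asks for) drives every subject-rights action, so access, portability and erasure are executed across all systems rather than the ones someone happens to remember. The inventory, the in-memory "systems", the subject `ana@example.org` and the simplified erasure rule (data held under a legal obligation is retained, everything else deleted) are all constructed assumptions for illustration.

```python
"""Fulfilling data-subject rights from a central data inventory (added example)."""
import calendar
import json
from datetime import date

# Constructed inventory: each system holding personal data, its purpose and lawful basis.
INVENTORY = {
    "crm":        {"lawful_basis": "contract",             "purpose": "order fulfilment"},
    "newsletter": {"lawful_basis": "consent",              "purpose": "marketing"},
    "payroll":    {"lawful_basis": "legal_obligation",     "purpose": "tax records"},
    "analytics":  {"lawful_basis": "legitimate_interests", "purpose": "fraud detection"},
}

# Constructed system contents, keyed by subject identifier (an e-mail address here).
SYSTEMS = {
    "crm":        {"ana@example.org": {"name": "Ana", "address": "1 Rue Example"}},
    "newsletter": {"ana@example.org": {"opted_in": "2023-02-01"}},
    "payroll":    {"ana@example.org": {"tax_id": "FR-CONSTRUCTED-001"}},
    "analytics":  {"ana@example.org": {"risk_score": 12}},
}

# Assumption: portability (Art. 20) covers only consent- and contract-based processing.
PORTABLE_BASES = {"consent", "contract"}


def locate(subject: str) -> dict:
    """Find every inventoried system that currently holds data on the subject."""
    found = {}
    for system in INVENTORY:  # the inventory, not memory, decides where to look
        record = SYSTEMS.get(system, {}).get(subject)
        if record is not None:
            found[system] = record
    return found


def access_request(subject: str) -> dict:
    """Right of access: the data itself plus purpose and lawful basis per system."""
    return {system: {"data": record, **INVENTORY[system]}
            for system, record in locate(subject).items()}


def portability_export(subject: str) -> str:
    """Right to portability: a machine-readable export, restricted to portable bases."""
    portable = {system: record for system, record in locate(subject).items()
                if INVENTORY[system]["lawful_basis"] in PORTABLE_BASES}
    return json.dumps(portable, sort_keys=True)


def erasure_request(subject: str) -> dict:
    """Right to erasure under the simplified rule stated above.

    Returns which systems were wiped and which retained the data and why,
    so the organisation can document the outcome (accountability principle).
    """
    erased, retained = [], {}
    for system in locate(subject):
        basis = INVENTORY[system]["lawful_basis"]
        if basis == "legal_obligation":
            retained[system] = basis
        else:
            del SYSTEMS[system][subject]
            erased.append(system)
    return {"erased": sorted(erased), "retained": retained}


def response_deadline(received_iso: str) -> str:
    """One-month response window, clamped to the last day of a shorter month."""
    received = date.fromisoformat(received_iso)
    if received.month == 12:
        year, month = received.year + 1, 1
    else:
        year, month = received.year, received.month + 1
    day = min(received.day, calendar.monthrange(year, month)[1])
    return date(year, month, day).isoformat()


if __name__ == "__main__":
    print(json.dumps(access_request("ana@example.org"), indent=2))
    print(portability_export("ana@example.org"))
    print(erasure_request("ana@example.org"), "->", list(locate("ana@example.org")))
```

The point of the design is that `locate` iterates over the inventory rather than a hard-coded list of connectors: a system missing from the inventory is a system whose data will silently survive an erasure request and be absent from an access response, which is exactly the gap the text describes.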
Breach notification requirements
GDPR's breach notification requirements are among the most operationally demanding provisions. They have two components.
Supervisory authority notification is required within 72 hours of the data controller becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals' rights and freedoms. "Becoming aware" starts the clock, not completing the investigation and not confirming the full scope. The notification must include the nature of the breach, categories and approximate number of individuals affected, categories and approximate number of personal data records involved, likely consequences, and measures taken or proposed.
Individual notification is required without undue delay when a breach is likely to result in a high risk to individuals' rights and freedoms, for example when the breach could enable identity theft or financial harm.
The 72-hour window creates pressure that reveals data security programme maturity quickly. An organisation that doesn't know where its personal data is can't determine breach scope within 72 hours. An organisation without continuous lineage tracking can't determine how far the breach propagated. An organisation without immutable audit trails can't produce the evidence the notification requires.
GDPR breach notification is ultimately an argument for investing in data discovery, classification, and lineage before an incident occurs, not as a response to one.
What GDPR compliance actually requires technically
GDPR's principles create specific technical requirements that compliance programmes must operationalise.
Data inventory (Article 30)
Records of processing activities must be maintained in writing, made available to supervisory authorities on request, and kept current. This is a continuous data inventory requirement, not a one-time exercise.
Data protection by design and by default (Article 25)
Privacy must be built into systems and processes from the start, not added as an afterthought. Data minimisation must be the default, not an opt-in. This creates requirements for access controls, encryption, and purpose-limiting technical controls.
Security of processing (Article 32)
Appropriate technical and organisational measures must be implemented to ensure a level of security appropriate to the risk. GDPR specifically mentions encryption, pseudonymisation, ongoing confidentiality and integrity, availability and resilience of processing systems, and regular testing and evaluation of security measures.
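As an added example of one of the measures Article 32 names (pseudonymisation), not code from the original page: direct identifiers are replaced with a keyed hash (HMAC-SHA-256) and the re-identification table is kept with the controller, while the analyst receives only the pseudonymised dataset. The sample records, the demo key and the `purchases` attribute are constructed. The key is what separates this from plain hashing: an unkeyed hash of e-mail addresses can be reversed by hashing a list of candidate addresses, whereas the pseudonym cannot be recomputed without the key, and using a different key per purpose prevents two pseudonymised datasets from being linked.

```python
"""Pseudonymisation with a separately held key (added example)."""
import hashlib
import hmac
import secrets

# Constructed sample: direct identifier alongside the attributes an analyst needs.
RECORDS = [
    {"email": "ana@example.org", "country": "FR", "purchases": 3},
    {"email": "Ben@example.org", "country": "DE", "purchases": 1},
    {"email": "ANA@example.org", "country": "FR", "purchases": 2},
]

# Demo key only. In practice: secrets.token_bytes(32), stored in a secrets manager
# away from the dataset and from the team that receives it.
DEMO_KEY = b"constructed-demo-key-not-for-real-use"


def pseudonym(identifier: str, key: bytes) -> str:
    """Keyed, deterministic pseudonym for one identifier.

    Normalising case keeps one person to one pseudonym; HMAC keeps the mapping
    unrecoverable for anyone who holds the dataset but not the key.
    """
    digest = hmac.new(key, identifier.strip().lower().encode(), hashlib.sha256)
    return digest.hexdigest()


def pseudonymise(records: list, key: bytes) -> tuple:
    """Split records into (dataset for analysis, re-identification table)."""
    dataset, lookup = [], {}
    for record in records:
        p = pseudonym(record["email"], key)
        lookup[p] = record["email"].strip().lower()       # controller keeps this
        dataset.append({"subject": p,                      # analyst gets this
                        **{k: v for k, v in record.items() if k != "email"}})
    return dataset, lookup


def purchases_per_subject(dataset: list) -> dict:
    """Analysis still works on pseudonyms: aggregate per subject without identities."""
    totals = {}
    for row in dataset:
        totals[row["subject"]] = totals.get(row["subject"], 0) + row["purchases"]
    return totals


def reidentify(p: str, lookup: dict):
    """Only the key/table holder can map a pseudonym back to a person."""
    return lookup.get(p)


def new_key() -> bytes:
    """Fresh 256-bit key; use one per purpose or dataset to prevent cross-linking."""
    return secrets.token_bytes(32)


if __name__ == "__main__":
    dataset, lookup = pseudonymise(RECORDS, DEMO_KEY)
    for row in dataset:
        print(row)
    for p, total in purchases_per_subject(dataset).items():
        print(p[:12], total, "->", reidentify(p, lookup))
```

Pseudonymised data is still personal data under GDPR as long as the controller can re-identify it, so the table and key fall under the same access controls and retention limits as the original identifiers; what pseudonymisation buys is that a leak of the dataset alone is far less likely to result in the high risk that triggers individual notification.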
Data protection impact assessments (Article 35)
High-risk processing activities require formal DPIAs before processing begins. A DPIA requires understanding the full scope of the processing activity — which data types are involved, how data flows, what risks exist, and what mitigations are in place.
International transfers
Personal data can only be transferred outside the EU under specific conditions: to countries with adequacy decisions, under Standard Contractual Clauses, under Binding Corporate Rules, or under other approved mechanisms. Transfers must be documented.
The real thread connecting all of these technical requirements is the same: you can't demonstrate compliance with any of them without knowing where your personal data is, how it flows, who can access it, and whether the current state of your systems matches your stated policies. That continuous visibility is what operationalises GDPR compliance.
GDPR fines and enforcement
GDPR's two-tier penalty structure has produced some of the largest data protection fines in history.
Administrative fines at the lower tier reach €10 million or 2% of global annual turnover for violations of provisions including records of processing activities, data protection by design, processor obligations, and breach notification.
Administrative fines at the upper tier reach €20 million or 4% of global annual turnover for violations of core principles, lawful bases for processing, consent conditions, and data subject rights.
Notable enforcement actions include: Meta fined €1.2 billion by the Irish DPC for unlawful data transfers; Amazon fined €746 million by Luxembourg; Google fined €150 million by France's CNIL; British Airways and Marriott fined hundreds of millions immediately after GDPR came into force following data breaches.
Frequently asked questions
What does GDPR stand for?
GDPR stands for General Data Protection Regulation. It is the European Union's comprehensive data protection law, which came into force on 25 May 2018, governing how organisations collect, store, process, and transfer personal data about individuals in the EU.
Who does GDPR apply to?
GDPR applies to any organisation that processes personal data about EU residents, regardless of where the organisation is based. Organisations based outside the EU that offer goods or services to EU residents, or that monitor the behaviour of EU residents, fall within GDPR's scope.
What is the GDPR breach notification requirement?
GDPR requires data controllers to notify their supervisory authority within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals. When a breach is likely to result in a high risk to individuals, the affected individuals must also be notified without undue delay.
What are the GDPR fines?
GDPR fines operate on two tiers. The lower tier reaches €10 million or 2% of global annual turnover for violations including breach notification failures and records requirements. The upper tier reaches €20 million or 4% of global annual turnover for violations of core principles, lawful bases, and data subject rights. The higher of the two figures applies.
What is a lawful basis under GDPR?
Every GDPR processing activity requires a lawful basis. The six lawful bases are: consent from the data subject, necessity for contract performance, compliance with a legal obligation, protection of vital interests, performance of a public task, and legitimate interests of the controller or a third party, subject to a balancing test.
