RiskWatch
Compliance guide · ~11 min read · Updated June 2026

What is GDPR?

GDPR stands for the General Data Protection Regulation, the EU's data privacy law (Regulation (EU) 2016/679). Enforceable since 25 May 2018, it governs how organisations collect, use, and protect the personal data of people in the EU and EEA, gives individuals strong rights over their data, and backs the rules with fines of up to €20 million or 4% of global annual turnover.

Type: EU Regulation
In force: 25 May 2018
Citation: (EU) 2016/679
Max fine: €20M / 4%
01 · Definition

What is GDPR?

GDPR stands for the General Data Protection Regulation. It is the European Union's comprehensive data privacy law, formally Regulation (EU) 2016/679. It was adopted in April 2016 and became enforceable on 25 May 2018, replacing the 1995 Data Protection Directive and harmonising data protection law across all EU member states.

At its core, GDPR does two things. It gives individuals (called data subjects) a set of strong, enforceable rights over their personal data, and it places obligations on the organisations that handle that data to process it lawfully, transparently, and securely. Because it is a regulation rather than a directive, it applies directly in every member state without needing national implementing laws.

"The protection of natural persons in relation to the processing of personal data is a fundamental right."
(GDPR, Recital 1)
Data subject

The living individual whose personal data is being processed. GDPR exists to protect them.

Data controller

The organisation that decides why and how personal data is processed. Carries primary accountability.

Data processor

A party that processes data on the controller's behalf and instructions, such as a SaaS vendor.

02 · Scope

Who GDPR applies to

GDPR's reach is famously broad. It is not limited to European companies, and that surprises a lot of organisations the first time they read Article 3.

GDPR applies to the processing of personal data of individuals who are in the EU and EEA. Critically, it applies regardless of where the organisation doing the processing is based. This is the regulation's extraterritorial scope.

A company headquartered in the United States, with no office or staff in Europe, still falls under GDPR if it does either of two things: offers goods or services to people in the EU (even free ones), or monitors the behaviour of people in the EU (for example through web analytics, cookies, or ad tracking). That is why GDPR became a global standard rather than a regional one.

It binds two roles. Controllers decide the purposes and means of processing and carry primary accountability. Processors act on a controller's instructions and have their own direct obligations. Both must be able to demonstrate compliance, which is where the accountability principle bites.

03 · The principles

The seven principles of GDPR

Article 5 sets out seven principles that underpin every obligation in the regulation. Get these right and most of the detailed rules follow; get them wrong and you are exposed to the upper tier of fines.

01 · Lawfulness, fairness, transparency

Process personal data lawfully, fairly, and in a way people can understand. Every processing activity needs a lawful basis and clear notice.

02 · Purpose limitation

Collect data for specified, explicit, legitimate purposes and do not later use it in ways incompatible with those purposes.

03 · Data minimisation

Collect only what is adequate, relevant, and limited to what is necessary for the purpose. No just-in-case hoarding.

04 · Accuracy

Keep personal data accurate and up to date, and erase or correct inaccurate data without delay.

05 · Storage limitation

Keep data in identifiable form no longer than necessary for the purpose. Define and enforce retention periods.

06 · Integrity and confidentiality

Protect data with appropriate security against unauthorised processing, loss, or damage, using technical and organisational measures.

07 · Accountability

Be able to demonstrate compliance with all of the above. This is the principle that turns GDPR into a documentation discipline.

04 · Lawful basis

The six lawful bases for processing

You cannot process personal data just because it is useful. Article 6 requires at least one of six lawful bases for every processing purpose, and you should identify and document it before you start, not after.

Consent

The individual has given clear, freely given, specific, informed, and unambiguous agreement to the processing. Must be as easy to withdraw as to give.

Contract

Processing is necessary to perform a contract with the individual, or to take steps at their request before entering one.

Legal obligation

Processing is necessary to comply with a legal obligation the controller is subject to (excluding contractual obligations).

Vital interests

Processing is necessary to protect someone's life, typically in medical emergencies where consent cannot be obtained.

Public task

Processing is necessary to perform a task in the public interest or in the exercise of official authority.

Legitimate interests

Processing is necessary for the legitimate interests of the controller or a third party, balanced against the individual's rights and freedoms.

Consent gets the most attention, but it is often the weakest choice for routine business processing because it can be withdrawn at any time. Many organisations rely on contract or legitimate interests for core operations and reserve consent for things like marketing. Special category data (health, biometrics, and similar) needs an additional condition under Article 9 on top of the Article 6 basis.

05 · Individual rights

The eight data subject rights

GDPR gives individuals eight rights over their personal data. You generally have one month to respond to a request, and you need a repeatable workflow, not a scramble, to meet that deadline.

The right to be informed

People must be told, in clear privacy notices, what data you collect, why, the lawful basis, how long you keep it, and who you share it with.

The right of access

Individuals can request a copy of their personal data and supplementary information, usually within one month and free of charge.

The right to rectification

Individuals can have inaccurate personal data corrected and incomplete data completed.

The right to erasure

The "right to be forgotten." Individuals can ask for deletion in defined circumstances, such as when data is no longer needed or consent is withdrawn.

The right to restrict processing

Individuals can ask you to limit how you use their data, for example while a dispute over accuracy is resolved.

The right to data portability

Individuals can obtain and reuse their data across services, receiving it in a structured, commonly used, machine-readable format.

The right to object

Individuals can object to processing based on legitimate interests or public task, and to direct marketing at any time.

Rights related to automated decision-making

Individuals have rights around solely automated decision-making and profiling that produces legal or similarly significant effects.

06 · Key obligations

Breach notification, DPOs, and DPIAs

Beyond the principles and rights, three operational obligations come up in almost every GDPR programme.

72-hour breach notification

Notify your supervisory authority without undue delay and within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals. Tell affected individuals too where the risk is high.

Data Protection Officer

Required for public authorities and organisations whose core activities involve large-scale monitoring or large-scale special category processing. The DPO advises, monitors, and is the contact for the regulator.

Data Protection Impact Assessment

Required before high-risk processing. A DPIA documents the risk to individuals and the measures to reduce it. Learn more in our privacy impact assessment guide.

07 · Enforcement

Fines and enforcement

GDPR is enforced by national supervisory authorities (data protection authorities), coordinated by the European Data Protection Board. Article 83 sets two tiers of administrative fines, and they are calculated on global, not local, turnover.

Lower tier
€10M or 2%

Whichever is higher; the percentage is of total worldwide annual turnover. Applies to obligations like records of processing, security of processing, and breach notification.

Upper tier
€20M or 4%

Whichever is higher; the percentage is of total worldwide annual turnover. Applies to breaches of the core principles, lawful basis, and data subject rights.

Fines are not the only consequence. Supervisory authorities can also order you to stop processing, and individuals can claim compensation for damage. In practice, the largest GDPR fines to date have run into the hundreds of millions of euros, and most enforcement actions hinge on whether the organisation could demonstrate accountability: records, assessments, and a documented basis for what it did.

08 · Implementation

How to comply with GDPR

Seven steps that move an organisation from exposed to defensible. The through-line is accountability: every step produces an artifact you can show a regulator.

  1. Map your data and processing

     Build a record of processing activities (Article 30): what personal data you hold, where it came from, why you process it, who you share it with, and where it flows. You cannot govern data you have not mapped.

  2. Establish a lawful basis for each activity

     Assign one of the six lawful bases to every processing purpose and document the reasoning. For consent-based processing, fix your consent capture and withdrawal mechanisms.

  3. Update notices and consent

     Rewrite privacy notices to be clear and complete, and make consent granular, opt-in, and as easy to withdraw as to give. Remove pre-ticked boxes and bundled consent.

  4. Operationalise data subject rights

     Stand up a workflow to handle access, erasure, rectification, and the other rights inside the one-month deadline, with identity verification and an audit trail.

  5. Run DPIAs for high-risk processing

     Where processing is likely to result in high risk to individuals, complete a Data Protection Impact Assessment before you start, and consult your supervisory authority if residual risk stays high.

  6. Lock down security and breach response

     Implement appropriate technical and organisational measures, and build a breach process that can notify your supervisory authority within 72 hours and affected individuals where the risk is high.

  7. Govern processors and transfers

     Put Article 28 data processing agreements in place with every processor, and use a valid transfer mechanism (such as Standard Contractual Clauses or an adequacy decision) for data leaving the EEA.

Make accountability provable
Run GDPR on a platform that produces the evidence.

RiskWatch ships a pre-built GDPR assessment mapped to a shared control library, runs DPIAs, tracks remediation to closure, and keeps a timestamped record, the accountability artifact every supervisory authority asks for first.

09 · Frequently asked

GDPR, answered

The questions people search most when they first encounter the regulation.

What does GDPR stand for?

GDPR stands for the General Data Protection Regulation. It is an EU law, formally Regulation (EU) 2016/679, that governs how organisations collect, use, and protect the personal data of individuals in the European Union and European Economic Area. It was adopted in 2016 and became enforceable on 25 May 2018, replacing the 1995 Data Protection Directive.

What is GDPR in simple terms?

GDPR is the EU's data privacy law. It gives individuals control over their personal data and sets rules that any organisation handling that data must follow: have a lawful reason to process it, only collect what you need, keep it secure, be transparent about what you do with it, and honour people's rights to see, correct, and delete it. Organisations that break the rules can be fined heavily.

Who does GDPR apply to?

GDPR applies to any organisation that processes the personal data of individuals in the EU/EEA, regardless of where the organisation itself is located. A US company with no EU office still falls under GDPR if it offers goods or services to people in the EU or monitors their behaviour (for example through analytics or ad tracking). This extraterritorial reach is set out in Article 3.

What counts as personal data under GDPR?

Personal data is any information relating to an identified or identifiable living individual: names, email addresses, location data, IP addresses, online identifiers, and more. A subset called special category data (health, race, religion, biometrics, sexual orientation, political opinions, and similar) gets extra protection and generally needs a stronger condition than ordinary personal data to process.

What are the seven GDPR principles?

Article 5 sets out seven principles: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality (security); and accountability. The seventh, accountability, requires you to be able to demonstrate compliance with the other six, which is what makes GDPR a documentation and evidence discipline rather than a one-time project.

What are the GDPR fines?

GDPR has two tiers of administrative fines under Article 83. The lower tier is up to €10 million or 2% of total worldwide annual turnover, whichever is higher, for issues like inadequate records or security. The upper tier is up to €20 million or 4% of total worldwide annual turnover, whichever is higher, for serious breaches such as violating the core principles, lawful basis, or data subject rights.

What is the difference between a data controller and a data processor?

A data controller decides why and how personal data is processed; a data processor processes data on the controller's behalf and under its instructions. A SaaS customer is usually the controller and the SaaS vendor the processor. Controllers carry primary accountability, but processors have direct obligations too, and the two must sign an Article 28 data processing agreement.

What is a DPIA?

A Data Protection Impact Assessment (DPIA) is a structured process to identify and minimise the data protection risks of a processing activity. GDPR Article 35 requires a DPIA before processing that is likely to result in a high risk to individuals, such as large-scale profiling, monitoring public areas, or processing special category data at scale. It is the GDPR equivalent of a privacy impact assessment.

Do I need a Data Protection Officer (DPO)?

You must appoint a DPO if you are a public authority, or if your core activities involve large-scale regular and systematic monitoring of individuals, or large-scale processing of special category data. Many other organisations appoint one voluntarily. The DPO advises on compliance, monitors it, and acts as the contact point for the supervisory authority and data subjects.

How long do you have to report a GDPR breach?

A controller must notify the competent supervisory authority of a personal data breach without undue delay and, where feasible, no later than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to individuals. Where the breach is likely to result in a high risk to individuals, the controller must also notify the affected individuals without undue delay.
From the regulation to a defensible programme

Turn GDPR accountability into provable evidence.

A pre-built GDPR assessment, DPIA support, cross-mapped controls, and a timestamped audit trail. 30-day free trial, no credit card.
