The GDPR has been in force since 2018, but enforcement is intensifying and interpretations keep shifting. Every company that handles EU personal data must comply — and the cost of getting it wrong keeps rising.
GDPR stands for General Data Protection Regulation. Adopted in 2016 and in force since May 2018, it is the EU's legal framework governing how organisations collect, store, use, and protect personal data of EU residents. It applies to any organisation worldwide that processes EU personal data — regardless of where that organisation is based.
Since its introduction, GDPR has fundamentally changed how businesses must think about data. It is not a checkbox exercise — it requires ongoing processes, documented accountability, and a culture of data protection embedded across the organisation.
Data must be processed on a valid legal basis and individuals must be informed about how their data is used.
Data collected for a specific purpose cannot be repurposed without clear justification and, in many cases, fresh consent.
Only collect and process what is strictly necessary for the stated purpose. Excess data creates excess liability.
Personal data must be kept accurate and up to date. Reasonable steps must be taken to correct or erase inaccurate data.
Data should not be kept longer than necessary for its purpose. Retention policies must be documented and enforced.
Appropriate security measures must protect data from unauthorised access, loss, destruction, or damage.
Organisations must be able to demonstrate compliance with all the above principles — not just claim it. Documentation, policies, and records are essential evidence.
Individuals must be told how and why their data is collected and used, in clear and accessible language.
Individuals can request a copy of all personal data an organisation holds about them, free of charge.
Individuals can have inaccurate or incomplete personal data corrected without undue delay.
Also known as the 'right to be forgotten' — individuals can request deletion of their data in certain circumstances.
Individuals can request that processing of their data be limited while a dispute or query is resolved.
Individuals can request their data in a structured, machine-readable format to transfer to another provider.
Individuals can object to processing based on legitimate interests, direct marketing, or research purposes.
Individuals have the right not to be subject to solely automated decisions that have significant effects on them.
Document all data processing activities within your organisation — who is responsible, what data is processed, for what purpose, and where it flows.
Establish and document the legal basis for every processing activity. Processing without a valid lawful basis is unlawful under GDPR.
Provide clear, accessible privacy information to data subjects at the point of collection. Notices must be concise, transparent, and written in plain language.
Embed privacy into systems, products, and processes from the outset — not as an afterthought. Privacy must be the default setting.
Conduct Data Protection Impact Assessments (DPIAs) before undertaking high-risk processing activities. A DPIA is required by law when the processing is likely to result in a high risk to individuals.
Notify the supervisory authority within 72 hours of becoming aware of a personal data breach. If the breach is likely to result in a high risk to individuals, notify them directly without undue delay.
Non-compliance also risks reputational damage and erosion of customer trust that can outlast any fine, operational disruption from enforcement investigations, and potential civil claims from affected individuals. The full cost of a data breach or enforcement action is almost always greater than the fine itself.
Start with the free GDPR Quick Check to benchmark your compliance in 5 minutes. Then go deeper with the Full GDPR Assessment — including a draft Record of Processing Activities and fine exposure analysis.