
GDPR & Data Protection (Free Overview)

The General Data Protection Regulation is the world's most influential privacy law. It applies to every organisation that handles the personal data of EU residents — and enforcement is accelerating across all member states.

  • Regulation (EU) 2016/679
  • In force since May 2018
  • Extra-territorial scope

The General Data Protection Regulation

The General Data Protection Regulation (GDPR), Regulation (EU) 2016/679, came into force on 25 May 2018 and remains the most influential data privacy law in the world. It establishes a comprehensive framework for how organisations must collect, store, process, and transfer the personal data of individuals in the European Union and European Economic Area.

What makes GDPR unusual — and powerful — is its extra-territorial scope. It applies not only to organisations established in the EU, but to any organisation anywhere in the world that offers goods or services to EU residents, or that monitors the behaviour of individuals in the EU. A US-based SaaS company with European customers is subject to GDPR. A Brazilian e-commerce platform shipping to Germany is subject to GDPR. The regulation follows the data subject, not the controller's address.

GDPR is built on a set of principles that govern all personal data processing, a catalogue of individual rights that organisations must be able to fulfil, and a series of specific obligations covering transparency, security, accountability, and cross-border data transfers. Non-compliance can result in fines of up to €20 million or 4% of global annual turnover — whichever is higher — enforced by national data protection authorities across all 27 EU member states.

Since 2018, national DPAs have issued well over €4 billion in fines. Enforcement has intensified year on year, with recurring violation types including unlawful cookie consent, insufficient legal basis for marketing, inadequate data processor agreements, and failures to honour data subject rights requests within the statutory 30-day window.

Scope: controllers, processors, and data subjects

GDPR applies to any organisation that processes personal data of natural persons who are in the EU or EEA, regardless of where the organisation itself is located. There is no company size threshold — a sole trader running an email list of EU subscribers is subject to GDPR.

GDPR distinguishes between two main roles:

  • Data Controllers determine the purposes and means of processing personal data. The controller bears primary accountability under GDPR — they decide why and how data is processed.
  • Data Processors process data on behalf of a controller (e.g. cloud providers, payroll processors, email marketing platforms). Processors must have a Data Processing Agreement (DPA) in place and are subject to specific GDPR obligations.

Personal data is defined broadly: any information that can directly or indirectly identify a living natural person. This includes names, email addresses, IP addresses, cookie identifiers, location data, biometric data, health records, and much more.

Article 5: The foundation of GDPR

Article 5 of GDPR sets out seven principles that govern all personal data processing. Every processing activity must comply with all seven:

Lawfulness, Fairness & Transparency

Processing must have a valid legal basis (Art. 6), be fair to the data subject, and be transparent — individuals must know what data is collected and why.

Purpose Limitation

Data collected for one stated purpose cannot be repurposed for a different, incompatible use. Secondary use requires either consent or a compatible purpose assessment.

Data Minimisation

Only collect and process the personal data that is strictly necessary for the specified purpose. Collecting data "just in case" is not compliant.

Accuracy

Personal data must be kept accurate and, where necessary, up to date. Organisations must take reasonable steps to erase or rectify inaccurate data without delay.

Storage Limitation

Personal data must not be kept longer than necessary for its purpose. Organisations need documented retention schedules and deletion processes.

Integrity & Confidentiality

Appropriate technical and organisational security measures must be in place to protect data against unauthorised access, loss, destruction, or accidental damage.

The seventh principle — Accountability — runs across all others. Controllers must not merely comply with these principles but must be able to demonstrate compliance at any time, through documented policies, records, assessments, and governance structures.

Eight rights you must be able to fulfil

GDPR grants individuals (data subjects) eight rights which organisations must be able to respond to, generally within 30 calendar days of receipt. Failure to respond, or responding inadequately, is itself a GDPR violation.

1. Right of Access (Art. 15)

Individuals can request a copy of all personal data held about them and information about how it is processed.

2. Right to Rectification (Art. 16)

Individuals can require correction of inaccurate personal data and completion of incomplete data.

3. Right to Erasure (Art. 17)

The "right to be forgotten" — individuals can request deletion of their data in certain circumstances, including withdrawal of consent.

4. Right to Data Portability (Art. 20)

Individuals can request their data in a structured, machine-readable format to transfer to another service provider.

5. Right to Restriction (Art. 18)

Processing can be restricted (but not deleted) while accuracy is contested or a legitimate interest assessment is pending.

6. Right to Object (Art. 21)

Individuals can object to processing based on legitimate interests or for direct marketing purposes — the latter is an absolute right.

7. Right Not to Be Profiled (Art. 22)

Individuals have the right not to be subject to solely automated decisions that produce significant effects on them, unless specific conditions are met.

8. Right to Withdraw Consent (Art. 7)

Where consent is the legal basis for processing, it must be as easy to withdraw as to give. Withdrawal must take immediate effect.

Tiered fines and enforcement

GDPR establishes a two-tier penalty regime. Fines are determined based on the nature, gravity, and duration of the infringement, the number of data subjects affected, the degree of cooperation with the supervisory authority, and whether the organisation took steps to mitigate the damage.

Tier 1
  Maximum fine: €10 million or 2% of global annual turnover (whichever is higher)
  Applicable violations: violations of controller/processor obligations (Art. 8, 11, 25–39, 42–43), including data security requirements, breach notification, and DPA agreements

Tier 2
  Maximum fine: €20 million or 4% of global annual turnover (whichever is higher)
  Applicable violations: the most serious infringements, namely breaches of the basic principles (Art. 5–7, 9), data subject rights (Art. 12–22), international transfers (Art. 44–49), and non-compliance with supervisory authority orders

Beyond fines, national DPAs can issue reprimands, temporary or permanent bans on processing, and orders to comply. Data subjects can also bring civil claims for non-material damage (distress, anxiety) in addition to material damage. Class action-style representative complaints are increasingly common.

What every organisation must do

  • Establish a legal basis for every processing activity — document the specific Art. 6 ground (consent, contract, legal obligation, vital interests, public task, or legitimate interests) for each type of processing.
  • Maintain Records of Processing Activities (RoPA) — Art. 30 requires controllers with 250+ employees (and smaller organisations in high-risk contexts) to maintain a documented inventory of all processing activities.
  • Publish clear privacy notices — individuals must be informed at the point of data collection about the identity of the controller, purposes, legal basis, retention periods, their rights, and cross-border transfers.
  • Report personal data breaches within 72 hours — Art. 33 requires notification to the competent DPA within 72 hours of becoming aware of a personal data breach that poses a risk to individuals' rights and freedoms.
  • Implement appropriate technical and organisational security measures — based on a risk assessment, including encryption, access controls, pseudonymisation, and regular security testing.

Premium Deep-Dive: key articles explained, sector implications & full compliance checklist

Key Articles Explained

Art. 6: Legal Basis for Processing

Six lawful grounds: consent (must be freely given, specific, informed, unambiguous); contract (processing necessary to perform a contract with the data subject); legal obligation; vital interests; public task; legitimate interests (requires a balancing test — the controller's interests must not override the individual's rights and freedoms).

Art. 7: Conditions for Consent

Consent must be demonstrated, freely given, specific to a purpose, informed (clear language), and unambiguous. Pre-ticked boxes are not valid. Consent to different processing activities must be obtained separately. Records of when and how consent was obtained must be kept.

Art. 13–14: Transparency Obligations

Art. 13 applies when data is collected directly from the data subject; Art. 14 when obtained from third parties. Both require the same core information: controller identity, DPO contact details, purposes and legal basis, recipients, retention periods, rights information, and right to withdraw consent or lodge a complaint.

Art. 17: Right to Erasure

Individuals can request erasure when data is no longer necessary; consent is withdrawn with no other legal basis; they object and there are no overriding legitimate grounds; data was unlawfully processed; or erasure is required by EU or member state law. Important exceptions apply for freedom of expression, legal claims, and public health.

Art. 28: Data Processing Agreements

Every relationship where a third party processes personal data on your behalf requires a written DPA. The DPA must cover: subject matter and duration, nature and purpose of processing, type of data, categories of data subjects, and the processor's obligations — including restrictions on sub-processing and assistance with data subject rights.

Art. 30: Records of Processing Activities (RoPA)

Mandatory for most organisations. The RoPA must document: controller name and contact, purposes of processing, categories of data subjects and personal data, recipients, international transfers, retention periods, and security measures. Must be maintained in writing and available to the supervisory authority on request.

Art. 32: Security of Processing

Controllers and processors must implement "appropriate" technical and organisational measures, considering the state of the art, costs, nature, scope, context, and risk. Examples given by the Regulation include pseudonymisation, encryption, resilience, backup, and regular testing. "Appropriate" means proportionate to the risk — not necessarily the highest possible standard.

Art. 33–34: Personal Data Breach Notification

Art. 33: notify your lead DPA within 72 hours of becoming aware of a breach likely to result in risk to individuals' rights and freedoms — unless the breach is "unlikely to result in a risk". Art. 34: notify affected individuals "without undue delay" if the breach is likely to result in high risk. Document all breaches regardless of whether notification is required.

Art. 35: Data Protection Impact Assessment (DPIA)

Mandatory before processing that is "likely to result in a high risk" — including large-scale processing of sensitive data, systematic profiling, large-scale public monitoring, and any processing operation on the supervisory authority's published list of operations that require a DPIA. The DPIA must assess the necessity, proportionality, and risks of the processing, and set out mitigation measures.

Sector Implications

Technology & SaaS

Tech companies are typically both controllers (for their own employee and customer data) and processors (for their customers' end-user data). The dual role requires careful legal structuring: service agreements must contain Art. 28 DPAs, sub-processors must be disclosed, and technical architecture must support data deletion and portability. Cookie consent — enforced under the ePrivacy Directive in conjunction with GDPR — is a near-universal compliance challenge.

Healthcare

Health data is "special category" data under Art. 9, requiring an additional legal basis beyond the Art. 6 grounds. Processing health data requires explicit consent or reliance on Art. 9(2)(h) (healthcare provision). DPIAs are typically mandatory. Breach notification timelines are strictly enforced given the sensitivity of health information.

Financial Services

Banks and fintechs process personal data at scale across multiple purposes: credit assessment, fraud prevention, regulatory compliance, and customer communication. Each purpose requires its own legal basis. Automated credit decisions trigger Art. 22 (no solely automated decisions with significant effects) unless specific conditions are met. Tension between GDPR data minimisation and AML record-keeping obligations requires careful management.

Retail & E-commerce

Cookie consent banners, email marketing consent, loyalty programme data retention, and cross-border payment data flows are the primary GDPR touchpoints for retail. The "legitimate interests" basis for personalised marketing has been significantly narrowed by DPA guidance and CJEU case law — explicit consent is often the only defensible basis.

Full Compliance Checklist

1. Map all personal data flows across your organisation — what data is collected, where it's stored, who can access it, and where it goes (data mapping / Records of Processing Activities)
2. Identify and document the legal basis (Art. 6 ground) for each processing activity — create or update your RoPA (Art. 30)
3. Review and update all privacy notices to ensure they meet Arts. 13–14 requirements (purposes, retention, rights, transfers)
4. Audit your cookie consent implementation — confirm it meets the freely given, specific, informed, unambiguous standard and that analytics/marketing cookies are not loaded before consent
5. Execute written Data Processing Agreements with all third-party processors (cloud storage, payroll, email marketing, CRM, etc.)
6. Build a data subject rights fulfilment process — verify you can respond to access, deletion, rectification, and portability requests within 30 days
7. Implement a personal data breach response procedure — detection, assessment, internal escalation, DPA notification (72 hours), and individual notification where required
8. Assess whether you need to appoint a Data Protection Officer (DPO) — mandatory for public authorities, organisations engaging in large-scale systematic monitoring, or large-scale special category data processing
9. Review all international data transfers — confirm adequacy decisions, SCCs, BCRs, or other transfer mechanisms are in place for any transfers outside the EEA
10. Conduct Data Protection Impact Assessments (DPIAs) for any high-risk processing activities (large-scale profiling, special category data, systematic public monitoring)
11. Implement technical security measures proportionate to the risk: encryption at rest and in transit, access controls, pseudonymisation where appropriate, and regular penetration testing
12. Train all staff who handle personal data on GDPR obligations, your internal policies, and how to recognise and escalate a potential data breach

How to Use the Verdaio GDPR Tools

Verdaio offers two complementary tools for GDPR compliance. The GDPR Quick Check covers 24 questions across six compliance areas (lawful basis, rights, data security, breach response, processors, and records) and delivers an instant gap analysis showing which areas are at risk and which GDPR articles are implicated — free, no signup required.

The Full GDPR Assessment + RoPA is a premium deep-dive that goes beyond the quick check to produce a draft Record of Processing Activities (Article 30), a fine exposure analysis based on your specific gaps, and a prioritised remediation roadmap. It is designed to give compliance teams and DPOs a structured starting point for their GDPR programme.
