In This Guide
- GDPR is the EU's comprehensive data protection law, in effect since May 25, 2018, with extraterritorial reach to any organization processing EU residents' data.
- Fines can reach EUR 20 million or 4% of global annual turnover, whichever is higher. Cumulative fines exceed EUR 4.8 billion since 2018.
- Organizations must establish one of six lawful bases before processing personal data, with consent being just one option.
- Eight data subject rights must be operationalized, including access, erasure, portability, and the right to object.
- An independent GDPR assessment provides formal assurance of compliance beyond self-attestation.
What is GDPR?
The General Data Protection Regulation (GDPR) is the European Union's comprehensive data protection law that came into effect on May 25, 2018. It replaced the 1995 Data Protection Directive and represents the most significant change to EU data protection law in over two decades.
GDPR aims to:
- Give individuals control over their personal data
- Simplify the regulatory environment for international business
- Harmonize data protection laws across EU member states
- Strengthen and unify data protection for individuals within the EU
GDPR applies to any organization, wherever it is located, that processes personal data of individuals in the EU (in practice the wider EEA) in the circumstances set out in Article 3: offering them goods or services, or monitoring their behaviour within the EU. This extraterritorial scope is one of GDPR's most significant features.
GDPR by the Numbers
| Metric | Detail |
|---|---|
| Effective Date | May 25, 2018 |
| Applies To | Any organization processing EU residents' personal data |
| Maximum Fine (Upper Tier) | EUR 20 million or 4% of global annual turnover |
| Maximum Fine (Lower Tier) | EUR 10 million or 2% of global annual turnover |
| Cumulative Fines Since 2018 | Over EUR 4.8 billion |
| Data Subject Rights | 8 individual rights |
| Breach Notification Window | 72 hours to supervisory authority |
Who Does GDPR Apply To?
Organizations Established in the EU
Any organization with an establishment in the EU that processes personal data, regardless of whether the processing takes place in the EU.
Organizations Outside the EU (Article 3)
Organizations not established in the EU that process personal data of EU residents when:
- Offering goods or services: Free or paid, to EU data subjects
- Monitoring behavior: Tracking behavior that takes place within the EU
Who is NOT Covered
- Purely personal or household activities
- Law enforcement and national security (separate frameworks apply)
- Organizations with no EU establishment that neither offer goods or services to, nor monitor the behaviour of, individuals in the EU (a non-EU business with EU visitors it tracks is covered even without EU customers)
Key Terms Explained
| Term | Definition |
|---|---|
| Personal Data | Any information relating to an identified or identifiable natural person |
| Data Subject | An identified or identifiable natural person whose data is processed |
| Processing | Any operation performed on personal data (collection, storage, use, deletion) |
| Controller | Entity that determines the purposes and means of processing |
| Processor | Entity that processes personal data on behalf of the controller |
| Special Categories | Article 9 data: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic and biometric data, health, sex life or sexual orientation |
The Seven GDPR Principles
Article 5 establishes the core principles for processing personal data:
1. Lawfulness, Fairness, and Transparency
Personal data must be processed lawfully, fairly, and in a transparent manner.
2. Purpose Limitation
Data must be collected for specified, explicit, and legitimate purposes.
3. Data Minimization
Personal data must be adequate, relevant, and limited to what is necessary.
4. Accuracy
Personal data must be accurate and kept up to date.
5. Storage Limitation
Data must be kept no longer than necessary for the processing purposes.
6. Integrity and Confidentiality
Personal data must be processed securely with appropriate protection.
7. Accountability
The controller must demonstrate compliance with all principles.
Data Subject Rights
- Right to be informed: Know how data is being used
- Right of access: Obtain a copy of personal data
- Right to rectification: Have inaccurate data corrected
- Right to erasure: Have data deleted ("right to be forgotten")
- Right to restrict processing: Limit how data is used
- Right to data portability: Receive data in machine-readable format
- Right to object: Object to processing, including direct marketing
- Rights related to automated decisions: Not be subject to a decision based solely on automated processing, including profiling, that produces legal or similarly significant effects
Key Organizational Obligations
Documentation
- Records of Processing Activities (RoPA)
- Privacy notices and policies
- Data Processing Agreements
- Data Protection Impact Assessments (DPIAs)
Security
- Appropriate technical and organizational measures
- Data protection by design and by default
- Regular testing of security measures
Breach Notification
- Notify the supervisory authority within 72 hours of becoming aware of a breach, unless it is unlikely to result in a risk to individuals
- Notify affected individuals without undue delay if the breach is likely to result in a high risk to them
- Document all breaches
The Six Lawful Bases for Processing
Before processing personal data, organizations must identify and document at least one lawful basis under Article 6:
| Lawful Basis | When It Applies | Common Use Cases |
|---|---|---|
| Consent | Data subject has given clear, specific, informed consent | Marketing emails, cookie tracking, newsletter subscriptions |
| Contract | Processing is necessary to fulfill a contract | Delivering purchased goods, payroll processing, service delivery |
| Legal Obligation | Processing is required by law | Tax reporting, employment law compliance, anti-money laundering |
| Vital Interests | Processing is necessary to protect someone's life | Medical emergencies, disaster response |
| Public Task | Processing is necessary for official authority or public interest | Government functions, public health, archiving |
| Legitimate Interests | Processing is necessary for a legitimate interest, balanced against data subject rights | Fraud prevention, network security, direct marketing to existing customers |
Many organizations default to consent as their lawful basis. However, consent can be withdrawn at any time, making it the most fragile basis. Organizations should evaluate all six bases and select the most appropriate one for each processing activity.
Practical GDPR Compliance Steps
For organizations seeking to achieve and demonstrate GDPR compliance, the following steps provide a structured approach:
Step 1: Data Mapping and Inventory
Identify all personal data you process: what data, whose data, why you process it, where it is stored, who has access, and how long you retain it. This forms the basis of your Records of Processing Activities (RoPA).
Step 2: Legal Basis Assessment
For each processing activity, document the lawful basis. Where consent is relied upon, ensure it meets the GDPR standard: freely given, specific, informed, and unambiguous.
Step 3: Rights Fulfillment Processes
Establish operational processes to handle data subject rights requests (DSARs) within the required timeframe of one month from receipt, extendable by a further two months for complex or numerous requests; the data subject must be told of any extension, and the reasons for it, within the first month.
Step 4: Privacy Notices and Transparency
Update privacy notices to include all information required by Articles 13 and 14: identity of controller, purposes, legal basis, retention periods, rights, and transfer details.
Step 5: Security Measures
Implement appropriate technical and organizational measures proportionate to the risk (Article 32). Consider encryption, pseudonymization, access controls, regular testing of the measures' effectiveness, and staff training.
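Pseudonymization is the one measure in this list that Article 4(5) defines precisely: data processed so that it can no longer be attributed to a specific person without additional information that is kept separately and protected. The following is an added illustration written for this guide, not code from the original page or from Glocert; it uses only Python's standard library, the sample record is constructed, and the key and lookup table stand in for the "additional information" that must be held apart from the pseudonymized copy. It also shows why an unkeyed SHA-256 of an e-mail address is not adequate pseudonymization: anyone with a list of candidate addresses can reverse it.

```python
import hashlib
import hmac
from typing import Dict, List, Optional

# Constructed sample record for illustration only (not real data).
SAMPLE_RECORD = {
    "email": "alice@example.com",
    "customer_id": "C-10293",
    "order_total": 42.50,
    "country": "DE",
}

# Fields that directly identify the data subject. Quasi-identifiers such as
# country or precise timestamps are a separate risk and are not handled here.
DIRECT_IDENTIFIERS = ("email", "customer_id")


class Pseudonymizer:
    """Replace direct identifiers with keyed tokens.

    The HMAC key and the token->value lookup table are the 'additional
    information' of Article 4(5). Whoever receives only the pseudonymized
    records (for example an analytics team) cannot reverse the tokens.
    """

    def __init__(self, key: bytes):
        if len(key) < 32:
            raise ValueError("use a key of at least 256 bits, generated with secrets.token_bytes(32)")
        self._key = key
        self._lookup: Dict[str, str] = {}

    def token(self, field: str, value: str) -> str:
        # Prefix the field name so the same string appearing in two different
        # fields does not produce a linkable token across fields.
        msg = f"{field}:{value}".encode("utf-8")
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def pseudonymize(self, record: dict) -> dict:
        """Return a copy with direct identifiers replaced by tokens."""
        out = dict(record)
        for field in DIRECT_IDENTIFIERS:
            if field in out:
                tok = self.token(field, str(out[field]))
                self._lookup[tok] = out[field]   # kept separately from 'out'
                out[field] = tok
        return out

    def reidentify(self, token: str) -> Optional[str]:
        """Only the holder of the lookup table can map a token back."""
        return self._lookup.get(token)


def naive_hash(value: str) -> str:
    """Unkeyed hash: deterministic and reproducible by anyone."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def dictionary_attack(digest: str, candidates: List[str]) -> Optional[str]:
    """Reverse an unkeyed hash of a low-entropy identifier by guessing."""
    for candidate in candidates:
        if naive_hash(candidate) == digest:
            return candidate
    return None


if __name__ == "__main__":
    import secrets
    p = Pseudonymizer(secrets.token_bytes(32))
    shared_copy = p.pseudonymize(SAMPLE_RECORD)
    print("pseudonymized:", shared_copy)
    print("re-identified by key holder:", p.reidentify(shared_copy["email"]))
    guessed = dictionary_attack(naive_hash("alice@example.com"),
                                ["bob@example.com", "alice@example.com"])
    print("unkeyed hash reversed by guessing:", guessed)
```

The design point is the separation, not the hash: the analytics copy is only pseudonymous while the key and lookup table live in a different system with their own access controls, and it stops being personal data for nobody, so the rest of GDPR still applies to it.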
Step 6: Third-Party Management
Review all data processor relationships. Ensure Data Processing Agreements (DPAs) meeting Article 28 requirements are in place with every processor.
Step 7: Breach Response Preparedness
Establish a breach detection, investigation, and notification procedure. The 72-hour notification window to the supervisory authority starts from when you become aware of the breach.
Step 8: Independent Assessment
Engage an independent assessment body to evaluate your GDPR compliance posture. An independent GDPR assessment provides formal assurance beyond self-attestation, which is increasingly expected by customers, partners, and regulators.
Glocert International conducts independent GDPR compliance assessments, providing organizations with a formal attestation of compliance. Our assessment covers data mapping, lawful bases, rights fulfillment, security measures, breach preparedness, and international transfer mechanisms. Learn more about our GDPR assessment service.
Penalties
| Tier | Maximum Fine | Applies To |
|---|---|---|
| Lower | EUR 10M or 2% global turnover, whichever is higher | Controller and processor obligations (Art. 83(4)): records of processing, security measures, DPIAs, DPO, breach notification, processor contracts |
| Upper | EUR 20M or 4% global turnover, whichever is higher | Basic processing principles and lawful basis, data subject rights, international transfers, non-compliance with supervisory authority orders (Art. 83(5)-(6)) |
Frequently Asked Questions
Does GDPR apply outside the EU?
Yes. GDPR has extraterritorial scope under Article 3. Any organization anywhere in the world that offers goods or services to individuals in the EU, or monitors their behaviour within the EU, must comply with GDPR regardless of where the organization is established.
What is the difference between a data controller and a data processor?
A data controller determines the purposes and means of processing personal data (i.e., decides why and how data is processed). A data processor processes personal data on behalf of the controller (e.g., a cloud provider hosting customer data). Both have obligations under GDPR, but the controller bears primary accountability.
Do I need a Data Protection Officer (DPO)?
A DPO is mandatory under Article 37 if you are a public authority or body, if your core activities involve regular and systematic monitoring of individuals on a large scale, or if your core activities involve processing special categories of data or criminal conviction data on a large scale. Many organizations appoint one voluntarily as best practice.
What is the GDPR breach notification requirement?
Organizations must notify their supervisory authority within 72 hours of becoming aware of a personal data breach that poses a risk to individuals' rights and freedoms. If the breach poses a high risk, affected individuals must also be notified without undue delay.
Can GDPR fines really reach EUR 20 million?
Yes. Upper-tier fines can reach EUR 20 million or 4% of global annual turnover, whichever is higher. Meta (Facebook) received a EUR 1.2 billion fine in 2023 for unlawful data transfers. Amazon received a EUR 746 million fine in 2021. Even smaller organizations face significant fines relative to their size.
Is there a GDPR certification?
GDPR itself does not have a formal certification scheme like ISO standards. However, Article 42 provides for approved certification mechanisms. Independent GDPR compliance assessments, such as those conducted by Glocert International, provide formal attestation of compliance that organizations can use to demonstrate accountability to regulators, customers, and partners.