GDPR Compliance: The Complete Guide for Organisations in 2026
August 12, 2025
Updated: February 22, 2026
24 min read
Data Protection
The General Data Protection Regulation (GDPR) remains the most comprehensive and influential data protection framework in the world. Since its enforcement on 25 May 2018, supervisory authorities across the EU have issued fines totalling over EUR 4.5 billion, with penalties reaching as high as EUR 1.2 billion in a single case. Whether you are building a compliance programme from scratch or auditing existing practices, this guide covers every aspect of GDPR you need to understand and implement.
Key Takeaways
GDPR applies to any organisation worldwide that processes personal data of individuals in the EU/EEA.
Fines reach up to EUR 20 million or 4% of global annual turnover — whichever is higher.
There are seven core principles and six lawful bases for processing personal data.
Data breaches must be reported to the supervisory authority within 72 hours.
A Data Protection Officer (DPO) is mandatory for public authorities and bodies, for organisations whose core activities involve large-scale regular and systematic monitoring of individuals, and for those whose core activities involve large-scale processing of special category or criminal conviction data.
GDPR works alongside NIS2, DORA, and the AI Act — compliance with one supports the others.
Regulation (EU) 2016/679, known as the General Data Protection Regulation (GDPR), is a comprehensive data protection law that governs how organisations collect, process, store, and share personal data of individuals in the European Union and European Economic Area. It was adopted on 14 April 2016 and became enforceable on 25 May 2018, replacing the 1995 Data Protection Directive (95/46/EC).
Unlike a directive, GDPR is a regulation — it applies directly across all EU member states without requiring national transposition for its core provisions. This ensures a harmonised standard of data protection across Europe.
Why does GDPR matter globally? Over 150 countries have enacted data protection legislation influenced by GDPR. It has become the de facto global standard. Compliance with GDPR often satisfies a significant portion of requirements in other jurisdictions (Brazil's LGPD, California's CCPA/CPRA, South Korea's PIPA, etc.).
Who Must Comply?
GDPR has an intentionally broad scope. It applies to two categories of organisations:
Controllers and Processors

| Role | Definition | Examples |
|---|---|---|
| Controller | Determines the purposes and means of processing personal data | An employer processing staff HR records; an online shop processing customer orders |
| Processor | Processes personal data on behalf of, and only on the documented instructions of, a controller (Article 28) | A cloud hosting provider, payroll bureau or e-mail delivery service acting for the controller |
Both controllers and processors have direct obligations under GDPR, though controllers bear primary responsibility for compliance.
Territorial Scope (Article 3)
GDPR applies when any of the following conditions is met:
Establishment in the EU — The organisation has any establishment (office, branch, subsidiary) in the EU, regardless of where processing takes place.
Offering goods or services — The organisation offers goods or services to individuals in the EU, even if free of charge. Indicators include: using EU languages, accepting EUR, referencing EU customers.
Monitoring behaviour — The organisation monitors the behaviour of individuals in the EU (e.g., website tracking, profiling, location monitoring).
Practical example: A US-based SaaS company with no EU office but EU customers who pay in EUR and whose behaviour is tracked via analytics is fully subject to GDPR. Because it has no EU establishment, it must also designate an EU representative under Article 27, unless the narrow Article 27(2) exemption applies (occasional processing that involves no large-scale special category or criminal data and is unlikely to pose a risk to individuals).
The Seven GDPR Principles
Article 5 establishes seven principles that underpin all GDPR requirements. Every processing activity must comply with all seven simultaneously.
1. Lawfulness, Fairness, and Transparency
Lawful — processed only with a valid legal basis (Article 6)
Fair — processed in ways individuals would reasonably expect
Transparent — individuals must be clearly informed about how their data is used
2. Purpose Limitation
Data must be collected for specified, explicit, and legitimate purposes
Must not be further processed in ways incompatible with those purposes
Exception: further processing for archiving in the public interest, scientific or historical research, or statistical purposes is not considered incompatible with the original purpose, provided the Article 89 safeguards are in place
3. Data Minimisation
Only collect data that is adequate, relevant, and limited to what is necessary
Never collect data "just in case" — every data element must serve the stated purpose
4. Accuracy
Personal data must be accurate and kept up to date
Inaccurate data must be corrected or erased without delay
5. Storage Limitation
Data must be kept in identifiable form only as long as necessary for the stated purpose
Establish and document retention periods for every data category
Delete or anonymise data when the retention period expires
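The storage limitation principle is only as good as the job that enforces it. The following is an added example (not code from the original article) of a retention enforcer that applies a documented schedule to a set of records, deleting expired records in some categories and reducing others to allow-listed statistical fields so they can be kept outside the "identifiable form" the principle restricts. The schedule, categories and records are constructed for the demonstration; real retention periods come from your own retention policy and the laws that apply to you.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Hypothetical retention schedule: category -> (retention period, action at expiry).
# The periods are illustrative placeholders, not legal advice; real values come from
# the organisation's documented retention policy (and, for invoices, tax law).
RETENTION_SCHEDULE = {
    "support_ticket": (timedelta(days=365), "delete"),
    "invoice": (timedelta(days=10 * 365), "delete"),
    "web_analytics": (timedelta(days=90), "anonymise"),
}

# Allow-list of fields that may survive anonymisation, per category. Everything not
# listed (e-mail, IP address, user id, free text) is dropped, so a newly added
# identifying field is removed by default instead of slipping through a block-list.
STATISTICAL_FIELDS = {
    "web_analytics": {"country", "page", "device_class"},
}


@dataclass
class Record:
    record_id: str
    category: str
    created: date
    data: dict


def anonymise(record: Record) -> dict:
    """Reduce a record to allow-listed aggregate fields plus a year-month bucket."""
    allowed = STATISTICAL_FIELDS.get(record.category, set())
    out = {k: v for k, v in record.data.items() if k in allowed}
    out["month"] = record.created.strftime("%Y-%m")
    return out


def enforce_retention(records, today):
    """Apply the schedule as of `today`.

    Returns (kept, deleted_ids, anonymised_rows, unscheduled_ids). Records whose
    category has no schedule entry are kept and reported, never silently deleted:
    an unscheduled category is itself a compliance finding to fix in the policy.
    """
    kept, deleted, anonymised, unscheduled = [], [], [], []
    for rec in records:
        if rec.category not in RETENTION_SCHEDULE:
            unscheduled.append(rec.record_id)
            kept.append(rec)
            continue
        period, action = RETENTION_SCHEDULE[rec.category]
        if rec.created + period > today:      # still inside the retention period
            kept.append(rec)
        elif action == "delete":
            deleted.append(rec.record_id)
        else:
            anonymised.append(anonymise(rec))
    return kept, deleted, anonymised, unscheduled


# Constructed sample data for the demonstration (not real records).
SAMPLE_RECORDS = [
    Record("t1", "support_ticket", date(2024, 1, 10), {"email": "a@example.com", "issue": "login"}),
    Record("t2", "support_ticket", date(2025, 12, 1), {"email": "b@example.com", "issue": "refund"}),
    Record("w1", "web_analytics", date(2025, 10, 1),
           {"ip": "203.0.113.7", "user_id": "u42", "country": "DE",
            "page": "/pricing", "device_class": "mobile"}),
    Record("x1", "marketing_lead", date(2020, 5, 5), {"email": "c@example.com"}),
]


def run_sample(today=date(2026, 2, 22)):
    return enforce_retention(SAMPLE_RECORDS, today)


if __name__ == "__main__":
    kept, deleted, anonymised, unscheduled = run_sample()
    print("kept:", [r.record_id for r in kept])
    print("deleted:", deleted)
    print("anonymised:", anonymised)
    print("no schedule (review!):", unscheduled)
```

Two design choices matter here. Anonymisation works from an allow-list, so a field added to the analytics pipeline next quarter is dropped unless someone deliberately decides it is safe to keep. And an unknown category is surfaced rather than silently kept forever, which is the usual way "just in case" data accumulates. Whether the reduced rows are truly anonymous (Recital 26) still depends on whether the remaining fields can single someone out; for small populations, coarsen further or drop the row.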
6. Integrity and Confidentiality (Security)
Implement appropriate technical and organisational measures to protect data
Protect against unauthorised or unlawful processing, accidental loss, destruction, or damage
Security must be proportionate to the risk involved
7. Accountability
The controller must demonstrate compliance with all six principles above
Requires documentation, policies, procedures, training records, and ongoing monitoring
This is not just about being compliant — it is about being able to prove it
Six Lawful Bases for Processing
Article 6 requires at least one lawful basis for every processing activity. Choosing the correct basis is critical — it affects which rights data subjects have and what obligations apply.
| Lawful basis | Description | Key requirement |
|---|---|---|
| Consent | The individual has given consent to processing for one or more specific purposes | Must be freely given, specific, informed, unambiguous; easy to withdraw |
| Contract | Necessary to fulfil a contract with the individual, or to take steps at their request before entering into one | Processing must be strictly necessary, not merely useful |
| Legal obligation | Required by EU or member state law | Must identify the specific legal provision |
| Vital interests | To protect someone's life | Only when no other basis is available; emergency use |
| Public task | Necessary for a task in the public interest or in the exercise of official authority | Must have a basis in law |
| Legitimate interests | Interests of the controller or a third party that are not overridden by the individual's interests, rights and freedoms | Requires a documented three-part balancing test (LIA); not available to public authorities for their public tasks |
Consent in Practice
Valid consent under GDPR requires all five elements:
Freely given — genuine choice with no detriment for refusing
Specific — separate consent for each distinct purpose
Informed — clear explanation of what is being consented to
Unambiguous — requires clear affirmative action (no pre-ticked boxes)
Withdrawable — must be as easy to withdraw as it was to give
Common mistake: Many organisations default to consent when another basis (such as legitimate interests or contract) would be more appropriate. This creates unnecessary administrative burden and the risk of losing the legal basis if consent is withdrawn.
Legitimate Interests Assessment (LIA)
Legitimate interests is the most flexible basis but requires a documented three-part test:
Purpose test — Is there a genuine legitimate interest? (e.g., fraud prevention, network security, direct marketing)
Necessity test — Is the processing necessary for that interest? Could the purpose be achieved less intrusively?
Balancing test — Do the individual's interests, rights, or freedoms override the legitimate interest?
Special Categories of Personal Data
Article 9 provides extra protections for sensitive data. Processing is prohibited by default unless a specific Article 9(2) condition applies in addition to an Article 6 lawful basis.
The Nine Special Categories

| Category | Examples |
|---|---|
| Racial or ethnic origin | Ethnicity fields, photos revealing race |
| Political opinions | Party membership, voting records |
| Religious or philosophical beliefs | Religious affiliation, dietary restrictions indicating belief |
| Trade union membership | Union records, payroll deductions |
| Genetic data | DNA samples, genetic test results |
| Biometric data (processed to uniquely identify a person) | Fingerprints, facial recognition templates |
| Health data | Medical records, sick leave, disability status |
| Sex life | Sexual health records |
| Sexual orientation | Relationship status where it reveals orientation |
Article 9(2) conditions include: explicit consent, employment law obligations, vital interests, legitimate activities of non-profit bodies, data manifestly made public by the individual, legal claims, substantial public interest, healthcare, public health, and archiving/research/statistics.
Data Subject Rights
GDPR grants individuals eight comprehensive rights over their personal data. Organisations must respond to requests within one month (extendable by two months for complex or numerous requests).
| Right | Article | Key Points |
|---|---|---|
| Right to be informed | 13-14 | Provide clear privacy notices at the point of collection (Article 13) or, for data obtained from another source, within one month (Article 14) |
| Right of access | 15 | Provide a copy of the personal data and details of the processing |
| Right to rectification | 16 | Correct inaccurate data; complete incomplete data |
| Right to erasure | 17 | Delete data when no longer necessary, consent is withdrawn, or processing is unlawful |
| Right to restriction | 18 | Limit processing while accuracy is contested or processing is unlawful |
| Right to data portability | 20 | Provide data in a structured, commonly used, machine-readable format; transmit to another controller where technically feasible |
| Right to object | 21 | Object to processing based on legitimate interests or public task; absolute right for direct marketing |
| Automated decision-making | 22 | Right not to be subject to solely automated decisions with legal or similarly significant effects |
Important: The right to erasure is not absolute. Exceptions include: compliance with legal obligations, exercising or defending legal claims, public health, and archiving/research in the public interest.
Handling Data Subject Requests (DSARs)
Organisations should implement a structured process:
Receive — provide clear channels for requests (email, form, in-person)
Verify — confirm the requester's identity without collecting excessive data
Assess — determine which right is being exercised and any exemptions
Action — fulfil the request within one month
Document — record the request, your response, and reasoning
Data Protection Officer (DPO)
When Is a DPO Mandatory?
Article 37 requires appointment of a DPO when:
The organisation is a public authority or body
Core activities consist of processing requiring regular and systematic monitoring of individuals on a large scale
Core activities consist of large-scale processing of special categories of data or criminal conviction data
Public authorities or bodies include, for example, government agencies, public hospitals and universities. "Core activities" means processing that is inherent to achieving the organisation's objectives, not ancillary functions such as staff payroll or IT support.

DPO Responsibilities (Article 39)
Inform and advise the organisation on GDPR obligations
Monitor compliance including staff awareness and training
Advise on Data Protection Impact Assessments
Act as contact point for the supervisory authority
Act as contact point for data subjects
Learn more: Read our dedicated Data Protection Officer guide for detailed qualification requirements, independence rules, and structuring the DPO function.
Data Protection Impact Assessment (DPIA)
Article 35 requires a DPIA before processing that is likely to result in high risk to individuals' rights and freedoms.
When Is DPIA Mandatory?
Systematic and extensive profiling with significant effects
Large-scale processing of special categories or criminal data
Systematic monitoring of a publicly accessible area on a large scale
Any processing on the supervisory authority's mandatory DPIA list
DPIA Process
| Step | Description |
|---|---|
| 1. Describe processing | Nature, scope, context, and purposes of the processing |
| 2. Assess necessity | Is the processing necessary and proportionate to the purpose? |
| 3. Identify risks | What are the risks to individuals' rights and freedoms? |
| 4. Identify measures | What measures mitigate the identified risks? |
| 5. Document | Record the assessment, decisions, and outcomes |
| 6. Review | Revisit the DPIA when the processing changes significantly |
If the DPIA reveals high residual risk that cannot be mitigated, you must consult the supervisory authority (Article 36) before proceeding.
Learn more: Read our dedicated Privacy Impact Assessment Guide for step-by-step DPIA methodology, EDPB criteria, real-world examples, and template guidance.
Data Breach Notification
What Constitutes a Personal Data Breach?
A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data. This includes:
Confidentiality breach — unauthorised access or disclosure (e.g., email sent to wrong recipient, hacking)
Integrity breach — unauthorised alteration (e.g., data corruption, ransomware encryption)
Availability breach — loss of access (e.g., accidental deletion, system outage affecting data)
Notification Requirements
| Obligation | Timeline | Threshold |
|---|---|---|
| Internal detection and assessment | Immediately upon awareness | All suspected breaches |
| Supervisory authority notification (Article 33) | Within 72 hours of becoming aware | Unless the breach is unlikely to result in a risk to individuals |
| Data subject notification (Article 34) | Without undue delay | When the breach is likely to result in a high risk to individuals |
| Internal documentation (Article 33(5)) | Ongoing | All breaches, including non-reportable ones |
The 72-hour clock: Starts when the organisation becomes "aware" of the breach, meaning when there is a reasonable degree of certainty that a security incident has compromised personal data. This is why clear detection and escalation procedures are critical. Where full details are not yet available, Article 33(4) allows the information to be provided in phases, so an incomplete initial notification is preferable to a late one.
What to Include in a Notification
Notification to the supervisory authority must include:
Nature of the breach (categories and approximate number of data subjects and records)
Name and contact details of the DPO or other contact point
Likely consequences of the breach
Measures taken or proposed to address and mitigate the breach
International Data Transfers
GDPR restricts transfers of personal data outside the EU/EEA to ensure protection travels with the data.
Transfer Mechanisms
| Mechanism | Description | Examples |
|---|---|---|
| Adequacy decision (Article 45) | European Commission determines that the country or framework provides an essentially equivalent level of protection | Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Isle of Man, Israel, Japan, Jersey, New Zealand, South Korea, Switzerland, United Kingdom, Uruguay, and United States organisations certified under the EU-US Data Privacy Framework |
| Standard Contractual Clauses (SCCs) (Article 46(2)(c)) | Pre-approved contractual terms adopted by the Commission | Most common mechanism for transfers to countries without an adequacy decision |
| Binding Corporate Rules (BCRs) (Article 47) | Approved internal policies for intra-group transfers | Large multinationals with centralised data processing |
| Derogations (Article 49) | Limited exceptions for specific situations, not for systematic transfers | Explicit consent, contract necessity, important public interest, legal claims, vital interests |
Transfer Impact Assessment (TIA)
For SCCs and BCRs, the Schrems II decision (C-311/18) requires organisations to:
Assess the laws of the destination country
Determine if they undermine the protection provided by the transfer mechanism
Implement supplementary measures if needed (encryption, pseudonymisation, contractual guarantees)
Suspend the transfer if adequate protection cannot be ensured
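Pseudonymisation is named above as a supplementary measure, and in the Integrity and Confidentiality principle as a security measure, but it only helps if the "additional information" needed to re-identify people (Article 4(5)) genuinely stays with the EU controller. The following is an added example, not code from the original article, contrasting the common mistake of hashing identifiers with a plain unkeyed hash against a keyed (HMAC) token whose key and reversal table never leave the controller. The records, candidate e-mail list and fixed key are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets


def naive_pseudonym(identifier: str) -> str:
    """Weak: an unkeyed hash. Anyone holding a list of candidate identifiers
    (e.g. a leaked e-mail list) can recompute it and undo the 'pseudonymisation'."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """Stronger: HMAC-SHA256 under a secret key. Without the key the token cannot
    be recomputed, so the key is the 'additional information' of Article 4(5)
    and must be stored separately from the exported dataset."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def dictionary_attack(tokens, candidates, fn):
    """Model the importer (or an attacker) trying to re-identify tokens by
    recomputing fn over a candidate list. Returns {token: identifier} for hits."""
    table = {fn(c): c for c in candidates}
    return {t: table[t] for t in tokens if t in table}


class Pseudonymiser:
    """Controller-side component kept in the EU. Holds the HMAC key and the
    reversal table; only the output of export() leaves the EU."""

    def __init__(self, key=None):
        self._key = key if key is not None else secrets.token_bytes(32)
        self._reverse = {}

    def export(self, records):
        """Replace the direct identifier with a keyed token; keep the mapping here."""
        exported = []
        for rec in records:
            token = keyed_pseudonym(rec["email"], self._key)
            self._reverse[token] = rec["email"]
            exported.append({"subject": token, **{k: v for k, v in rec.items() if k != "email"}})
        return exported

    def reidentify(self, token: str):
        """Only the controller, holding the table, can map a token back to a person."""
        return self._reverse.get(token)


# Constructed sample data for the demonstration (not real people).
SAMPLE_RECORDS = [
    {"email": "anna@example.com", "plan": "pro", "country": "DE"},
    {"email": "bob@example.org", "plan": "free", "country": "FR"},
]
# What an attacker or importer might plausibly hold: a list of candidate addresses.
CANDIDATE_EMAILS = ["anna@example.com", "bob@example.org", "carol@example.net"]


def demo(key=None):
    """Return (naive_hits, keyed_hits, exported, roundtrip_ok) for the sample data."""
    naive_tokens = [naive_pseudonym(r["email"]) for r in SAMPLE_RECORDS]
    naive_hits = dictionary_attack(naive_tokens, CANDIDATE_EMAILS, naive_pseudonym)

    ps = Pseudonymiser(key)
    exported = ps.export(SAMPLE_RECORDS)
    keyed_tokens = [row["subject"] for row in exported]
    # The attacker does not hold ps._key; the best they can do is guess keys.
    keyed_hits = dictionary_attack(
        keyed_tokens, CANDIDATE_EMAILS,
        lambda e: keyed_pseudonym(e, secrets.token_bytes(32)))
    roundtrip_ok = all(ps.reidentify(row["subject"]) == rec["email"]
                       for row, rec in zip(exported, SAMPLE_RECORDS))
    return naive_hits, keyed_hits, exported, roundtrip_ok


if __name__ == "__main__":
    naive_hits, keyed_hits, exported, ok = demo()
    print("unkeyed hash re-identified:", len(naive_hits), "of", len(SAMPLE_RECORDS))
    print("keyed HMAC re-identified:  ", len(keyed_hits), "of", len(SAMPLE_RECORDS))
    print("exported rows carry no e-mail:", all("email" not in row for row in exported))
    print("controller can reverse:", ok)
```

Two caveats a practitioner should keep in mind. Pseudonymised data is still personal data (Recital 26), so the SCCs and the TIA are still required; the measure reduces what the importer and any authority in the destination country can learn, it does not take the transfer out of scope. And a keyed token is deliberately consistent across rows, which preserves the linkability analytics needs but also lets the importer build a profile per token; if cross-export linkability is not needed, derive a fresh key per export.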
Learn more: Read our dedicated Standard Contractual Clauses Guide for detailed SCC module selection, Transfer Impact Assessment methodology, and supplementary measures guidance.
GDPR Compliance Checklist
A structured approach to achieving and maintaining compliance:
Phase 1: Foundation
Assign data protection responsibilities at board/leadership level
Appoint a Data Protection Officer if required (Article 37)
Fines and Enforcement
Two Tiers of Administrative Fines (Article 83)

| Tier | Maximum fine | Infringements covered |
|---|---|---|
| Lower tier (Article 83(4)) | EUR 10 million or 2% of total worldwide annual turnover, whichever is higher | Obligations of controllers and processors (Articles 8, 11, 25-39, 42, 43), certification bodies (Article 43) and monitoring bodies (Article 41(4)) |
| Upper tier (Article 83(5)) | EUR 20 million or 4% of total worldwide annual turnover, whichever is higher | Processing principles (Article 5); lawful basis (Article 6); consent (Article 7); special categories (Article 9); data subject rights (Articles 12-22); international transfers (Articles 44-49); non-compliance with a supervisory authority order (Article 58) |
Factors Affecting Fine Amounts
Supervisory authorities consider (Article 83(2)):
Nature, gravity, and duration of the infringement
Intentional or negligent character
Actions taken to mitigate damage to data subjects
Technical and organisational measures in place
Previous infringements
Cooperation with the supervisory authority
Categories of personal data affected
How the infringement became known to the authority
Adherence to approved codes of conduct or certifications
Other Enforcement Powers
Beyond fines, supervisory authorities can:
Issue warnings and reprimands
Order compliance with data subject requests
Impose temporary or permanent processing bans
Suspend data flows to third countries
Order rectification, restriction, or erasure of data
Data subjects can also claim compensation for both material damage (financial loss) and non-material damage (distress, reputational harm) under Article 82.
Largest GDPR Fines to Date
| Year | Organisation | Fine (EUR) | Violation | Authority |
|---|---|---|---|---|
| 2023 | Meta (Facebook) | 1,200,000,000 | Unlawful transfer of personal data to the US without adequate safeguards | Ireland DPC |
| 2021 | Amazon | 746,000,000 | Non-compliant advertising targeting system | Luxembourg CNPD |
| 2025 | TikTok | 530,000,000 | Transfers of EEA user data to China without adequate safeguards; transparency failures | Ireland DPC |
| 2022 | Meta (Instagram) | 405,000,000 | Processing children's data, making contact info of minors public | Ireland DPC |
| 2023 | Meta (Facebook and Instagram) | 390,000,000 | Relying on contract as the lawful basis for behavioural advertising | Ireland DPC |
| 2023 | TikTok | 345,000,000 | Children's data: public-by-default accounts and transparency failures | Ireland DPC |
| 2024 | LinkedIn | 310,000,000 | Lack of valid consent and lawful basis for behavioural advertising | Ireland DPC |
| 2024 | Uber | 290,000,000 | Transferring driver data to the US without adequate safeguards | Netherlands AP |
| 2022 | Meta (Facebook) | 265,000,000 | Failure to protect user data from scraping (data breach) | Ireland DPC |
| 2024 | Meta (Facebook) | 251,000,000 | 2018 access-token breach: security by design and breach notification failures | Ireland DPC |
| 2021 | Meta (WhatsApp) | 225,000,000 | Insufficient transparency about data sharing with Facebook | Ireland DPC |
| 2022 | Google | 150,000,000 | Misleading cookie consent design (dark patterns) | France CNIL |
| 2020 | H&M | 35,000,000 | Excessive employee surveillance | Hamburg DPA |
| 2020 | British Airways | 22,000,000 (GBP 20 million) | Insufficient security measures leading to a data breach | UK ICO |

Note: The CNIL cookie fine against Google was imposed under the French law implementing the ePrivacy Directive rather than under GDPR itself, but it is routinely counted alongside GDPR fines. The British Airways fine was set in pounds sterling; the EUR figure is approximate.
Pattern: The majority of the largest fines involve big tech companies, but SMEs are not immune. Supervisory authorities have also fined small businesses, healthcare providers, and public authorities. The message is clear — no organisation is below the enforcement threshold.
Common Compliance Mistakes
1. Defaulting to Consent When Another Basis Applies
Problem: Using consent as the default lawful basis when processing is actually necessary for contract performance or legitimate interests.
Why it matters: If consent is withdrawn, you lose the legal basis to process — potentially disrupting services you could have lawfully continued under another basis.
Solution: Conduct a lawful basis assessment for each processing activity before collection begins.
2. Privacy Notices That Nobody Reads
Problem: Privacy notices that are excessively long, filled with legal jargon, or hidden behind multiple clicks.
Solution: Use layered notices — a short summary with the essential information upfront, with links to the full details. Use plain language. Test readability.
3. Ignoring Processor Oversight
Problem: Signing a DPA with a processor and then never monitoring their compliance.
Solution: Implement a vendor risk management programme with regular assessments, audit rights in contracts, and documented reviews.
4. Missing the 72-Hour Breach Window
Problem: No clear internal escalation process, leading to delayed breach detection and missed notification deadlines.
Solution: Create a breach response plan with defined roles, escalation paths, assessment criteria, and template notifications. Run tabletop exercises.
5. No Record of Processing Activities
Problem: No Article 30 register, making it impossible to demonstrate compliance or respond to supervisory authority inquiries.
Solution: Build and maintain a comprehensive ROPA. Review it quarterly. Make it a living document, not a one-time exercise.
6. Treating Compliance as a One-Time Project
Problem: Conducting a compliance project, filing the documents, and never revisiting them.
Solution: Embed data protection into ongoing business processes. Schedule annual audits, regular training refreshers, and policy reviews tied to business changes.
GDPR and Other EU Regulations
GDPR does not exist in isolation. It intersects with several other EU regulations that organisations may need to comply with simultaneously.
| Regulation | Relationship to GDPR | Key Overlap |
|---|---|---|
| NIS2 (EU 2022/2555) | Complementary: NIS2 covers cybersecurity of essential and important entities; GDPR covers data protection | Security of processing (Article 32); incident and breach notification; risk management |
| DORA (EU 2022/2554) | Complementary: DORA covers ICT resilience for financial entities | ICT risk management; incident reporting; oversight of third-party ICT providers, who are often also processors |
| ePrivacy Directive (2002/58/EC) | Lex specialis: its rules for electronic communications take precedence over GDPR where they apply | Cookies, direct marketing, confidentiality of communications |
| AI Act (EU 2024/1689) | Complementary: regulates AI systems by risk class; GDPR applies whenever those systems process personal data | Automated decision-making and profiling (Article 22); DPIAs for high-risk systems; governance of training data |
| CSRD | Parallel: covers sustainability reporting | ESG data may include personal data of employees and stakeholders |
Strategic advantage: Organisations that build a unified compliance framework addressing GDPR, NIS2, and DORA together can achieve significant efficiencies. Learn more about our integrated compliance approach.
FAQ
How much does GDPR compliance cost?
Costs vary enormously depending on organisation size, complexity, and current maturity. An SME might invest EUR 10,000-50,000 for initial compliance; large enterprises typically spend EUR 500,000-5,000,000+. Ongoing costs include DPO salary or outsourcing (EUR 30,000-100,000/year), annual audits, training, and tool licensing. The cost of non-compliance is invariably higher.
Does GDPR apply to small businesses?
Yes, GDPR applies to all organisations that process EU personal data, regardless of size. However, organisations with fewer than 250 employees are exempt from the Article 30 record-keeping obligation (Article 30(5)) unless their processing is likely to result in a risk to individuals, is not occasional, or includes special categories or criminal conviction data. In practice the "not occasional" limb (routine HR or customer processing) brings most organisations back within scope.
Do I need a DPO?
A DPO is mandatory if you are a public authority, if your core activities involve large-scale systematic monitoring, or if you process special categories of data on a large scale. Even if not mandatory, many organisations appoint a DPO voluntarily or use outsourced DPO services as a best practice.
What is the difference between a controller and a processor?
A controller decides why and how personal data is processed. A processor processes data on behalf of and under instructions from the controller. Many organisations are controllers for some processing activities and processors for others.
Can I transfer personal data outside the EU?
Yes, but you must use an approved transfer mechanism: adequacy decision, Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), or a derogation under Article 49. Since the Schrems II ruling, you must also conduct a Transfer Impact Assessment to verify the destination country's laws provide adequate protection.
What should I do if we have a data breach?
Contain the breach immediately
Assess the risk to individuals
Notify the supervisory authority within 72 hours (unless unlikely to result in risk)
Notify affected individuals without undue delay if high risk
Document the breach, your assessment, and actions taken
Review and improve your security measures
How often should we audit GDPR compliance?
At minimum, conduct a full compliance audit annually. Additionally, review compliance whenever there are significant changes to processing activities, systems, or business operations. Continuous monitoring through automated tools is becoming best practice.
Is GDPR certification possible?
GDPR itself provides for approved certification mechanisms (Articles 42-43). The ecosystem is still maturing: the first EDPB-approved European Data Protection Seal, Europrivacy, was adopted in 2022, and national schemes exist in some member states. ISO 27701 (privacy information management) is widely used to demonstrate GDPR compliance capability, particularly when combined with ISO 27001, but it is a management-system standard rather than an Article 42 certification and does not carry the legal effects of one.
Conclusion
GDPR compliance is not a one-time project — it is an ongoing programme that requires continuous attention, regular audits, and cultural commitment. The organisations that succeed embed data protection into their daily operations rather than treating it as a checkbox exercise.
The return on investment is substantial. Beyond avoiding fines, a strong GDPR compliance programme builds customer trust, improves data quality, reduces security incidents, strengthens vendor relationships, and creates competitive advantage in privacy-conscious markets.
Key success factors:
Leadership commitment — data protection as a board-level priority
Clear accountability — defined roles, documented responsibilities
Systematic approach — ROPA, DPIAs, retention schedules, and regular audits
Staff awareness — ongoing training and a privacy-first culture
Proactive monitoring — regulatory updates, enforcement trends, and technology changes
Need support with GDPR compliance? Vision Compliance helps organisations build and maintain effective data protection programmes — from initial gap analysis to ongoing DPO services.
Ivana Ludiga, mag. iur., is an Associate at Vision Compliance focused on data protection, GDPR implementation, and regulatory advisory. She supports compliance projects for organizations across healthcare, financial services, and technology sectors.