What is GDPR compliance?
The EU's privacy law reaches far beyond Europe. Here is what it requires and who it applies to.
The General Data Protection Regulation (GDPR) is the European Union's data protection law. It governs how organisations process the personal data of individuals in the EU and EEA, and it applies extraterritorially: if you offer goods or services to, or monitor, people in the EU, it can apply to you wherever you are based.
GDPR is strict and its penalties are large, up to the greater of 20 million euros or 4 percent of global annual turnover. This guide covers the essentials and how to approach compliance.
- Applies to anyone processing personal data of people in the EU/EEA, including organisations outside Europe.
- You need a lawful basis to process personal data, and must honour data subject rights.
- Personal data breaches must generally be reported to the regulator within 72 hours.
- Penalties reach up to the greater of 20 million euros or 4 percent of global turnover.
Key roles and principles
GDPR distinguishes the controller (who decides why and how data is processed) from the processor (who processes on the controller's behalf). Processing must follow core principles: lawfulness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, and security.
Rights and obligations
GDPR grants individuals strong rights and places duties on organisations:
- Data subject rights: access, rectification, erasure, portability, and objection.
- A lawful basis (such as consent or legitimate interest) for every processing activity.
- Breach notification to the supervisory authority, generally within 72 hours.
- Data Protection Impact Assessments (DPIAs) for high-risk processing.
- A Data Protection Officer where required, and records of processing.
How to approach compliance
Map your personal data: what you collect, why, where it lives, and who you share it with. Fix your lawful bases and notices, enable data subject rights, and put security safeguards in place, since GDPR explicitly requires appropriate security of personal data.
A breach is a GDPR event with a tight reporting clock, so detection, external exposure monitoring, and third-party oversight are core to staying compliant.
Frequently asked questions
Start your GDPR readiness
A breach is a 72-hour clock. See where personal data is exposed with a free check.
Run a free check