GDPR Compliance Guide: Everything EU Businesses Need to Know

A comprehensive reference covering the key principles, obligations, individual rights and enforcement framework of the General Data Protection Regulation — in plain English.

EU digital privacy regulatory reference
[Infographic: the seven Article 5 principles. 01 Lawfulness, fairness and transparency: process data legally, fairly and openly. 02 Purpose limitation: collect for specified, explicit purposes only. 03 Data minimisation: collect only what is necessary. 04 Accuracy: keep data accurate and up to date. 05 Storage limitation: retain no longer than necessary. 06 Integrity and confidentiality: secure against breach and loss. 07 Accountability: demonstrate compliance.]

Source: GDPR Article 5 — Principles relating to processing of personal data

What Is GDPR?

The General Data Protection Regulation (Regulation (EU) 2016/679) is the primary data protection law of the European Union. It came into effect on 25 May 2018, replacing the 1995 Data Protection Directive and unifying data protection rules across all EU member states into a single, directly applicable legal framework.

GDPR applies extraterritorially: any organisation anywhere in the world that processes personal data of EU residents in connection with offering goods or services to them — or monitoring their behaviour within the EU — is subject to its requirements. This means a company based in the United States, Japan or Australia may have GDPR obligations even without an EU office.

The regulation's dual goals are to strengthen individuals' rights over their personal data and to create a consistent regulatory environment across the EU's single market. It achieved both through a combination of enhanced rights for data subjects, strengthened obligations for organisations, and a significantly expanded enforcement regime.

Core Concepts and Definitions

Personal Data

Personal data is "any information relating to an identified or identifiable natural person." This definition is intentionally broad and covers not just obvious identifiers like names and ID numbers, but also location data, online identifiers (IP addresses, cookie IDs, device fingerprints), and "factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity" of an individual.

Crucially, data is personal even when indirect — an IP address alone identifies a device and, in most circumstances, a specific person. Pseudonymised data remains personal data under GDPR, because re-identification is theoretically possible. Only truly anonymised data — where re-identification is genuinely impossible — falls outside the regulation's scope.

Special Categories of Personal Data

Article 9 identifies categories of particularly sensitive personal data that warrant additional protection:

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic data
  • Biometric data (where used to uniquely identify a person)
  • Data concerning health
  • Data concerning a person's sex life or sexual orientation

Processing special categories of data is prohibited by default, subject to specific exceptions — including explicit consent, employment law obligations, and vital interests.

Controllers and Processors

GDPR distinguishes between two types of organisation involved in data processing:

  • A controller determines the purposes and means of processing personal data — they decide why and how data is processed
  • A processor processes personal data on behalf of a controller, following the controller's instructions

The distinction matters because it determines which obligations apply. Controllers bear primary legal responsibility; processors have specific obligations under Article 28 and may be directly liable for certain violations. Both must enter into a data processing agreement when the processor handles data on the controller's behalf.

The Six Lawful Bases for Processing

Every processing activity must have a valid legal basis under Article 6. There are six options:

1. Consent (Article 6(1)(a))

The data subject has given consent that is freely given, specific, informed and unambiguous. Consent must be an affirmative action — pre-ticked boxes and inaction do not constitute consent. Individuals must be able to withdraw consent as easily as they gave it. Consent is often not the most appropriate basis for business processing activities.

2. Contract (Article 6(1)(b))

Processing is necessary for the performance of a contract with the data subject, or to take steps at their request before entering into a contract. Sending a delivery confirmation email to a customer, or processing payment details to fulfil an order, typically falls under this basis.

3. Legal Obligation (Article 6(1)(c))

Processing is necessary to comply with a legal requirement to which the controller is subject. Retaining employee tax records, reporting suspicious transactions under anti-money-laundering law, or maintaining accounting records all fall under this basis.

4. Vital Interests (Article 6(1)(d))

Processing is necessary to protect the vital interests of the data subject or another person. This is an emergency basis applicable where the person cannot consent — for example, disclosing medical history to treating clinicians when the patient is unconscious.

5. Public Task (Article 6(1)(e))

Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority. Primarily relevant to public sector bodies and organisations exercising statutory functions.

6. Legitimate Interests (Article 6(1)(f))

Processing is necessary for the purposes of a controller's (or third party's) legitimate interests, except where these are overridden by the fundamental rights and freedoms of the data subject. This requires a three-part balancing test: identify the legitimate interest, demonstrate the necessity of the processing, and balance the interest against the impact on individuals. This basis cannot be used by public authorities in the exercise of their tasks.

The Seven Key Principles (Article 5)

All personal data processing must comply with the seven principles set out in Article 5:

  1. Lawfulness, fairness and transparency — processing must have a legal basis, not disadvantage individuals unfairly, and be transparent about how data is used
  2. Purpose limitation — data must be collected for specified, explicit and legitimate purposes and not processed in ways incompatible with those purposes
  3. Data minimisation — only data that is adequate, relevant and limited to what is necessary for the purpose should be collected
  4. Accuracy — personal data must be accurate and, where necessary, kept up to date; inaccurate data must be erased or corrected
  5. Storage limitation — data should be kept in a form permitting identification no longer than is necessary for the purposes
  6. Integrity and confidentiality — data must be protected against unauthorised or unlawful processing, accidental loss, destruction or damage through appropriate technical and organisational measures
  7. Accountability — controllers must be able to demonstrate compliance with all the above principles

Data Subject Rights

GDPR grants individuals eight rights in relation to their personal data. Controllers must be equipped to handle and respond to rights requests within one calendar month. A full explanation of each right is available in our EU data subject rights guide.

  • Right of access (Article 15)
  • Right to rectification (Article 16)
  • Right to erasure / "right to be forgotten" (Article 17)
  • Right to restriction of processing (Article 18)
  • Right to data portability (Article 20)
  • Right to object (Article 21)
  • Rights related to automated decision-making and profiling (Article 22)
  • Right to withdraw consent (Article 7(3))

Obligations for Data Controllers

Privacy by Design and Default

Article 25 requires controllers to implement data protection measures from the outset of system design ("privacy by design") and to ensure that, by default, only personal data necessary for each specific purpose is processed ("privacy by default"). Read our dedicated guide on privacy by design.

Records of Processing Activities

Article 30 requires controllers with 250 or more employees — and smaller organisations if processing is not occasional or poses specific risks — to maintain written records of all processing activities. These records must include the purposes of processing, categories of data, retention periods, security measures, and international transfer safeguards.

Data Protection Impact Assessments

Article 35 requires a Data Protection Impact Assessment (DPIA) before processing that is likely to result in a high risk to individuals. DPIAs are mandatory for systematic profiling at large scale, large-scale processing of special categories of data, and systematic monitoring of publicly accessible areas. Supervisory authorities publish lists of processing operations that require DPIAs.

Data Protection Officers

Article 37 makes a DPO mandatory for public authorities, organisations carrying out large-scale systematic monitoring of individuals, and organisations processing special categories of data at large scale. Voluntary appointment is permissible for any organisation. DPOs must be independent, expert in data protection law, and report to the highest management level.

Data Breach Notification

A personal data breach must be notified to the supervisory authority within 72 hours of discovery, unless it is unlikely to result in a risk to individuals. High-risk breaches must also be communicated to affected individuals without undue delay. See our full data breach notification guide.

International Data Transfers

Transferring personal data outside the EEA (European Economic Area) is restricted. Transfers are permitted where the destination country has an adequacy decision from the European Commission, or where appropriate safeguards are in place — most commonly Standard Contractual Clauses (SCCs), Binding Corporate Rules, or (for transfers to the US) the EU-US Data Privacy Framework.

Enforcement and Fines

GDPR created a two-tier fine structure:

  • Lower tier — up to €10 million or 2% of total global annual turnover (whichever is higher) for violations of organisational requirements (records of processing, processor contracts, DPIAs, etc.)
  • Higher tier — up to €20 million or 4% of total global annual turnover (whichever is higher) for the most serious violations, including breaches of the basic principles, data subject rights, and international transfer rules

Major enforcement actions since GDPR came into force include:

  • Meta (Ireland, 2023) — €1.2 billion for unlawful data transfers from the EU to the US
  • Amazon (Luxembourg, 2021) — €746 million for processing personal data without a valid legal basis
  • WhatsApp (Ireland, 2021) — €225 million for transparency failures
  • Google (France, 2019) — €50 million for lack of transparency and valid consent for personalised advertising

Fines are not the only sanction. Supervisory authorities can also issue warnings, reprimands, temporary processing bans, and orders to comply with data subject rights requests.

How to Achieve GDPR Compliance: A Framework

A structured approach to GDPR compliance typically involves the following steps:

  1. Audit your data — map every type of personal data you collect, why you collect it, how it flows through your systems, and where it goes
  2. Identify your legal bases — document the legal basis for each processing activity
  3. Update your privacy notices — ensure every data collection point has an accessible, compliant privacy notice
  4. Review and implement consent mechanisms — where consent is your legal basis, ensure it meets GDPR standards
  5. Establish rights-handling procedures — put processes in place to receive and respond to data subject rights requests within the required timeframes
  6. Review third-party processor contracts — sign Data Processing Agreements with every vendor that processes personal data on your behalf
  7. Implement appropriate security — proportionate technical and organisational measures to protect data from breach
  8. Create a breach response plan — prepare for incidents with a documented plan before they happen
  9. Appoint a DPO if required — or a designated internal point of contact for data protection
  10. Document everything — accountability requires being able to demonstrate compliance, not just achieve it

For a step-by-step checklist tailored to smaller organisations, see our GDPR for small business guide.

Frequently Asked Questions

What is GDPR?

GDPR (General Data Protection Regulation, EU 2016/679) is the primary data protection law of the European Union, in force since 25 May 2018. It sets out rules for how organisations collect, use and protect personal data of EU residents.

Who does GDPR apply to?

Any organisation that processes personal data of EU residents in connection with offering goods or services to them, or monitoring their behaviour within the EU — regardless of where the organisation is based.

What is personal data under GDPR?

Any information relating to an identified or identifiable living individual: names, email addresses, IP addresses, location data, cookie identifiers, and any other data that can be used — alone or in combination — to identify a person.

What are the maximum GDPR fines?

Up to €20 million or 4% of global annual turnover (whichever is higher) for the most serious violations. Lower-tier violations attract fines of up to €10 million or 2% of global annual turnover.

Do I need consent to process personal data under GDPR?

Not necessarily. Consent is one of six lawful bases. Depending on the activity, contract, legal obligation or legitimate interests may be more appropriate. Consent is often not the best choice for routine business processing.

What is a Data Processing Agreement?

A legally required contract between a data controller and a data processor, specifying what the processor can do with personal data on the controller's behalf, their security obligations, and their duty to assist with rights requests and audits.

How long do I have to respond to a data subject access request?

One calendar month from receipt of the request. In complex cases or where multiple requests have been submitted simultaneously, this can be extended by a further two months, with notification to the individual within the first month.

What is a Data Protection Officer and do I need one?

A DPO is an independent expert in data protection law who advises the organisation and monitors compliance. Appointment is mandatory for public authorities, organisations doing large-scale systematic monitoring, and those processing special categories at large scale. Others may appoint voluntarily.

Does GDPR apply after Brexit?

The UK has its own version of GDPR (UK GDPR), substantively equivalent to EU GDPR. EU GDPR continues to apply to UK organisations that process data of EU residents. Transfers between the EU and UK are covered by an adequacy decision.

What is the difference between a controller and a processor?

A controller decides the purposes and means of processing; they bear primary legal responsibility. A processor processes data on behalf of and under the instructions of a controller. Both have GDPR obligations, but the controller is ultimately accountable.

What is a Data Protection Impact Assessment?

A DPIA is a structured risk assessment required before processing that is likely to result in high risk to individuals — including large-scale profiling, processing of special categories at scale, and systematic monitoring of public areas.

Can I transfer personal data outside the EU?

Yes, but only to countries with an adequacy decision, or with appropriate safeguards such as Standard Contractual Clauses, Binding Corporate Rules, or (for the US) the EU-US Data Privacy Framework.

What is meant by "special categories" of personal data?

Data that is inherently more sensitive: health data, biometric data, genetic data, racial or ethnic origin, political opinions, religious beliefs, trade union membership, and data about sex life or sexual orientation. Processing these requires stricter justification.

Does GDPR apply to paper records?

Yes. GDPR applies to all processing of personal data, whether digital or in structured paper filing systems. Unstructured paper records — such as a notebook — are generally outside scope.

What is pseudonymisation and does it exempt data from GDPR?

Pseudonymisation is a technique that replaces directly identifying information with an alias or code. Pseudonymised data is still personal data under GDPR (because re-identification is possible), but its use reduces risk and is encouraged. Only true anonymisation removes data from GDPR scope.

Is there a GDPR register I need to file with?

Most EU member states do not require registration, but organisations must maintain internal Records of Processing Activities. Some national laws retain notification or registration requirements for specific processing types.

What should I do if I receive a data subject access request?

Verify the identity of the requester, gather all personal data you hold about them, prepare a response covering what data you hold, why, how long you keep it and who you share it with, and respond within one calendar month. There is generally no fee for providing this response.