Blog What Is GDPR Who Must Comply Key Requirements Data Subject Rights Cookie Consent DPIAs Explained Fines & Penalties Implementation Steps

What Is GDPR?

The General Data Protection Regulation (GDPR) is the European Union's comprehensive data privacy law, effective since May 25, 2018. It's widely considered the gold standard for privacy regulation worldwide and has inspired similar laws in over 100 countries.

GDPR at a Glance: GDPR gives EU residents control over their personal data and requires organizations to be transparent about data collection, processing, and sharing. It applies to any organization handling EU residents' data — regardless of where the organization is based.

Who Must Comply with GDPR?

GDPR applies to:

  • Controllers: Organizations that determine the purposes and means of processing personal data
  • Processors: Organizations that process data on behalf of controllers
  • Any organization worldwide that offers goods or services to EU residents or monitors their behavior

There's no minimum size threshold. Whether you're a solo entrepreneur or a multinational corporation, if you handle EU residents' data, GDPR applies to you.

Key GDPR Requirements

1. Lawful Basis for Processing

You must have a valid legal basis for collecting and processing personal data. The six lawful bases are:

  • Consent: The individual has given clear consent
  • Contract: Processing is necessary for a contract
  • Legal obligation: Required by law
  • Vital interests: Protecting someone's life
  • Public task: Necessary for public interest
  • Legitimate interests: Your interests don't override individual rights

2. Transparency & Notice

Your privacy policy must be:

  • Written in clear, plain language
  • Easily accessible (not buried in fine print)
  • Comprehensive about what data you collect and why
  • Transparent about third-party sharing
  • Clear about data retention periods

3. Data Minimization

Only collect data that is "adequate, relevant, and limited to what is necessary" for your stated purposes. Don't collect data "just in case" you might need it later.

4. Storage Limitation

Don't keep personal data longer than necessary. Define clear retention periods and delete data when it's no longer needed.

5. Security Measures

Implement "appropriate technical and organizational measures" to protect personal data. This includes encryption, access controls, regular security testing, and incident response plans.

Data Subject Rights Under GDPR

GDPR grants individuals eight fundamental rights:

  1. Right to be informed: Know what data is collected and how it's used
  2. Right of access: Request a copy of your personal data
  3. Right to rectification: Correct inaccurate personal data
  4. Right to erasure: Have your data deleted ("right to be forgotten")
  5. Right to restrict processing: Limit how your data is used
  6. Right to data portability: Receive your data in a machine-readable format
  7. Right to object: Object to processing for marketing or legitimate interests
  8. Rights related to automated decision-making: Not be subject to decisions made solely by algorithms

Under GDPR (as interpreted with the ePrivacy Directive), cookie consent must be:

  • Freely given: No pre-checked boxes or cookie walls that block access
  • Specific: Separate consent for different cookie categories
  • Informed: Clear explanation of what each cookie does
  • Unambiguous: Clear affirmative action (not passive acceptance)
  • Easy to withdraw: Just as easy to opt out as it was to opt in

Data Protection Impact Assessments

A DPIA is required when processing is "likely to result in a high risk" to individuals. You need a DPIA for:

  • Systematic and extensive profiling
  • Large-scale processing of sensitive data
  • Systematic monitoring of public areas
  • New technologies that may impact rights

GDPR Fines and Penalties

GDPR has teeth. Penalties are structured in two tiers:

Tier 1: Up to €10 million or 2% of global annual turnover

For violations related to: data processing records, security measures, data protection officers, data protection impact assessments, and breach notifications.

Tier 2: Up to €20 million or 4% of global annual turnover

For violations related to: basic processing principles (consent, lawfulness), data subject rights, and international data transfers.

Notable fines include Meta (€1.2 billion), Amazon (€746 million), and TikTok (€345 million). Regulators are increasingly aggressive about enforcement.

GDPR Implementation Checklist

Follow these steps to achieve GDPR compliance:

  1. Data Audit: Map all personal data you collect, process, and store
  2. Legal Basis: Identify the lawful basis for each data processing activity
  3. Privacy Policy: Update your privacy policy to meet transparency requirements
  4. Cookie Consent: Implement a compliant cookie consent mechanism
  5. Data Rights Process: Create procedures for handling data subject requests
  6. Security Measures: Implement appropriate technical and organizational safeguards
  7. Data Processing Agreements: Sign DPAs with all third-party processors
  8. Breach Notification Plan: Prepare to notify authorities within 72 hours
  9. Staff Training: Train all employees on GDPR requirements
  10. Regular Review: Schedule ongoing compliance reviews and updates

GDPR compliance isn't a one-time project — it's an ongoing commitment. But the benefits go beyond avoiding fines: it builds trust with your users and demonstrates that you value their privacy.

Ready to Check a Privacy Policy?

Use our free AI-powered analyzer to see what's in any privacy policy.

Analyze a Policy Free