GDPR Explained: Complete Guide

Everything you need to know about the General Data Protection Regulation and how it affects websites and businesses worldwide.

15 min read Updated April 2026

What Is GDPR?

The General Data Protection Regulation (GDPR) is a comprehensive data protection law enacted by the European Union that came into effect on May 25, 2018. It represents the most significant change in data privacy regulation in decades and has far-reaching implications for businesses worldwide.

GDPR was designed to give EU residents greater control over their personal data and to simplify the regulatory environment for international business by unifying data protection regulations across the EU.

GDPR at a Glance

  • Effective Date: May 25, 2018
  • Jurisdiction: European Union + EEA countries
  • Applies To: Any organization processing EU resident data
  • Maximum Penalty: €20 million or 4% of global annual revenue
  • Key Concept: Consent-based (opt-in) model

Who Does GDPR Apply To?

GDPR applies to two main categories of organizations: those within the EU and those outside the EU that process personal data of EU residents.

Organizations Within the EU

Any organization established in an EU member state that processes personal data must comply with GDPR, regardless of where the actual data processing takes place.

Organizations Outside the EU

Organizations outside the EU must comply with GDPR if they:

  • Offer goods or services to EU residents
  • Monitor the behavior of EU residents within the EU
  • Have a subsidiary or office in an EU member state

Global Impact

GDPR affects businesses worldwide. If your website has visitors from the EU, you likely need to comply with GDPR requirements, even if your business is based in the US, Asia, or elsewhere.

Controllers vs Processors

GDPR distinguishes between two types of organizations:

  • Data Controller: Determines the purposes and means of processing personal data
  • Data Processor: Processes personal data on behalf of the controller

Both have specific obligations under GDPR, with controllers having more responsibility.

GDPR's 7 Key Principles

Article 5 of GDPR establishes the principles that all data processing must follow:

1. Lawfulness, Fairness, and Transparency

Data must be processed lawfully, fairly, and in a transparent manner. Organizations must clearly communicate how they collect and use data.

2. Purpose Limitation

Data must be collected for specified, explicit, and legitimate purposes. It cannot be processed in a manner incompatible with those purposes.

3. Data Minimization

Only collect data that is adequate, relevant, and limited to what is necessary for the stated purposes.

4. Accuracy

Personal data must be accurate and kept up to date. Inaccurate data should be erased or rectified without delay.

5. Storage Limitation

Data should not be kept longer than necessary for the purposes for which it was collected.

6. Integrity and Confidentiality

Data must be processed in a manner that ensures appropriate security, including protection against unauthorized processing, accidental loss, destruction, or damage.

7. Accountability

Organizations must be able to demonstrate compliance with the above principles through documentation and evidence.

Lawful Basis for Processing

Under GDPR, you must have a lawful basis for processing personal data. There are six possible bases:

1. Consent

The data subject has given clear, unambiguous consent for processing their data. Consent must be freely given, specific, informed, and unambiguous.

2. Contract

Processing is necessary for the performance of a contract with the data subject or to take pre-contractual steps at their request.

3. Legal Obligation

Processing is necessary to comply with the law (not including contracts).

4. Vital Interests

Processing is necessary to protect the vital interests of the data subject or another person.

5. Public Task

Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority.

6. Legitimate Interests

Processing is necessary for the legitimate interests of the organization or a third party, unless overridden by the data subject's rights and freedoms.

Choosing a Lawful Basis

For most websites and businesses, consent is the most common lawful basis for activities like marketing emails, analytics, and non-essential cookies. For essential functions like order fulfillment, contract or legitimate interests may apply.

Data Subject Rights Under GDPR

GDPR grants EU residents (data subjects) specific rights that organizations must respect:

1. Right to be Informed

Data subjects have the right to know what data is collected about them and how it's used. This is typically fulfilled through privacy policies and clear notices.

2. Right of Access

Also known as Subject Access Request (SAR). Data subjects can request a copy of their personal data and information about how it's processed.

3. Right to Rectification

Data subjects can request correction of inaccurate or incomplete personal data.

4. Right to Erasure

Also known as the "right to be forgotten." Data subjects can request deletion of their personal data in certain circumstances.

5. Right to Restrict Processing

Data subjects can request that their data be stored but not processed further.

6. Right to Data Portability

Data subjects can request their data in a structured, commonly used, machine-readable format and transfer it to another organization.

7. Right to Object

Data subjects can object to processing based on legitimate interests, direct marketing, or scientific/historical research.

8. Rights Related to Automated Decision-Making

Data subjects have rights regarding decisions made solely by automated processing that significantly affect them.

Business Obligations Under GDPR

Organizations subject to GDPR have several specific obligations:

Privacy Policy Requirements

  • Provide clear, plain-language explanation of data processing
  • Describe categories of data collected
  • Explain lawful basis for processing
  • Identify third parties who receive data
  • Explain data retention periods
  • Describe data subject rights
  • Provide contact information for data protection matters

Consent Management

  • Implement clear consent mechanisms
  • Ensure consent is freely given
  • Allow easy withdrawal of consent
  • Keep records of consent
  • Separate consent from other terms

Data Protection Officer (DPO)

Some organizations are required to appoint a DPO:

  • Public authorities
  • Organizations processing large-scale special category data
  • Organizations monitoring behavior on large scale

Data Breach Response

  • Report breaches to supervisory authority within 72 hours
  • Notify affected individuals when high risk
  • Document all breaches
  • Implement breach detection and response procedures

Data Protection Impact Assessments

Required for high-risk processing, including:

  • Large-scale processing of special categories
  • Systematic monitoring of public area
  • New technologies or large-scale profiling

GDPR Penalties

GDPR provides for significant financial penalties for non-compliance:

Tier 1 Violations

  • Up to €10 million or 2% of global annual revenue (whichever is higher)
  • Applies to: Controller/processor violations, DPO issues, security breach delays

Tier 2 Violations

  • Up to €20 million or 4% of global annual revenue (whichever is higher)
  • Applies to: Principle violations, rights violations, data transfers violations

Real-World Impact

Under Tier 2 penalties, a company with €500 million in global revenue could face penalties up to €20 million. Major tech companies have faced fines in the hundreds of millions.

Beyond Financial Penalties

  • Reputational damage
  • Orders to cease processing
  • Required changes to data practices
  • Suspension of data transfers
  • Individual complaints and litigation

Steps to Achieve GDPR Compliance

Here's a practical approach to GDPR compliance:

Phase 1: Assessment

  • Map all personal data you collect
  • Identify where data is stored and processed
  • Document data flows and third-party processors
  • Assess current privacy practices
  • Identify gaps in compliance

Phase 2: Implementation

  • Update privacy policies
  • Implement consent mechanisms
  • Create data subject request procedures
  • Update contracts with processors
  • Implement technical security measures

Phase 3: Ongoing

  • Train employees on GDPR requirements
  • Maintain records of processing activities
  • Regularly review and update practices
  • Monitor regulatory updates
  • Conduct periodic audits

Ready to Check Your GDPR Compliance?

Use PolicyLens to analyze your privacy policy and ensure it meets GDPR requirements for your visitors from the EU.

Analyze Your Policy Free