The General Data Protection Regulation governs how organizations collect and use the personal data of people in the EU. It follows the data, not the borders, so a company anywhere can fall under it. Every act of processing needs a lawful basis. People have enforceable rights over their own data, including access and erasure. A breach gets reported to the regulator within 72 hours. The biggest fines reach 20 million euros or 4 percent of worldwide annual turnover, whichever is higher. The rule that ties it all together is accountability: you have to show your work, with records, rather than just claim you complied.
Most teams meet GDPR the same way. A customer in Germany asks for a copy of everything you hold on them, and someone has to figure out, fast, where that data actually lives. Or a vendor has an incident on a Friday night and the 72-hour clock starts before anyone has read the contract. GDPR stays abstract right up until it gets concrete, and by then the time to have built the program is long past.
This guide walks through GDPR the way a practitioner has to hold it: who it covers, the principles underneath it, the lawful bases you process on, the rights people can exercise against you, who is responsible for what, when a risk assessment is required, how breach reporting works, when you need a Data Protection Officer, and what it costs to get it wrong.
Who GDPR applies to
The first mistake is assuming GDPR is an EU-companies problem. It applies based on whose data you process and what you do with it, not on where you are incorporated. There are two main triggers under the regulation's territorial scope.
The first is establishment. If your organization is established in the EU and processes personal data, GDPR applies, regardless of where the processing physically happens. The second is targeting. If you are outside the EU but you offer goods or services to people in the EU, or you monitor the behavior of people in the EU, GDPR reaches you. A US software company with no European office is covered the moment it markets to EU residents or tracks them with cookies and analytics.
Personal data is defined broadly. It is any information relating to an identified or identifiable person: a name, an email address, a device identifier, a location, an account number. A subset called special category data carries extra protection because of its sensitivity, and it gets its own rules below.
The core principles
GDPR is built on seven principles in Article 5. They are not a checklist you complete once. They are the standard every processing activity is measured against, and the last one means you have to be able to demonstrate the other six.
| Principle | What it requires |
|---|---|
| Lawfulness, fairness, transparency | Process on a valid legal basis, treat people fairly, and tell them clearly what you do with their data through a privacy notice. |
| Purpose limitation | Collect data for specified, explicit, legitimate purposes. Do not quietly reuse it for something new. |
| Data minimization | Collect only what is adequate, relevant, and necessary for the purpose. Review the fields you ask for. |
| Accuracy | Keep data accurate and up to date. Correct or erase what is wrong. |
| Storage limitation | Keep data only as long as the purpose needs it. Set retention schedules and delete on time. |
| Integrity and confidentiality | Protect data with appropriate security: encryption, access controls, and the measures the risk warrants. |
| Accountability | Be able to demonstrate compliance with all of the above through documentation, records, and audit trails. |
Accountability is the principle people underestimate. Doing the right thing is not enough under GDPR. You have to be able to prove you did it, with records that hold up when a regulator asks.
The lawful bases for processing
You cannot process personal data because you feel like it. Every processing activity must rest on one of six lawful bases in Article 6. Pick the basis before you process, document why it fits, and stick to it. Switching bases later because the first one stopped being convenient is a problem.
| Basis | When it fits |
|---|---|
| Consent | Marketing emails, cookies, tracking. Must be freely given, specific, informed, and unambiguous, and as easy to withdraw as to give. Use it only when no other basis works. |
| Contract | Processing genuinely necessary to deliver a contract the person is party to, such as fulfilling an order or running their account. |
| Legal obligation | Processing required by law, such as keeping tax records or meeting know-your-customer rules. Identify the specific requirement. |
| Vital interests | Protecting someone's life. Rarely used outside medical emergencies. |
| Public task | Processing for a task in the public interest or official authority. This is for public bodies. |
| Legitimate interests | Your genuine interest, weighed against the person's rights and expectations. The most flexible basis and the most challenged. It requires a documented balancing assessment, and it is not available to public authorities. |
Consent gets over-used. Teams reach for it as a default when contract or legitimate interests would be sounder and would not give the person an absolute right to pull the rug out later. Special category data, the sensitive subset such as health data, biometric data, or data revealing race or political views, needs more than an Article 6 basis. It also needs one of the additional conditions in Article 9, which are narrower, with explicit consent being the most common.
Data-subject rights
GDPR gives people enforceable rights over their own data, and the organization has to be built to honor them. The standard response window is one month, extendable to three for genuinely complex requests if you notify the person inside the first month. Requests are generally free.
| Right | What the person can do |
|---|---|
| Access (Art. 15) | Get a copy of their personal data plus information about how and why it is processed. Verify identity first. |
| Rectification (Art. 16) | Have inaccurate data corrected and incomplete data completed. |
| Erasure (Art. 17) | Have data deleted when consent is withdrawn, the data is no longer needed, or processing was unlawful. Known as the right to be forgotten. It is not absolute; legal obligations can override it. |
| Restriction (Art. 18) | Have processing paused, with the data kept but not used, while a dispute is resolved. |
| Portability (Art. 20) | Receive their data in a structured, machine-readable format, where processing is based on consent or contract and is automated. |
| Object (Art. 21) | Object to processing based on legitimate interests, and stop direct marketing outright, which is an absolute right. |
| Automated decisions (Art. 22) | Not be subject to a solely automated decision with legal or similarly significant effects, without human review, the ability to contest it, and an explanation. |
The access request is the one that exposes whether a program is real. You cannot hand over a copy of someone's data if you do not know where it all lives: the customer record, the email archive, the logs, the backups. The right to erasure carries the same test. You need the technical ability to delete across every system, not just the front-end record.
Controller versus processor
GDPR splits responsibility into two roles, and getting the labels right decides who carries which obligations. A controller decides why and how personal data is processed. A processor acts on the controller's instructions and does not decide the purpose. A company that collects customer data and decides what to do with it is the controller. The cloud vendor or analytics provider that handles that data on the company's behalf is the processor.
The controller carries primary accountability and is the one people exercise their rights against. The processor has direct obligations of its own, including security and breach reporting up to the controller. The two must sign a data processing agreement that meets Article 28, which sets out the subject matter, duration, and purpose of the processing and the processor's specific duties. Where two organizations jointly decide the purpose, they are joint controllers and have to be transparent about who does what.
When a DPIA is required
A Data Protection Impact Assessment, or DPIA, is a structured analysis of the privacy risk in a processing activity, done before you start. Article 35 makes it mandatory when processing is likely to result in a high risk to people's rights. That includes systematic and extensive profiling with significant effects, large-scale processing of special category data, systematic monitoring of public areas, the use of new high-risk technologies, and large-scale processing of children's data.
A DPIA describes the processing and the data flows, tests whether it is necessary and proportionate to the purpose, identifies the risks and rates them, and sets out the measures that reduce them. If high risk remains even after mitigation, you have to consult the supervisory authority before going live. Done early, a DPIA is also the cheapest way to catch a design problem before it is built into the product.
Breach notification and the 72-hour rule
A personal data breach is a security failure that leads to the destruction, loss, alteration, or unauthorized disclosure of or access to personal data. Articles 33 and 34 set the response, and the clock is short.
The controller must notify the relevant supervisory authority within 72 hours of becoming aware of the breach, unless it is unlikely to result in a risk to people's rights and freedoms. The notification describes the breach, the categories and approximate number of people affected, the likely consequences, the measures taken, and the contact point for more information. If the breach is likely to result in a high risk, the controller must also tell the affected individuals without undue delay, in plain language, including what they should do to protect themselves.
Two practical points carry most of the weight. First, the 72-hour clock runs from the moment you become aware of the breach, which is why detection and an incident process matter as much as the report itself. Second, document the assessment even when you decide not to notify. The decision not to report is itself something you have to be able to defend.
Cross-border data transfers
Moving personal data outside the EU is restricted unless the destination provides adequate protection. The cleanest route is an adequacy decision, where the EU has formally recognized a country's protections, which removes the need for further safeguards. Where there is no adequacy decision, you need a transfer mechanism. Standard Contractual Clauses are the most common; they are an EU-approved contract template, paired with a transfer impact assessment of the destination country's laws. Binding Corporate Rules cover transfers inside a multinational group and require regulator approval. Limited one-off transfers can rely on the narrow derogations in Article 49, such as explicit consent or necessity for a contract.
When you need a DPO
A Data Protection Officer is an independent point of accountability for data protection inside an organization. Article 37 makes appointing one mandatory in three cases:
- The processing is carried out by a public authority or body.
- The core activities involve regular and systematic monitoring of people on a large scale.
- The core activities involve large-scale processing of special category data or data about criminal convictions and offenses.
The DPO advises on obligations, monitors compliance, acts as the contact point for the supervisory authority and for data subjects, and must be able to operate without a conflict of interest or pressure. Plenty of organizations that fall outside the triggers appoint one anyway, because it centralizes accountability in a single owner rather than scattering it across teams.
Penalties
GDPR enforcement has two fine tiers, and the figure is whichever of the two amounts is higher, so the percentage bites hardest on large organizations.
| Tier | Maximum | For |
|---|---|---|
| Lower tier | 10 million euros or 2% of total worldwide annual turnover | Breaches such as inadequate records, weak security, or a missing DPO where one was required. |
| Higher tier | 20 million euros or 4% of total worldwide annual turnover | Breaches of the core principles, the lawful basis rules, data-subject rights, or transfer rules. |
Fines are not the whole story. A supervisory authority can also order an organization to stop processing entirely, which for a business built on data can be heavier than any number. And the people whose data was mishandled can claim compensation for the harm.
Recent and pending changes
Two developments are worth tracking. In November 2025 the European Commission proposed a Digital Omnibus that would amend the GDPR itself, including streamlined record-keeping and breach-notification duties and a change in how cookie-consent rules are housed. It is moving through the EU legislative process and is not yet law, and it is the most significant pending change to the GDPR text. Separately, the EU-US Data Privacy Framework remains the principal route for transfers to the United States: the EU General Court upheld its adequacy decision on 3 September 2025, and that ruling is now under appeal to the Court of Justice.
A readiness checklist
Run this against your own program. Gaps here are where enforcement and access requests find you.
- You know whether GDPR applies to you, and why, under the territorial scope rules.
- Every processing activity has a documented lawful basis, recorded before processing began.
- You hold a record of processing activities mapping what data you have, why, and where it lives.
- Your privacy notice tells people clearly what you do with their data and how to exercise their rights.
- You can fulfill an access or erasure request across every system, including logs and backups, within one month.
- Every vendor that touches personal data has a signed data processing agreement meeting Article 28.
- A DPIA is completed for each high-risk processing activity before it goes live.
- You have an incident process that can detect a breach and report it inside 72 hours.
- You have assessed whether a DPO is mandatory and appointed one if so.
- Cross-border transfers rest on an adequacy decision or a valid transfer mechanism.
- Retention schedules exist and data is actually deleted when its purpose ends.
The organizations that come out ahead are the ones that built the program before they needed it. The ones that wait until the access request lands or the breach clock starts are doing the work under the worst possible conditions, and the records that prove compliance are exactly the records they never kept. The whole regime comes down to one habit, which is to show your work.
For the terms used throughout this guide, see the GDPR and data-privacy glossary.