What Is GDPR? A Complete Guide to GDPR Compliance
Quick Answer
GDPR (General Data Protection Regulation) is the EU's comprehensive data protection law that governs how organizations collect, process, store, and share personal data of individuals in the European Economic Area (EEA).
What Is GDPR?
The General Data Protection Regulation (GDPR) is the EU's landmark data protection law that took effect on May 25, 2018. It replaced the 1995 Data Protection Directive and established a unified framework for data protection across all EU/EEA member states. GDPR is widely considered the most comprehensive data protection law in the world and has influenced similar legislation globally.
Key Takeaways
- GDPR applies to ANY organization processing personal data of EU/EEA residents — regardless of where the company is located
- Fines up to 4% of global annual revenue or EUR 20 million (whichever is higher)
- Seven key principles: lawfulness, purpose limitation, data minimization, accuracy, storage limitation, integrity/confidentiality, accountability
- Grants individuals strong rights: access, erasure, portability, objection, and more
- Requires a legal basis for every data processing activity (consent, contract, legitimate interest, etc.)
Who Does GDPR Apply To?
GDPR has extraterritorial scope — it applies based on whose data you process, not where your company is located. A US company with no physical presence in the EU must still comply if it processes EU residents' personal data.
| Scenario | GDPR Applies? | Why |
|---|---|---|
| EU company processing EU customer data | Yes | Established in the EU, processing personal data |
| US company selling to EU customers | Yes | Offering goods/services to EU residents |
| US company monitoring EU user behavior | Yes | Monitoring behavior of EU residents (analytics, tracking) |
| US company with only US customers | No | No EU personal data processing |
| Non-EU company with EU employees | Yes | Processing employee personal data of EU residents |
| Company processing anonymized EU data | No | Truly anonymized data is not personal data under GDPR |
The Seven GDPR Principles
- Lawfulness, Fairness, and Transparency: Processing must have a legal basis and be transparent to data subjects
- Purpose Limitation: Data collected for specified, explicit, and legitimate purposes only
- Data Minimization: Only collect data that is adequate, relevant, and limited to what's necessary
- Accuracy: Personal data must be accurate and kept up to date
- Storage Limitation: Data kept only as long as necessary for the stated purpose
- Integrity and Confidentiality: Appropriate security measures to protect personal data
- Accountability: The controller must demonstrate compliance with all principles
Key GDPR Concepts
| Term | Definition |
|---|---|
| Personal Data | Any information relating to an identified or identifiable natural person (name, email, IP address, location data, etc.) |
| Data Controller | The entity that determines the purposes and means of processing personal data |
| Data Processor | The entity that processes personal data on behalf of the controller |
| Data Subject | The individual whose personal data is being processed |
| Processing | Any operation on personal data: collection, storage, use, disclosure, erasure, etc. |
| Lawful Basis | The legal justification for processing (consent, contract, legitimate interest, legal obligation, vital interests, public task) |
| DPO | Data Protection Officer — required for certain organizations |
The Six Lawful Bases for Processing
Every processing activity must have one of six lawful bases. The most commonly used for businesses are consent, contractual necessity, and legitimate interest.
Choose the appropriate lawful basis before any data processing begins:
- Consent: Freely given, specific, informed, unambiguous indication of wishes
- Contract: Processing necessary for performing a contract with the data subject
- Legal Obligation: Processing necessary to comply with a legal obligation
- Vital Interests: Processing necessary to protect someone's life
- Public Task: Processing necessary for a task in the public interest
- Legitimate Interest: Processing necessary for legitimate interests (balanced against data subject rights)
Data Subject Rights
GDPR grants individuals strong rights over their personal data. For a detailed guide, see our article on GDPR data subject rights.
- Right to Access: Request copies of personal data being processed
- Right to Rectification: Request correction of inaccurate data
- Right to Erasure (Right to Be Forgotten): Request deletion of personal data
- Right to Restrict Processing: Request limitation of processing activities
- Right to Data Portability: Receive data in a machine-readable format
- Right to Object: Object to processing based on legitimate interest or direct marketing
- Rights Related to Automated Decision-Making: Not be subject to solely automated decisions with legal effects
GDPR Penalties
| Figure | What It Represents | Notes |
|---|---|---|
| EUR 20M | Maximum fine (or 4% of global annual revenue) | Whichever is higher, for the most serious violations |
| EUR 10M | Lower tier (or 2% of global annual revenue) | For less severe violations (record-keeping, DPO failures) |
| EUR 1.2B | Largest fine to date | Meta (2023), for illegal EU-US data transfers |
| 2,000+ | Enforcement actions | Since GDPR took effect in 2018 |
Getting Started with GDPR
GDPR Compliance Roadmap
- Map your data: Identify what personal data you collect, where it's stored, how it flows, and who has access. Create a Record of Processing Activities (ROPA).
- Determine your lawful bases: For each processing activity, identify and document the lawful basis. Consent, contract, and legitimate interest are most common for businesses.
- Update your privacy policy: Create a GDPR-compliant privacy notice that's clear, specific, and accessible. It must include processing purposes, lawful bases, retention periods, and data subject rights.
- Implement data subject rights processes: Set up procedures to handle access requests, deletion requests, and other data subject rights within the required timelines (typically 1 month).
- Implement security measures: Apply appropriate technical and organizational measures to protect personal data, such as encryption, access controls, and pseudonymization.
- Address international transfers: If transferring data outside the EU/EEA, implement appropriate safeguards (Standard Contractual Clauses, adequacy decisions, etc.).
Does GDPR apply to my US company?
If you process personal data of EU/EEA residents — whether through selling products/services to EU customers, monitoring EU user behavior (analytics), or employing EU residents — GDPR applies. See our detailed guide on GDPR for US companies.
What's the difference between GDPR and CCPA?
GDPR is an EU regulation; CCPA/CPRA is a California state law. GDPR is broader in scope, covers more rights, and has higher penalties. However, both regulate how personal data is collected and used. See our GDPR vs CCPA comparison.
Do I need a Data Protection Officer?
A DPO is required if: (1) you're a public authority, (2) your core activities involve large-scale systematic monitoring, or (3) you process special category data on a large scale. Many companies appoint a DPO voluntarily. See our DPO guide.
Can I transfer EU data to the US?
Yes, but you need appropriate safeguards. The EU-US Data Privacy Framework (established 2023) provides a mechanism for certified companies. Standard Contractual Clauses (SCCs) are the most common alternative. The key is ensuring equivalent data protection.
What counts as personal data under GDPR?
Any information that can directly or indirectly identify a natural person: names, email addresses, phone numbers, IP addresses, cookie identifiers, location data, online identifiers, and even pseudonymized data that could be re-linked to an individual.