What is the GDPR?
The General Data Protection Regulation (GDPR) is a comprehensive data protection law enacted by the European Union that came into effect on 25 May 2018. It replaced the 1995 EU Data Protection Directive and fundamentally changed how organisations collect, store, process and use the personal data of individuals in the European Union and European Economic Area.
GDPR is not just a European concern. It applies to any organisation anywhere in the world that processes personal data of EU residents — making it one of the most far-reaching privacy laws ever enacted. Companies from the United States, Asia, Australia and beyond must comply if they offer goods or services to EU residents or monitor their behaviour.
Why Was GDPR Created?
By the mid-2010s, the digital economy had transformed how personal data was collected and used. Social media platforms, e-commerce giants and data brokers were amassing vast quantities of personal information — often without meaningful consent or transparency. The 1995 Directive was written before the modern internet existed and was no longer fit for purpose.
The European Commission spent four years drafting GDPR, which was formally adopted in April 2016 and gave organisations two years to prepare before enforcement began in May 2018. The regulation was designed to give EU citizens control over their personal data, harmonise data protection laws across member states, and establish serious consequences for non-compliance — including fines of up to €20 million or 4% of global annual turnover, whichever is higher.
| Attribute | Detail |
|---|---|
| Enacted by | European Union |
| Effective date | 25 May 2018 |
| Mandatory or voluntary | Mandatory (legal obligation) |
| Geography | EU/EEA; applies globally to any organisation processing EU resident data |
| Maximum fine | €20 million or 4% of global annual turnover (whichever is higher) |
| Official resource | gdpr.eu |
The Seven Principles of GDPR
Article 5 of GDPR sets out seven core principles that must underpin all personal data processing. These principles are the foundation of GDPR compliance.
| Principle | What it means |
|---|---|
| Lawfulness, fairness and transparency | Data must be processed lawfully, fairly and in a transparent manner. Individuals must know what you are doing with their data. |
| Purpose limitation | Data must be collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes. |
| Data minimisation | Data collected must be adequate, relevant and limited to what is necessary for the purpose. Collect only what you need. |
| Accuracy | Personal data must be accurate and kept up to date. Inaccurate data must be erased or rectified without delay. |
| Storage limitation | Data must not be kept longer than necessary for the purpose for which it was collected. Retention policies are essential. |
| Integrity and confidentiality | Data must be processed with appropriate security — protecting against unauthorised access, loss or destruction. |
| Accountability | The data controller is responsible for demonstrating compliance with all of the above principles. Document everything. |
Six Lawful Bases for Processing
Under GDPR, every instance of personal data processing must have a lawful basis. There are six lawful bases — organisations must identify and document which basis applies before processing begins.
| Lawful Basis | When it applies |
|---|---|
| Consent | The individual has given clear, specific, informed and unambiguous consent. Must be freely given and withdrawable at any time. |
| Contract | Processing is necessary to perform a contract with the individual or to take steps at their request before entering a contract. |
| Legal obligation | Processing is necessary to comply with a legal obligation — such as tax reporting or employment law requirements. |
| Vital interests | Processing is necessary to protect someone’s life. Applies in emergencies where consent cannot reasonably be obtained. |
| Public task | Processing is necessary to perform a task in the public interest or exercise official authority. Primarily applies to public bodies. |
| Legitimate interests | Processing is necessary for the legitimate interests of the controller or a third party, unless overridden by the individual’s rights. |
Individual Rights Under GDPR
GDPR grants individuals eight distinct rights over their personal data. Organisations must have processes in place to respond to these rights — typically within one calendar month.
| Right | What individuals can demand |
|---|---|
| Right to be informed | Individuals must be told how their data is used — through privacy notices at the point of collection. |
| Right of access | Individuals can request a copy of all personal data held about them (Subject Access Request). |
| Right to rectification | Individuals can request correction of inaccurate or incomplete personal data. |
| Right to erasure | Also known as the “right to be forgotten” — individuals can request deletion of their personal data in certain circumstances. |
| Right to restrict processing | Individuals can request that processing of their data be paused, for example while its accuracy is disputed. |
| Right to data portability | Individuals can request their data in a machine-readable format to transfer to another service provider. |
| Right to object | Individuals can object to processing based on legitimate interests or for direct marketing purposes. |
| Rights related to automated decision-making | Individuals have the right not to be subject to decisions made solely by automated processing that significantly affect them. |
Key GDPR Requirements
The following table covers the major compliance requirements organisations must address under GDPR.
| Requirement | Description | Article |
|---|---|---|
| Lawful basis for processing | Every processing activity must have an identified and documented lawful basis | Art. 6 |
| Privacy notice | Clear, plain-language notice provided at point of data collection | Art. 13–14 |
| Records of processing activities | Written records of all processing activities maintained (mandatory for orgs with 250+ employees or processing high-risk data) | Art. 30 |
| Data Protection by Design | Privacy and data protection built into systems and processes from the outset — not added on later | Art. 25 |
| Data Protection Impact Assessment | DPIA required before processing that is likely to result in high risk to individuals | Art. 35 |
| Data Protection Officer | DPO mandatory for public authorities, organisations processing large-scale sensitive data or systematic monitoring | Art. 37–39 |
| Breach notification — Supervisory Authority | Personal data breaches must be reported to the relevant supervisory authority within 72 hours of discovery | Art. 33 |
| Breach notification — Individuals | If a breach is likely to result in high risk to individuals, those individuals must also be notified without undue delay | Art. 34 |
| Data Processing Agreements | Written contracts required with all third-party processors specifying how data must be handled | Art. 28 |
| International data transfers | Transfers of personal data outside the EU/EEA only permitted to countries with adequate protection or using approved mechanisms (SCCs, BCRs) | Art. 44–49 |
| Consent management | Where consent is the lawful basis, it must be freely given, specific, informed and unambiguous — and as easy to withdraw as to give | Art. 7 |
| Special category data | Higher protection required for health, biometric, racial/ethnic, political, religious, sexual orientation data | Art. 9 |
| Subject access requests | Organisations must respond to SARs within one calendar month — free of charge in most cases | Art. 15 |
| Retention and deletion | Data retention periods must be defined and documented — data deleted or anonymised when no longer needed | Art. 5(1)(e) |
| Technical and organisational measures | Appropriate security measures implemented — encryption, pseudonymisation, access controls, resilience | Art. 32 |
GDPR Enforcement and Fines
GDPR established a two-tier fine structure based on the severity of the violation.
| Tier | Maximum Fine | Applies to violations of |
|---|---|---|
| Lower tier | €10 million or 2% of global annual turnover | Data processing records, processor obligations, breach notification, DPIAs, DPO requirements |
| Upper tier | €20 million or 4% of global annual turnover | Core data protection principles, lawful basis, individual rights, international transfer rules |
Notable enforcement actions include Meta (€1.2 billion, 2023), Amazon (€746 million, 2021) and WhatsApp (€225 million, 2021) — demonstrating that regulators are willing to pursue large fines against major technology companies.
Securitora Assessment
GDPR is non-negotiable for any organisation that handles personal data of EU residents — regardless of where the organisation is based. The regulation has fundamentally raised the bar for data protection globally, with many countries using it as a model for their own privacy laws. The 72-hour breach notification requirement and the right to erasure are the two requirements that most organisations find operationally challenging — both require mature processes and clear ownership.
| Attribute | Detail |
|---|---|
| Recommended for | Any organisation processing personal data of EU/EEA residents |
| Difficulty to implement | Medium to High; requires legal, technical and organisational changes |
| Best used with | ISO 27001 · CCPA · ISO 27701 (Privacy Information Management) |
| Official resource | gdpr.eu |