GDPR
General Data Protection Regulation
The European Union's landmark data protection regulation setting the global standard for privacy rights and obligations.
Overview
The General Data Protection Regulation (GDPR) is the European Union's comprehensive data protection law, replacing the 1995 Data Protection Directive. It entered into force on May 25, 2018, and applies to any organisation that processes the personal data of EU/EEA residents, regardless of where that organisation is based. GDPR has become the de facto global benchmark for data privacy legislation, influencing laws from Brazil's LGPD to India's DPDP Act.
At its core, GDPR establishes seven foundational principles for lawful personal data processing: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability. Organisations must identify a valid legal basis for every processing activity, document their processing operations in a Record of Processing Activities (RoPA), and embed privacy protections into systems and processes from the outset through Privacy by Design and by Default.
Enforcement is carried out by independent supervisory authorities (Data Protection Authorities) in each member state. Fines can reach €20 million or 4% of global annual turnover for the most serious infringements. Since 2018, European DPAs have collectively issued over €4 billion in fines, demonstrating that GDPR enforcement is substantive and growing.
Scope & Applicability
GDPR applies to any organisation — public or private, in the EU or outside it — that either (a) is established in the EU/EEA and processes personal data in the context of that establishment, or (b) offers goods or services to, or monitors the behaviour of, individuals in the EU/EEA. Personal data means any information relating to an identified or identifiable natural person. Special categories of data (health, biometric, genetic, political opinions, religious beliefs, racial or ethnic origin, sexual orientation, trade union membership) are subject to additional restrictions and require explicit consent or another specific legal basis.
Key Principles
1. Lawfulness, Fairness and Transparency — processing must have a valid legal basis and be transparent to individuals
2. Purpose Limitation — data collected for specified, explicit, and legitimate purposes must not be processed incompatibly
3. Data Minimisation — only data that is adequate, relevant, and limited to what is necessary may be collected
4. Accuracy — personal data must be accurate and, where necessary, kept up to date
5. Storage Limitation — data must not be kept in identifiable form longer than necessary for its purpose
6. Integrity and Confidentiality — appropriate security measures must protect data against unauthorised access, loss, or destruction
7. Accountability — controllers are responsible for demonstrating compliance with all GDPR principles
Data Subject Rights
- Right of access: individuals can request confirmation of whether their data is being processed and receive a copy, along with details of the processing such as purposes, categories, recipients, and retention periods.
- Right to rectification: individuals can request correction of inaccurate personal data and completion of incomplete data without undue delay.
- Right to erasure: individuals can request deletion of their data when it is no longer necessary, consent is withdrawn, or there is no overriding legitimate interest to retain it.
- Right to restriction of processing: individuals can request that processing be restricted in certain circumstances, such as when accuracy is contested or an objection is pending.
- Right to data portability: individuals can receive their data in a structured, commonly used, machine-readable format and transmit it to another controller where processing is based on consent or contract.
- Right to object: individuals can object to processing based on legitimate interests or for direct marketing; direct marketing objections must always be honoured.
- Rights related to automated decision-making: individuals have the right not to be subject to solely automated decisions that produce legal or similarly significant effects, and to request human review.
- Right to withdraw consent: where processing is based on consent, individuals can withdraw it at any time, and withdrawal must be as easy as giving it.
Business Obligations
Record of Processing Activities (RoPA)
Controllers and processors with 250+ employees (or those processing high-risk data) must maintain detailed records of all processing activities under Article 30.
Data Protection Impact Assessment (DPIA)
A DPIA is mandatory before carrying out processing likely to result in high risk to individuals, such as large-scale profiling, systematic surveillance, or processing special category data.
Data Protection Officer (DPO) Appointment
A DPO must be appointed by public authorities, organisations carrying out large-scale systematic monitoring, and organisations processing special category data at scale.
Privacy by Design and by Default
Technical and organisational measures must embed data protection into processing systems and business practices from design through to default settings.
Data Processing Agreements
Controllers must put a written contract in place with every processor binding them to GDPR obligations under Article 28.
Breach Notification
Personal data breaches must be reported to the supervisory authority within 72 hours of becoming aware. Individuals must be notified without undue delay when the breach is likely to result in high risk.
Legal Basis Documentation
A lawful basis (consent, contract, legal obligation, vital interests, public task, or legitimate interests) must be identified, documented, and communicated to data subjects for every processing activity.
Cross-Border Transfer Rules
Transferring personal data outside the EU/EEA requires one of the following safeguards: an adequacy decision by the European Commission confirming the destination country offers equivalent protection; Standard Contractual Clauses (SCCs) adopted by the Commission; Binding Corporate Rules (BCRs) approved by a lead DPA; or specific derogations such as explicit consent or necessity for a contract. Following the Schrems II ruling in 2020, organisations must conduct Transfer Impact Assessments (TIAs) to verify that destination-country law does not undermine SCC protections. The EU–US Data Privacy Framework (2023) currently provides an adequacy pathway for US transfers.
Breach Notification Requirements
- Deadline for notifying the supervisory authority: 72 hours from becoming aware of the breach
- Who to notify: the competent supervisory authority (the lead DPA for cross-border processing under the one-stop-shop mechanism)
- Notifying affected individuals: without undue delay when the breach is likely to result in a high risk to their rights and freedoms
How TruePrivacy Helps
Purpose-built tools for every GDPR obligation.
TruePrivacy continuously discovers data assets and auto-populates Article 30 records, keeping your RoPA accurate as systems change.
Guided DPIA templates aligned with EDPB guidance help teams assess and document risk before launching new processing activities.
Automated breach detection and triage workflows generate DPA notification reports within hours, ensuring you never miss the 72-hour window.
A centralised portal tracks every data subject request, enforces the 30-day deadline, and automates identity verification and data retrieval.
Country-level legal analysis and TIA templates help you document the lawfulness of every cross-border transfer under the Schrems II framework.
A dedicated DPO dashboard consolidates RoPA, DPIAs, breach log, DSR tracker, and DPA correspondence in one place.
Ready to achieve GDPR compliance?
TruePrivacy automates your compliance workflows so your team can focus on what matters.