
GDPR Overview

Understand GDPR fundamentals, core principles, data subject rights, and what compliance requires.

Start Here

  1. Skim this overview for core principles and data subject rights.
  2. Map your personal data flows and legal bases.
  3. Use the quick start to prioritize your first 30 days.

GDPR: General Data Protection Regulation

The General Data Protection Regulation (GDPR) is the European Union's comprehensive data privacy law. It sets strict rules for how organizations collect, store, process, and share personal data of individuals in the EU/EEA.

What is GDPR?

GDPR is a regulation adopted by the European Union in 2016 and applicable since 25 May 2018. It applies to organizations established in the EU/EEA, and to organizations outside it that offer goods or services to, or monitor the behaviour of, individuals in the EU/EEA, regardless of where the processing itself takes place.

Key Benefits of Compliance

  • Legal Protection: Avoid fines of up to €20 million or 4% of annual global turnover, whichever is higher
  • Customer Trust: Demonstrate respect for user privacy and data rights
  • Market Access: Required for doing business in the EU/EEA
  • Data Hygiene: Forces better data management and security practices
  • Competitive Advantage: Privacy-conscious customers prefer GDPR-compliant vendors
  • Reduced Risk: Minimizes data breach impact through built-in safeguards

Core Principles (Article 5)

GDPR is built on seven foundational principles:

1. Lawfulness, Fairness, and Transparency

  • Process data only with a valid legal basis
  • Be fair in how you handle personal data
  • Tell people clearly what you do with their data

2. Purpose Limitation

  • Collect data only for specified, explicit, and legitimate purposes
  • Don't reuse data for a purpose incompatible with the original one without a new legal basis, typically fresh consent

3. Data Minimization

  • Collect only the data you actually need
  • Don't gather "nice to have" information without justification

4. Accuracy

  • Keep personal data accurate and up to date
  • Correct or delete inaccurate data without delay

5. Storage Limitation

  • Don't keep personal data longer than necessary
  • Define and enforce retention periods for each data category
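Defining retention periods is a policy exercise; enforcing them is an engineering one. The following is an added example (not code from the page or from any GDPR tooling) of a purge planner that applies a per-category retention schedule and handles the two cases that bite in practice: a category that nobody scheduled, and an expired record that is under a legal hold. The categories, day counts and records are constructed.

```python
"""Retention schedule enforcement: an added, illustrative example (not code
from the page or any GDPR tooling). The categories, retention periods and
records below are constructed; a real schedule is set per purpose and legal basis."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

# Constructed schedule: how many days each data category may be kept after creation.
# "invoice" is long because a legal obligation (tax law) overrides storage
# limitation for that category; the figures themselves are assumptions.
RETENTION_DAYS: Dict[str, int] = {
    "web_analytics": 90,
    "support_ticket": 365 * 2,
    "marketing_consent_log": 365 * 3,
    "invoice": 365 * 10,
}


@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    created: date
    legal_hold: bool = False  # e.g. litigation hold; blocks deletion regardless of schedule


@dataclass
class PurgePlan:
    delete: List[str] = field(default_factory=list)        # past retention, safe to erase
    keep: List[str] = field(default_factory=list)          # still inside retention period
    held: List[str] = field(default_factory=list)          # expired but under legal hold
    unclassified: List[str] = field(default_factory=list)  # no schedule for category: escalate


def retention_expiry(record: Record) -> Optional[date]:
    """Date on which the record leaves its retention period, or None if unscheduled."""
    days = RETENTION_DAYS.get(record.category)
    if days is None:
        return None
    return record.created + timedelta(days=days)


def plan_purge(records: List[Record], today: date) -> PurgePlan:
    """Sort records into delete/keep/held/unclassified without touching any data.

    The plan is reviewed and logged before anything is erased; an unknown
    category is neither deleted nor silently kept forever."""
    plan = PurgePlan()
    for r in records:
        expiry = retention_expiry(r)
        if expiry is None:
            plan.unclassified.append(r.record_id)
        elif today < expiry:
            plan.keep.append(r.record_id)
        elif r.legal_hold:
            plan.held.append(r.record_id)
        else:
            plan.delete.append(r.record_id)
    return plan


# Constructed sample inventory and review date.
REVIEW_DATE = date(2025, 6, 1)
SAMPLE_RECORDS = [
    Record("r1", "web_analytics", date(2025, 1, 1)),
    Record("r2", "web_analytics", date(2025, 5, 1)),
    Record("r3", "invoice", date(2014, 3, 1), legal_hold=True),
    Record("r4", "support_ticket", date(2024, 1, 15)),
    Record("r5", "crm_export", date(2020, 1, 1)),  # category nobody scheduled
]

if __name__ == "__main__":
    print(plan_purge(SAMPLE_RECORDS, REVIEW_DATE))
```

The planner deliberately separates deciding from deleting: the `unclassified` bucket is the accountability signal (a category in use with no documented retention period), and `held` records are the ones where another obligation temporarily outranks storage limitation.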

6. Integrity and Confidentiality

  • Protect data against unauthorized access, loss, or destruction
  • Use appropriate technical and organizational measures

7. Accountability

  • Be able to demonstrate compliance with all principles
  • Maintain records and documentation of processing activities

Legal Bases for Processing (Article 6)

You must have at least one legal basis to process personal data:

| Legal Basis | When to Use | Example |
|---|---|---|
| Consent | The individual freely gives specific, informed, unambiguous agreement and can withdraw it as easily as it was given | Marketing emails, non-essential cookies |
| Contract | Processing is necessary to perform a contract with the individual, or to take steps at their request before entering one | Delivering a purchased product |
| Legal Obligation | Required by EU or member state law | Tax record keeping |
| Vital Interests | Necessary to protect the life of the data subject or another person | Emergency medical data sharing |
| Public Interest | Task carried out in the public interest or in the exercise of official authority | Public health research |
| Legitimate Interest | Necessary for your (or a third party's) legitimate interests, and those interests are not overridden by the individual's rights; document the balancing test | Fraud prevention, network security |

Data Subject Rights

GDPR grants individuals powerful rights over their personal data:

Right to be Informed (Articles 13-14)

  • Provide clear privacy notices explaining data processing
  • Include identity of controller, purposes, legal basis, retention periods

Right of Access (Article 15)

  • Individuals can request a copy of their personal data
  • Respond within one month of receiving the request; this can be extended by two further months for complex or numerous requests, provided the individual is told of the extension within the first month

Right to Rectification (Article 16)

  • Individuals can request correction of inaccurate data
  • Must rectify without undue delay

Right to Erasure / "Right to be Forgotten" (Article 17)

  • Individuals can request deletion of their data
  • Applies when, for example, the data is no longer necessary, consent is withdrawn, the individual objects and no overriding grounds exist, or the processing was unlawful

Right to Restrict Processing (Article 18)

  • Individuals can request that processing be limited
  • Data can be stored but not actively processed

Right to Data Portability (Article 20)

  • Individuals can receive their data in a structured, machine-readable format
  • Can transmit data to another controller

Right to Object (Article 21)

  • Individuals can object to processing based on legitimate interest or public interest, and to direct marketing
  • Must stop processing unless compelling legitimate grounds override the objection; an objection to direct marketing must always be honoured

Rights Related to Automated Decision Making (Article 22)

  • Individuals have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects
  • Includes profiling; exceptions exist for decisions necessary for a contract, authorised by law, or based on explicit consent, and even then human intervention must be available on request

Key Roles

Data Controller

  • Determines the purposes and means of processing personal data
  • Bears primary responsibility for compliance
  • Must implement appropriate technical and organizational measures

Data Processor

  • Processes personal data on behalf of the controller
  • Must follow the controller's instructions
  • Requires a Data Processing Agreement (DPA)

Data Protection Officer (DPO)

  • Required for public authorities, for large-scale regular and systematic monitoring of individuals, or for large-scale processing of special category or criminal conviction data
  • Advises on GDPR obligations and monitors compliance
  • Must be independent and report to highest management level

Supervisory Authority

  • Each EU member state has a national data protection authority
  • Handles complaints, investigations, and enforcement actions
  • For cross-border processing, the lead authority is the one in the member state of the controller's or processor's main establishment

GDPR vs Other Frameworks

| Aspect | GDPR | ISO 27001 | SOC 2 |
|---|---|---|---|
| Scope | Personal data privacy | Information security management | Service organization controls |
| Geography | EU/EEA focused, global reach | International | Primarily US/global |
| Type | Legal regulation | Certification standard | Attestation report |
| Focus | Data subject rights | Risk management | Trust services criteria |
| Enforcement | Regulatory fines | Certification body audits | CPA attestation |
| Overlap | Security measures (Art. 32) | Many controls support GDPR | Privacy criteria align |

Implementation Approach

Phase 1: Discovery (Months 1-2)

  1. Data mapping — identify all personal data flows
  2. Legal basis audit — determine lawful basis for each processing activity
  3. Gap analysis — assess current state vs. GDPR requirements
  4. Stakeholder engagement — educate leadership on obligations

Phase 2: Foundation (Months 2-4)

  1. Privacy policy updates and creation
  2. Data Processing Agreements with all processors
  3. Records of Processing Activities (ROPA) documentation
  4. Consent management systems implementation

Phase 3: Controls and Processes (Months 4-6)

  1. Data subject rights handling procedures
  2. Data breach notification processes (supervisory authority within 72 hours of becoming aware of the breach; affected individuals without undue delay when the breach is likely to pose a high risk to them)
  3. Data Protection Impact Assessments (DPIA) framework
  4. Technical security measures implementation

Phase 4: Ongoing Compliance (Month 6+)

  1. Training and awareness programs for all staff
  2. Regular audits and compliance reviews
  3. Incident response testing and updates
  4. Documentation maintenance and updates

Common Challenges

1. Data Mapping Complexity

  • Challenge: Understanding all data flows across systems
  • Solution: Start with a department-by-department survey, then map system integrations

2. Consent Management

  • Challenge: Tracking and managing consent across touchpoints
  • Solution: Implement a centralized consent management platform
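Whatever platform is chosen, the core of a consent record is the same: one event per purpose per touchpoint, never overwritten, so that consent can be demonstrated (Art. 7(1)) and withdrawn as easily as it was given (Art. 7(3)). The following is an added example, not code from the page or from any consent-management product; the subject IDs, purposes, touchpoint names and timestamps are constructed.

```python
"""Append-only consent ledger: an added example, not code from the page or from any
consent-management product. Each grant or withdrawal is recorded per purpose and
touchpoint so consent can be demonstrated (Art. 7(1)) and withdrawn at any time
(Art. 7(3)). Subject IDs, purposes, touchpoints and timestamps are constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: str          # one specific purpose, never a bundle
    granted: bool         # True = consent given, False = withdrawn
    at: datetime
    source: str           # touchpoint: "web_signup", "mobile_app", "support_call", ...
    notice_version: str   # privacy notice shown when the choice was made


class ConsentLedger:
    """Events are only ever appended; the current state is derived, never overwritten."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def record(self, event: ConsentEvent) -> None:
        if event.at.tzinfo is None:
            raise ValueError("consent timestamps must be timezone-aware")
        self._events.append(event)

    def evidence(self, subject_id: str, purpose: str) -> List[ConsentEvent]:
        """Full audit trail for one subject/purpose, in time order regardless of arrival order."""
        return sorted(
            (e for e in self._events if e.subject_id == subject_id and e.purpose == purpose),
            key=lambda e: e.at,
        )

    def status(self, subject_id: str, purpose: str,
               at: Optional[datetime] = None) -> Optional[ConsentEvent]:
        """The event that determines consent state at time `at` (default: latest)."""
        trail = self.evidence(subject_id, purpose)
        if at is not None:
            trail = [e for e in trail if e.at <= at]
        return trail[-1] if trail else None

    def has_consent(self, subject_id: str, purpose: str,
                    at: Optional[datetime] = None) -> bool:
        """True only if the most recent event for this exact purpose is a grant.
        A grant for one purpose says nothing about any other purpose."""
        latest = self.status(subject_id, purpose, at)
        return latest is not None and latest.granted


def build_sample_ledger() -> ConsentLedger:
    """Constructed history: marketing consent given on the web, later withdrawn by phone."""
    utc = timezone.utc
    ledger = ConsentLedger()
    # Withdrawal recorded first to show that ordering is by timestamp, not arrival.
    ledger.record(ConsentEvent("u-42", "marketing_email", False,
                               datetime(2025, 2, 1, 10, 0, tzinfo=utc), "support_call", "v3"))
    ledger.record(ConsentEvent("u-42", "marketing_email", True,
                               datetime(2025, 1, 1, 9, 30, tzinfo=utc), "web_signup", "v3"))
    return ledger


if __name__ == "__main__":
    ledger = build_sample_ledger()
    print(ledger.has_consent("u-42", "marketing_email"))   # withdrawn by phone
    print(ledger.has_consent("u-42", "analytics"))         # never asked, so no consent
```

Two properties matter here: a withdrawal from any touchpoint overrides an earlier grant from any other touchpoint, and asking about a purpose that was never explicitly consented to returns false rather than inheriting consent from a related purpose.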

3. Cross-Border Transfers

  • Challenge: Transferring data outside the EU/EEA legally
  • Solution: Rely on an adequacy decision where one exists; otherwise use Standard Contractual Clauses (SCCs) or Binding Corporate Rules, backed by a transfer risk assessment of the destination country's laws

4. Data Subject Requests

  • Challenge: Responding to access, deletion, and portability requests within deadlines
  • Solution: Build automated workflows with clear escalation paths
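The deadlines behind these workflows (the one-month response window for data subject requests from the Right of Access section above, its two-month extension, and the 72-hour breach clock from Phase 3) are easy to state and easy to get wrong in code, especially around month ends. The following is an added example of the clock logic, not code from the page; the requests, timestamps and warning threshold are constructed, and the month-end clamp is a conservative interpretation rather than GDPR text.

```python
"""Statutory clocks for data subject requests and breach notification: an added
example, not code from the page. Deadlines follow Art. 12(3) (one month, extendable
by two further months for complex or numerous requests) and Art. 33(1) (supervisory
authority notified not later than 72 hours after becoming aware). The requests,
timestamps and warning threshold below are constructed."""
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


def add_months(d: datetime, months: int) -> datetime:
    """Same calendar day N months on, clamped to the last day of the target month.

    Assumption: a period of one month starting on 31 January ends on 28/29 February;
    this clamp is a conservative reading, not text of the GDPR."""
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return d.replace(year=year, month=month, day=day)


@dataclass
class DSAR:
    request_id: str
    received: datetime
    extended: bool = False               # extension invoked under Art. 12(3)
    completed: Optional[datetime] = None


def dsar_due(req: DSAR) -> datetime:
    """One month from receipt; three months in total if the extension was invoked."""
    return add_months(req.received, 3 if req.extended else 1)


def extension_notice_due(req: DSAR) -> datetime:
    """The data subject must be told about an extension within the first month."""
    return add_months(req.received, 1)


def breach_notification_due(became_aware: datetime) -> datetime:
    """Latest time to notify the supervisory authority (Art. 33(1))."""
    return became_aware + timedelta(hours=72)


def triage(requests: List[DSAR], now: datetime, warn_days: int = 7) -> Dict[str, str]:
    """Classify each request so overdue and near-deadline ones can be escalated."""
    status: Dict[str, str] = {}
    for req in requests:
        if req.completed is not None:
            status[req.request_id] = "closed"
            continue
        due = dsar_due(req)
        if now > due:
            status[req.request_id] = "overdue"
        elif due - now <= timedelta(days=warn_days):
            status[req.request_id] = "due_soon"
        else:
            status[req.request_id] = "on_track"
    return status


UTC = timezone.utc
# Constructed queue, evaluated at a fixed "now".
NOW = datetime(2025, 2, 25, 9, 0, tzinfo=UTC)
SAMPLE_REQUESTS = [
    DSAR("dsar-1", datetime(2025, 1, 31, 12, 0, tzinfo=UTC)),   # due 28 Feb (clamped)
    DSAR("dsar-2", datetime(2025, 1, 10, 12, 0, tzinfo=UTC)),   # due 10 Feb, missed
    DSAR("dsar-3", datetime(2025, 2, 20, 12, 0, tzinfo=UTC)),   # due 20 Mar
    DSAR("dsar-4", datetime(2025, 1, 5, 12, 0, tzinfo=UTC),
         completed=datetime(2025, 1, 20, 12, 0, tzinfo=UTC)),
    DSAR("dsar-5", datetime(2024, 12, 31, 12, 0, tzinfo=UTC), extended=True),  # due 31 Mar
]

if __name__ == "__main__":
    for rid, st in triage(SAMPLE_REQUESTS, NOW).items():
        print(rid, st)
```

`triage` is the escalation hook: anything marked `due_soon` or `overdue` should be routed to a named owner, and `extension_notice_due` is the separate, earlier deadline that is missed most often when a team decides late that a request is complex.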

Success Factors

  1. Leadership commitment to privacy as a core value
  2. Data mapping that covers all processing activities
  3. Privacy by design embedded in product development
  4. Regular training for all employees handling personal data
  5. Documented processes for data subject rights and breach response
  6. Ongoing monitoring and continuous improvement

Next Steps


This overview provides the foundation for understanding GDPR. For detailed implementation guidance, explore our comprehensive documentation.
