If you handle the personal data of anyone in Europe, GDPR is probably the most important privacy law you need to understand — and it applies whether your business sits in Berlin, Boston or Bangalore. This guide explains what GDPR compliance actually means, who it applies to, the principles and rights it is built on, and the practical steps to meet it.
We’ll keep it concrete and jargon-light, and link out to deeper guides on each topic so you can go as far down the rabbit hole as you need.
What is GDPR, in plain terms?
The General Data Protection Regulation (GDPR) is the European Union’s data protection law — formally Regulation (EU) 2016/679. It took effect on 25 May 2018, replacing the 1995 Data Protection Directive, and it sets out how organisations must collect, use, store and protect the personal data of people in the EU and the European Economic Area (EEA).
GDPR compliance simply means meeting those obligations: having a valid reason to process personal data, being transparent about how you use it, keeping it secure, honouring people’s rights over their own information, and being able to prove all of this on request. It is less a one-off certificate than an operating standard — a way of running your business so that personal data is handled lawfully and responsibly by default.
What counts as “personal data”?
GDPR protects personal data: any information relating to an identified or identifiable living person (the “data subject”). That is a deliberately broad definition. It covers the obvious — names, email addresses, phone numbers, postal addresses — but also online identifiers such as IP addresses, cookie IDs, device identifiers, and location data, because these can single out an individual even without a name attached.
A subset known as special category data is treated with extra care: data revealing racial or ethnic origin, political opinions, religious beliefs, trade-union membership, genetic and biometric data, health information, and data about a person’s sex life or sexual orientation. Processing this kind of data is prohibited unless a specific additional condition applies. If you want to go deeper, see our guide on what is personal data under GDPR.
Who has to comply with GDPR?
One of the most misunderstood points about GDPR is geography. The law has extraterritorial reach: under Article 3 it applies not only to organisations established in the EU, but to any organisation anywhere in the world that either offers goods or services to people in the EU/EEA or monitors their behaviour — for example through analytics, advertising or tracking.
In practice that means a SaaS company in the United States, an e-commerce store in India, or a consultancy in Singapore can all be caught by GDPR the moment they have EU customers, users or website visitors. If you are unsure where you stand, our explainer on who GDPR applies to walks through the scope tests in detail, and GDPR for US companies covers the cross-border angle.
The 7 principles at the heart of GDPR
Article 5 sets out seven principles that underpin everything else in the regulation. Every decision you make about personal data should trace back to them.
| Principle | What it means in practice |
|---|---|
| Lawfulness, fairness & transparency | Process data only with a valid legal basis, never deceptively, and tell people clearly what you do with their data. |
| Purpose limitation | Collect data for specified, explicit purposes and don’t reuse it in ways that are incompatible with those purposes. |
| Data minimisation | Collect only the data you actually need — nothing “just in case.” |
| Accuracy | Keep data correct and up to date; correct or erase inaccurate data without delay. |
| Storage limitation | Keep data only as long as you need it, then delete or anonymise it. |
| Integrity & confidentiality | Protect data with appropriate security — encryption, access controls, and resilience against breaches. |
| Accountability | Be able to demonstrate compliance with all of the above through records, policies and evidence. |
Accountability is the principle that turns GDPR from a checklist into a discipline: it is not enough to comply; you must be able to prove it. Our guide to the 7 principles of GDPR explores each one with examples.
You need a lawful basis to process data
Under Article 6, you cannot process personal data simply because it is convenient. You must identify one of six lawful bases before you begin, and document which one applies to each activity.
| Lawful basis | Typical use |
|---|---|
| Consent | Marketing emails, optional cookies — freely given, specific, informed and revocable. |
| Contract | Processing needed to deliver a product or service the person asked for. |
| Legal obligation | Retaining records to satisfy tax, employment or other laws. |
| Vital interests | Protecting someone’s life — rare, mainly emergencies. |
| Public task | Functions carried out in the public interest or under official authority. |
| Legitimate interests | Reasonable business uses that don’t override the person’s rights — requires a balancing test. |
Consent gets the most attention, but it is often not the easiest basis to rely on because it must be freely given and just as easy to withdraw. See what counts as valid consent for the detail.
The rights GDPR gives individuals
GDPR shifts control toward the individual by granting eight data subject rights. You must have processes to honour them, usually within one month of a request:
- The right to be informed about how their data is used.
- The right of access — to obtain a copy of their data (a subject access request).
- The right to rectification of inaccurate data.
- The right to erasure — the right to be forgotten.
- The right to restrict processing.
- The right to data portability — to receive and reuse their data elsewhere.
- The right to object to processing, including direct marketing.
- Rights related to automated decision-making and profiling.
Failing to handle these requests properly is one of the most common triggers for complaints to regulators, so building a reliable workflow is essential rather than optional.
Key roles and obligations
GDPR distinguishes between a data controller — the organisation that decides why and how data is processed — and a data processor, which processes data on the controller’s behalf (think cloud providers and SaaS vendors). The distinction matters because it determines who is responsible for what; see controller vs processor.
Beyond roles, compliant organisations typically maintain a Record of Processing Activities (RoPA) under Article 30, run a Data Protection Impact Assessment (DPIA) for high-risk processing under Article 35, put a Data Processing Agreement (DPA) in place with every processor, and — where required — appoint a Data Protection Officer. Crucially, you must report a qualifying personal data breach to your supervisory authority within 72 hours of becoming aware of it.
What happens if you get it wrong?
GDPR is enforced by national supervisory authorities (such as Ireland’s DPC or France’s CNIL), and the penalties are deliberately significant. Fines are structured in two tiers:
- Lower tier: up to €10 million or 2% of total worldwide annual turnover, whichever is higher — for issues such as inadequate records or failing to notify a breach.
- Higher tier: up to €20 million or 4% of total worldwide annual turnover, whichever is higher — for breaching the core principles, lawful basis requirements, or data subject rights.
Because the cap is tied to global turnover, the largest fines have reached hundreds of millions of euros. But the financial penalty is often not the worst of it: reputational damage, lost enterprise deals, and the cost of remediation frequently dwarf the fine itself. Our breakdown of GDPR fines and penalties covers how regulators decide amounts.
How to become GDPR compliant
Reaching compliance is methodical rather than mysterious. Most organisations work through the same core steps:
- Map your data. Document what personal data you hold, where it lives, why you have it, and who you share it with.
- Establish a lawful basis for every processing activity and record it.
- Update your privacy notice so people know what you do with their data.
- Fix consent and cookies. Make consent genuine and get cookie consent right.
- Tighten security — encryption, access control, monitoring — and put DPAs in place with processors.
- Enable data subject rights with a documented request workflow.
- Prepare for breaches with a 72-hour response plan, and maintain compliance through regular reviews.
For a structured walkthrough, follow our step-by-step guide to becoming GDPR compliant and the free GDPR compliance checklist.
How ISpectra helps you get — and stay — compliant
GDPR rewards organisations that treat data protection as an ongoing practice, not a box-ticking exercise. That is exactly where a specialist partner earns its keep. ISpectra Technologies helps companies map their data, choose and document lawful bases, draft privacy notices and processor agreements, implement the security controls Article 32 expects, and stand up the breach-response and data-subject-request processes that keep you compliant after day one. Because GDPR overlaps heavily with frameworks like ISO 27001 and SOC 2, we can also help you sequence them so you never pay twice for the same work.