The General Data Protection Regulation (GDPR) is the European Union's comprehensive data protection law. It sets binding rules for how organizations collect, use, store, share, and protect the personal data of individuals in the EU and the wider European Economic Area (EEA). Adopted on 27 April 2016, it has applied directly across all EU member states since 25 May 2018, replacing the 1995 Data Protection Directive.

The GDPR applies to any organization that processes the personal data of people in the EU/EEA — including companies based outside the EU that offer goods or services to, or monitor the behavior of, people in the region. It matters because non-compliance carries some of the steepest penalties in data protection law: fines of up to €20 million or 4% of global annual turnover, whichever is higher.

What is the GDPR?

The GDPR is Regulation (EU) 2016/679, a directly applicable EU law that protects natural persons with regard to the processing of their personal data. As a regulation (not a directive), it applies uniformly across all EU member states without requiring national implementing legislation, though member states retain some flexibility in specific areas.

It covers personal data — any information relating to an identified or identifiable living individual — and regulates the activities of two main actors:

  • Controllers — those who determine the purposes and means of processing.
  • Processors — those who process data on a controller’s behalf.

Special categories of data (e.g. health, biometric, racial or ethnic origin, religious belief, sexual orientation) receive heightened protection under Article 9.

Who must comply with the GDPR?

The GDPR’s territorial scope is set by Article 3 and reaches well beyond EU borders. It applies to:

  • Establishment test (Art. 3(1)): Organizations with an establishment in the EU that process personal data in the context of that establishment’s activities — regardless of whether the processing itself happens inside or outside the EU.
  • Targeting test (Art. 3(2)): Organizations not established in the EU, where they (a) offer goods or services to people in the EU (paid or free), or (b) monitor the behavior of people in the EU.

In practice this means a business anywhere in the world can fall under the GDPR if it markets to, or tracks, individuals located in the EU/EEA. Non-EU controllers and processors caught by the targeting test must generally appoint an EU representative under Article 27.

What are the GDPR's core principles?

Article 5 sets out seven principles that govern all processing of personal data:

  • Lawfulness, fairness and transparency — processing must have a valid legal basis and be clear to individuals.
  • Purpose limitation — data is collected for specified, explicit, legitimate purposes and not used incompatibly.
  • Data minimisation — collect only what is adequate, relevant, and necessary.
  • Accuracy — keep data accurate and up to date.
  • Storage limitation — keep data in identifiable form no longer than necessary.
  • Integrity and confidentiality — ensure appropriate security against unauthorized or unlawful processing and accidental loss.
  • Accountability — the controller must be able to demonstrate compliance with all of the above.

Processing also requires a lawful basis under Article 6: consent, contract, legal obligation, vital interests, public task/official authority, or legitimate interests.

What rights do individuals have under the GDPR?

The GDPR grants data subjects a set of enforceable rights (Chapter 3, Articles 12–22):

  • Right of access (Art. 15) — obtain confirmation and a copy of their data.
  • Right to rectification (Art. 16) — correct inaccurate or incomplete data.
  • Right to erasure / ‘right to be forgotten’ (Art. 17).
  • Right to restriction of processing (Art. 18).
  • Right to data portability (Art. 20) — receive data in a structured, machine-readable format.
  • Right to object (Art. 21) — including to direct marketing.
  • Rights related to automated decision-making and profiling (Art. 22).

Controllers must generally respond to requests without undue delay and within one month, extendable by two further months for complex requests.

What are the key dates for the GDPR?

  • 27 April 2016 — Regulation (EU) 2016/679 adopted by the European Parliament and Council.
  • 24 May 2016 — entered into force (20 days after publication in the Official Journal).
  • 25 May 2018 — date of application; the GDPR became enforceable across the EU/EEA, repealing the 1995 Data Protection Directive (95/46/EC).

The two-year gap between entry into force and application gave organizations a transition period to prepare. There is no separate “phase-in” of obligations — all requirements applied from 25 May 2018.

What are the penalties for GDPR non-compliance?

Article 83 establishes a two-tier administrative fine structure, with the amount calculated as the higher of a fixed sum or a percentage of worldwide turnover:

  • Lower tier (Art. 83(4)) — up to €10 million or 2% of total worldwide annual turnover of the preceding financial year. Applies to obligations such as records of processing, data protection by design, and breach notification failures.
  • Higher tier (Art. 83(5)) — up to €20 million or 4% of total worldwide annual turnover. Applies to infringements of the basic principles, conditions for consent, data subject rights, and rules on international transfers.

Fines must be “effective, proportionate and dissuasive,” and supervisory authorities weigh factors including the nature, gravity, and duration of the infringement, whether it was intentional, and mitigation efforts. Individuals can also seek compensation for material or non-material damage (Art. 82), and member states may impose additional national penalties.

How should organizations prepare for the GDPR?

While compliance is fact-specific, common foundational steps include:

  • Map your data — know what personal data you hold, where it comes from, where it goes, and why.
  • Establish a lawful basis for each processing activity and document it.
  • Maintain records of processing activities (Art. 30) where required.
  • Update privacy notices to meet the transparency requirements of Articles 13–14.
  • Build processes for data subject rights requests within statutory timeframes.
  • Implement security measures appropriate to the risk (Art. 32) and a breach response plan to meet the 72-hour notification rule (Art. 33).
  • Conduct Data Protection Impact Assessments (DPIAs) for high-risk processing (Art. 35).
  • Appoint a Data Protection Officer (DPO) where required (Art. 37), and put data processing agreements in place with processors (Art. 28).

Frequently asked questions

When did the GDPR come into effect?

The GDPR was adopted on 27 April 2016 and entered into force on 24 May 2016, but it became applicable and enforceable on 25 May 2018. That is the date organizations had to be compliant by.

What is the maximum GDPR fine?

Up to €20 million or 4% of total worldwide annual turnover of the preceding financial year, whichever is higher, for the most serious infringements (Art. 83(5)). A lower tier caps at €10 million or 2% of turnover (Art. 83(4)).

Does the GDPR apply to companies outside the EU?

Yes. Under Article 3, the GDPR applies to non-EU organizations that offer goods or services to people in the EU/EEA, or monitor the behavior of people in the EU/EEA, even if the company has no physical presence in Europe.

What counts as personal data under the GDPR?

Any information relating to an identified or identifiable living individual — for example a name, ID number, location data, online identifier, or factors specific to a person’s physical, physiological, genetic, mental, economic, cultural, or social identity. Sensitive ‘special category’ data has extra protections under Article 9.

How quickly must a data breach be reported under the GDPR?

Controllers must notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a personal data breach (Art. 33), unless the breach is unlikely to result in a risk to individuals. If it is likely to result in a high risk, affected individuals must also be informed (Art. 34).

What are the six lawful bases for processing personal data?

Under Article 6: consent, contract, legal obligation, vital interests, public task (official authority), and legitimate interests. At least one must apply to every processing activity, and the chosen basis should be identified and documented before processing begins.

Official sources