GDPR

What Is GDPR?

GDPR is a European Union regulation that governs how organizations collect, store, process, and share personal data belonging to people in the EU. It took effect on May 25, 2018, replacing the older Data Protection Directive, and it raised the stakes dramatically: companies that violate GDPR face fines of up to 4% of annual global revenue or 20 million euros, whichever is higher.

The regulation applies to any organization that processes personal data of EU residents, regardless of where that organization is based. A SaaS company in San Francisco with European customers? GDPR applies. A mobile app available in EU app stores? GDPR applies. A US employer with staff in Germany? GDPR applies to that employee data too.

This extraterritorial reach is what makes GDPR different from most other privacy laws. You can't avoid it by not having offices in Europe.

Key Concepts You Need to Understand

Personal data under GDPR is defined broadly. It's any information that can identify a person, directly or indirectly. Names, email addresses, IP addresses, cookie IDs, location data, even online behavior patterns. If you can link it to a person, it's personal data.

Data controllers decide why and how personal data is processed. If you collect customer data for your own purposes, you're a controller.

Data processors handle data on behalf of a controller. Your email service provider, cloud hosting company, or analytics vendor are processors.

Data subjects are the people whose data is being processed. They have specific rights under GDPR (more on that below).

The controller-processor distinction matters because your obligations differ depending on which role you play, and you might be both for different data sets.

The Core Principles

GDPR is built on seven principles that guide everything else:

1. Lawfulness, fairness, and transparency. You need a legal basis for processing data, and you must be upfront about what you're doing with it.
2. Purpose limitation. Collect data for a specific, stated purpose. Don't repurpose it later for something the person wouldn't expect.
3. Data minimization. Only collect what you actually need. No hoarding "just in case."
4. Accuracy. Keep data up to date. Give people ways to correct errors.
5. Storage limitation. Don't keep data longer than necessary. Define retention periods and stick to them.
6. Integrity and confidentiality. Protect data with appropriate security measures.
7. Accountability. You must be able to demonstrate compliance, not just claim it.

Data Subject Rights

GDPR gives individuals specific rights over their data. Organizations must be able to respond to these requests, typically within 30 days:

• Right of access. People can request a copy of all personal data you hold about them.
• Right to rectification. They can ask you to correct inaccurate data.
• Right to erasure ("right to be forgotten"). They can request deletion of their data in certain circumstances.
• Right to restrict processing. They can ask you to stop using their data while a complaint is being resolved.
• Right to data portability. They can request their data in a machine-readable format to transfer to another service.
• Right to object. They can object to processing based on legitimate interests, including direct marketing.
• Rights related to automated decision-making. They can request human review of decisions made solely by algorithms.

Handling these requests at scale is one of the biggest operational challenges of GDPR compliance. A single "right to erasure" request might require deleting data across 15 different systems, backups included.

Legal Bases for Processing

You can't process personal data without a legal basis. GDPR provides six:

• Consent. The person explicitly agreed. Must be freely given, specific, informed, and revocable. Pre-checked boxes don't count.
• Contract. Processing is necessary to fulfill a contract with the person (e.g., shipping an order).
• Legal obligation. You're required by law to process the data (e.g., tax reporting).
• Vital interests. Processing is needed to protect someone's life. Rarely applicable in business contexts.
• Public task. Processing is necessary for a task in the public interest. Mainly relevant to government bodies.
• Legitimate interests. You have a legitimate business reason, and it doesn't override the person's privacy rights. This is the most flexible basis, but also the most contested. You need to document a Legitimate Interest Assessment.

Most companies rely on consent (for marketing), contract (for service delivery), and legitimate interests (for analytics, fraud prevention, security). Getting the legal basis wrong is a common and expensive mistake.

What Compliance Looks Like in Practice

Data mapping. Before anything else, you need to know what personal data you collect, where it lives, how it flows, who accesses it, and how long you keep it. This exercise is called a Record of Processing Activities (ROPA) and it's mandatory under Article 30 for most organizations.

Privacy notices. Your privacy policy needs to be clear, specific, and actually readable. It must explain what data you collect, why, how long you keep it, who you share it with, and how people can exercise their rights. Generic copy-paste privacy policies are a red flag.

Consent management. If you rely on consent as your legal basis, you need mechanisms to collect, record, and manage it. Cookie consent banners are the most visible example, but consent management extends to email marketing, data sharing with partners, and more.

Data Processing Agreements (DPAs). Every processor you share data with needs a DPA in place. This is GDPR's equivalent of HIPAA's BAA. It must define the scope of processing, security obligations, sub-processor approval rights, and breach notification requirements.

Data Protection Impact Assessments (DPIAs). Required for processing that's likely to result in high risk to individuals. Examples: large-scale profiling, systematic monitoring of public areas, processing sensitive data at scale.

Appointing a DPO. A Data Protection Officer is required if you're a public body, if your core activities involve large-scale monitoring of individuals, or if you process sensitive data at scale. Even when not required, many companies appoint one voluntarily.

Breach notification. You must notify your supervisory authority within 72 hours of becoming aware of a breach affecting personal data. If the breach poses high risk to individuals, you must also notify them directly.

Cross-Border Data Transfers

Transferring personal data outside the EU requires a legal mechanism. The options:

• Adequacy decisions. The EU has recognized certain countries as providing adequate data protection (UK, Japan, South Korea, Canada for commercial data, and as of July 2023, the US under the EU-US Data Privacy Framework).
• Standard Contractual Clauses (SCCs). Pre-approved contract templates for transfers to non-adequate countries.
• Binding Corporate Rules (BCRs). Internal policies for multinational companies transferring data within their corporate group.

The EU-US data transfer situation has been turbulent. The Safe Harbor agreement was struck down in 2015, Privacy Shield was invalidated in 2020, and the current Data Privacy Framework faces ongoing legal challenges. Companies transferring EU data to the US should have backup mechanisms in place.

Enforcement and Fines

GDPR fines have been substantial. Some notable ones:

• Amazon: 746 million euros (Luxembourg, 2021)
• Meta/Instagram: 405 million euros (Ireland, 2022)
• Meta/Facebook: 1.2 billion euros (Ireland, 2023) for US data transfers
• TikTok: 345 million euros (Ireland, 2023) for children's data processing

Smaller fines happen frequently too. In 2024, European data protection authorities collectively issued over 2 billion euros in fines. The trend is toward larger penalties and more aggressive enforcement.

What It Costs

GDPR compliance costs depend heavily on your data footprint and organizational complexity:

• Small SaaS company (under 50 employees): $10,000-$30,000 for initial compliance setup
• Mid-size company: $30,000-$100,000
• Enterprise or high-data-volume organizations: $100,000-$500,000+
• Ongoing annual costs: $10,000-$50,000 (DPO salary or outsourced DPO, tool subscriptions, legal reviews, training)

The biggest expense for most companies isn't the tools or consulting. It's the internal effort to map data flows, update processes, retrain staff, and build infrastructure for handling data subject requests.

How Compliance Tools Help

Compliance automation platforms help with GDPR in several ways: mapping data flows across your infrastructure, managing consent records, tracking processing activities, automating data subject request workflows, and maintaining evidence for accountability requirements.

They won't write your privacy policy or make legal judgments about your basis for processing. But they handle the operational burden of continuous compliance: monitoring data practices, flagging new data stores that appear in your infrastructure, and keeping your ROPA current as your systems evolve. All 17 tools in our database support GDPR.

Common Mistakes

Cookie consent theater. Implementing a cookie banner that doesn't actually block cookies until consent is given. Many banners are purely decorative, which regulators have caught on to. France's CNIL has fined multiple companies specifically for non-functional consent mechanisms.

Using consent when you should use legitimate interests (or vice versa). Consent must be revocable, which creates operational headaches. If legitimate interests is a valid basis for your processing, it's often the better choice. But you need to document the assessment properly.

Ignoring processor obligations. Even if you're "just" a processor, GDPR imposes direct obligations on you: security measures, breach notification, maintaining processing records, cooperating with supervisory authorities. Processors can and do get fined.

No plan for data subject requests. When someone exercises their right to erasure or access, you need to respond within 30 days. Without a system for finding and deleting data across all your systems, this becomes a fire drill every time.

Treating GDPR as a one-time project. Data flows change as you add tools, partners, and features. New processing activities need new legal bases and updated records. Compliance requires ongoing attention, not just an initial setup.