Overview
The General Data Protection Regulation (GDPR) is the European Union's comprehensive data protection law that took effect on May 25, 2018. It replaced the 1995 Data Protection Directive and established a single, unified framework for data protection across all EU member states. GDPR is widely regarded as the most influential privacy law in the world, and its principles have shaped data protection legislation on every continent.
GDPR is built on the premise that individuals have fundamental rights over their personal data. It places significant obligations on organizations that collect and process personal data, requiring transparency, accountability, and respect for individual autonomy.
Who Does It Apply To?
GDPR applies to:
- Any organization established in the EU that processes personal data, regardless of whether the processing takes place in the EU
- Any organization outside the EU that offers goods or services to individuals in the EU or monitors the behavior of individuals in the EU
- Both data controllers (organizations that determine the purposes and means of processing) and data processors (organizations that process data on behalf of controllers)
- Organizations of all sizes, though some obligations are scaled based on the nature and volume of processing
The extraterritorial reach of GDPR means that a company in any country can be subject to its requirements if it targets or monitors individuals in the EU, regardless of those individuals' nationality or residence. The same rules apply throughout the European Economic Area (Iceland, Liechtenstein, and Norway), not only the EU member states.
Key Requirements
Lawful Basis for Processing
Every instance of personal data processing must be justified by one of six lawful bases:
- Consent: The individual has given clear, affirmative consent for a specific purpose
- Contract: Processing is necessary for the performance of a contract with the individual
- Legal obligation: Processing is required to comply with a legal obligation
- Vital interests: Processing is necessary to protect the life or physical safety of the individual or another person
- Public task: Processing is necessary for a task carried out in the public interest or in the exercise of official authority
- Legitimate interests: Processing is necessary for the legitimate interests of the controller or a third party, except where those interests are overridden by the individual's interests or fundamental rights and freedoms
Transparency and Information
Organizations must provide clear, concise information about how they process personal data. This includes a privacy notice that explains the identity of the controller, the purposes of processing, the legal basis, data retention periods, and the individual's rights.
Data Protection by Design and Default
Organizations must integrate data protection measures into their systems and processes from the outset. Default settings must ensure that only personal data necessary for each specific purpose is processed.
Data Protection Impact Assessments
A DPIA is required before processing that is likely to result in a high risk to individuals' rights and freedoms. This includes large-scale processing of sensitive data, systematic monitoring, and automated decision-making with legal effects.
Data Protection Officer
Organizations must appoint a Data Protection Officer (DPO) when they are a public authority, carry out large-scale systematic monitoring, or process special categories of data on a large scale.
Breach Notification
Data breaches that pose a risk to individuals must be reported to the supervisory authority without undue delay and, where feasible, within 72 hours of the organization becoming aware of the breach; a late notification must be accompanied by the reasons for the delay. If the breach is likely to result in a high risk to individuals, those individuals must also be notified without undue delay. Breaches unlikely to result in any risk need not be reported, but every breach must be documented internally so the supervisory authority can verify compliance.
Cross-Border Data Transfers
Personal data may only be transferred outside the EU and EEA to countries that the European Commission has found to provide adequate protection, or where appropriate safeguards such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs) are in place. A narrow set of derogations for specific situations (for example, explicit consent to the transfer or necessity for a contract) applies only where neither an adequacy decision nor appropriate safeguards are available.
Individual Rights
GDPR grants individuals eight fundamental rights:
- Right to be informed: Receive clear information about how personal data is processed
- Right of access: Obtain a copy of all personal data held, along with information about how it is processed
- Right to rectification: Have inaccurate personal data corrected and incomplete data completed
- Right to erasure: Request deletion of personal data when it is no longer necessary, consent is withdrawn, or processing is unlawful
- Right to restrict processing: Limit how personal data is used while disputes about accuracy or lawfulness are resolved
- Right to data portability: Receive personal data in a structured, machine-readable format and transfer it to another controller
- Right to object: Object to processing based on legitimate interests or for direct marketing purposes
- Right related to automated decision-making: Not be subject to decisions based solely on automated processing that produce legal or significant effects, and request human intervention
Enforcement and Penalties
GDPR enforcement is carried out by national supervisory authorities in each EU member state, coordinated through the European Data Protection Board (EDPB):
- Lower tier fines: Up to 10 million euros or 2% of total worldwide annual turnover for the preceding financial year, whichever is higher, for violations related to data processing records, breach notification, DPIAs, DPO requirements, and data protection by design and by default
- Upper tier fines: Up to 20 million euros or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher, for violations of processing principles, lawful basis and consent conditions, individual rights, and cross-border transfer rules
- Notable enforcement actions: Amazon received a 746 million euro fine from Luxembourg's authority in 2021, Meta has faced multiple fines exceeding 1 billion euros collectively, including a 1.2 billion euro fine from Ireland's Data Protection Commission in 2023 over EU-US data transfers, and Google was fined 50 million euros by France's CNIL in 2019 for transparency and consent failures
- Corrective powers: Supervisory authorities can issue warnings, reprimands, orders to comply, temporary or permanent processing bans, and orders to rectify or erase data
How Apidly Helps
Apidly provides end-to-end GDPR compliance tools:
- Lawful basis documentation helps you identify and record the appropriate legal basis for each processing activity across your organization
- Data subject rights management automates the handling of access, rectification, erasure, portability, and objection requests within GDPR's one-month response window (extendable by up to two further months for complex or numerous requests)
- Consent management captures, stores, and manages consent records with full audit trails, supporting granular consent for different processing purposes
- Breach notification workflows guide you through the 72-hour reporting process to your supervisory authority and manage communications to affected individuals
- Cross-border transfer assessments evaluate transfer mechanisms and help you implement SCCs or other safeguards for international data flows
- DPIA templates and workflows streamline the impact assessment process for high-risk processing activities