
Introduction to the General Data Protection Regulation (GDPR)
The General Data Protection Regulation (Regulation (EU) 2016/679), commonly known as GDPR, is an EU-wide legal framework for privacy and data protection. Adopted by the European Parliament and the Council of the European Union in April 2016 and applicable from 25 May 2018, it governs the processing of personal data relating to individuals (data subjects) in the European Economic Area (EEA) and reaches organisations both inside and outside the EU through its extraterritorial scope.
Historical Context and Scope
GDPR replaced the EU Data Protection Directive (Directive 95/46/EC) and, as a regulation rather than a directive, applies directly in every member state without national transposition, harmonising data protection law across Europe. It applies to data controllers and data processors established in the EEA, wherever the processing itself takes place, and to controllers and processors established elsewhere when their processing relates to offering goods or services to individuals in the EEA or to monitoring their behaviour there. Its stated aim is to protect the fundamental rights and freedoms of natural persons, in particular their right to the protection of personal data.
Adoption Date | Applicable From | Jurisdiction |
---|---|---|
14 April 2016 | 25 May 2018 | EU / EEA, with extraterritorial reach to organisations outside the EEA |
Key GDPR Principles
GDPR sets out essential principles for data processing, guiding organisations on how to lawfully handle personal data:
- Lawfulness, fairness and transparency: Processing must rest on a valid legal basis, be fair to the individuals concerned, and be transparent about what is done with their data.
- Purpose limitation: Data must be collected for specified, explicit purposes and not processed further in ways incompatible with those purposes.
- Data minimisation: Only data that is adequate, relevant and limited to what’s necessary should be collected.
- Accuracy: Organisations must ensure data is accurate and kept up to date.
- Storage limitation: Data should be kept in a form which permits identification for no longer than necessary.
- Integrity and confidentiality: Data must be processed in a way that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
- Accountability: The data controller is responsible for compliance with all of these principles and must be able to demonstrate that compliance.
Individual Rights Under GDPR
GDPR empowers individuals (data subjects) with distinct rights regarding their personal data. These rights are:
Right | Description |
---|---|
Right to access | Individuals can obtain confirmation and a copy of their personal data being processed. |
Right to rectification | Allows correction of inaccurate or incomplete data. |
Right to erasure (right to be forgotten) | Enables data subjects to have their data deleted under certain conditions. |
Right to restrict processing | Processing can be restricted in certain circumstances. |
Right to data portability | Permits individuals to receive the data they provided in a structured, commonly used and machine-readable format and to transmit it to another controller, where processing is based on consent or contract and carried out by automated means. |
Right to object | Individuals can object to data processing based on specific grounds. |
Rights in relation to automated decision-making | The right not to be subject to a decision based solely on automated processing, including profiling, that produces legal or similarly significant effects, subject to limited exceptions that must carry safeguards such as the right to obtain human intervention and to contest the decision. |
Organisational Obligations and Requirements
Organisations must comply with a range of duties under GDPR, including:
- Lawful Basis for Processing: Identify and document an appropriate legal basis for processing personal data, such as consent, contract, legal obligation, vital interests, public task, or legitimate interests.
- Obtaining valid consent: Where relied upon, consent must be freely given, specific, informed, and unambiguous.
- Appointment of a Data Protection Officer (DPO): Public authorities (other than courts acting in their judicial capacity), and organisations whose core activities involve regular and systematic monitoring of data subjects on a large scale or large-scale processing of special categories of data or criminal conviction data, must appoint a DPO.
- Data breach notification: Notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals' rights and freedoms; a late notification must state the reasons for the delay. Affected data subjects must be informed without undue delay when the breach is likely to result in a high risk to them.
- Documentation and record-keeping: Maintain records of processing activities as evidence of compliance.
- Privacy by design and by default: Integrate data protection into business processes and systems from the outset.
- Transparency and privacy policy: Clearly inform individuals about data practices via concise, accessible privacy policies.
Penalties and Enforcement
Supervisory authorities across the EU, such as national data protection regulators, are responsible for GDPR enforcement. Non-compliance can result in significant administrative fines:
Type of Infringement | Maximum Penalty |
---|---|
Lower tier (e.g. breaches of controller and processor obligations such as records of processing, security measures, breach notification, DPO appointment) | Up to EUR 10 million or 2% of total worldwide annual turnover of the preceding financial year (whichever is higher) |
Higher tier (e.g. breaches of the basic processing principles, conditions for consent, data subjects' rights, or international transfer rules) | Up to EUR 20 million or 4% of total worldwide annual turnover of the preceding financial year (whichever is higher) |
In addition to fines, organisations may face legal actions, reputational damage, and mandatory changes to data processing practices. Examples of enforcement include penalties for insufficient consent mechanisms and failing to report breaches on time.
Checklist: Steps for GDPR Compliance
- Identify if GDPR applies to your organisation’s personal data processing activities.
- Ensure a clear lawful basis exists for each processing activity.
- Update privacy policies to reflect GDPR requirements.
- Review consent mechanisms so that consent is requested clearly and separately, is freely given, specific and informed, and so that the organisation can demonstrate that it was obtained (Article 7).
- Appoint a Data Protection Officer if required.
- Maintain up-to-date records of processing activities (Article 30 records).
- Implement ‘privacy by design and by default’ into your systems and processes.
- Prepare protocols for data breach detection, reporting, and investigation.
- Train staff on GDPR requirements and data handling best practices.
- Assess cross-border data transfers and ensure appropriate safeguards are in place when transferring data to a third country.
Commonly Used GDPR Abbreviations
Abbreviation | Meaning |
---|---|
GDPR | General Data Protection Regulation |
DPO | Data Protection Officer |
EEA | European Economic Area |
EU | European Union |
UK GDPR | UK’s version of the GDPR post-Brexit |
DPIA | Data Protection Impact Assessment |
SCCs | Standard Contractual Clauses (for international transfers) |
Global Reach and International Implications
GDPR’s extraterritorial provisions mean that organisations outside the EU must comply if they offer goods or services to EEA residents or monitor their behaviour. Special rules apply to international data transfers to countries outside the EEA (third countries), including use of standard contractual clauses or adequacy decisions by the European Commission.
The UK GDPR mirrors the EU GDPR but is tailored to the domestic context post-Brexit. Organisations may need to comply with both UK and EU regulations if operating across these jurisdictions.
FAQs
Who does GDPR apply to?
GDPR applies to organisations established in the EEA that process personal data in the context of that establishment, wherever the processing itself takes place. It also applies to data controllers and data processors established outside the EEA when they offer goods or services to individuals in the EEA (whether or not payment is required) or monitor their behaviour within the EEA.
What are the main penalties for non-compliance with GDPR?
Penalties for non-compliance can reach up to EUR 20 million or 4 percent of total worldwide annual turnover, whichever is higher. Lower tier infringements carry fines of up to EUR 10 million or 2 percent of turnover, again whichever is higher. Authorities may also impose corrective measures such as warnings, reprimands, orders to bring processing into compliance, or temporary or permanent bans on processing.
What types of data does GDPR protect?
GDPR protects ‘personal data’: any information relating to an identified or identifiable natural person. This includes names, identification numbers, location data, online identifiers such as IP addresses and cookie IDs, and one or more factors specific to a person’s physical, physiological, genetic, mental, economic, cultural or social identity. Special categories of data (for example health, biometric or genetic data, or data revealing racial or ethnic origin, political opinions, religious beliefs or sexual orientation) receive additional protection.
What must organisations do in the event of a data breach?
Organisations must contain and assess the breach, notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals’ rights and freedoms, and inform affected data subjects without undue delay when the breach is likely to result in a high risk to them. A processor that discovers a breach must notify the controller without undue delay. All breaches, including those not reported to the authority, must be documented along with their effects and the remedial action taken.
What is the difference between a data controller and a data processor?
A data controller determines the purposes and means of processing personal data, whereas a data processor acts on behalf of, and only under the instructions of, the data controller.
How can organisations demonstrate GDPR compliance?
By implementing appropriate technical and organisational measures, maintaining documentation, training staff, performing data protection impact assessments, and cooperating with supervisory authorities when required.
How does GDPR affect organisations outside the EU?
Organisations outside the EU must comply with GDPR if they process the personal data of individuals in the EEA in connection with offering them goods or services, or with monitoring their behaviour. In many cases this also means designating a representative in the EU (Article 27) and meeting the cross-border data transfer requirements, such as relying on an adequacy decision or standard contractual clauses.