What Is GDPR?
The General Data Protection Regulation (GDPR) is a European Union data privacy law that controls how organizations collect, process, and protect the personal data of people in the EU and European Economic Area. It was enacted in April 2016 and took effect on May 25, 2018. Violations carry fines up to EUR 20 million or 4% of global annual revenue, whichever is higher.
GDPR replaced the 1995 Data Protection Directive. That directive was written before cloud computing, social media, and cross-border data flows transformed how organizations handle personal information. The older framework could not keep up. GDPR introduced a single, directly applicable legal framework across all EU member states, replacing the patchwork of national laws that had made compliance difficult for multinational organizations.
Independent supervisory authorities (also called data protection authorities, or DPAs) in each EU/EEA country handle enforcement. The European Data Protection Board (EDPB) coordinates across borders, issues guidelines, and steps in when national authorities disagree.
Who Does GDPR Apply To?
GDPR applies to any organization worldwide that offers goods or services to people in the EU/EEA or monitors their behavior within the EU. Where the organization is headquartered does not matter. A U.S. e-commerce company selling to European customers falls under GDPR just as a Berlin-based startup does.
The regulation splits responsibilities into two roles. A data controller decides the purposes and means of processing personal data (the “why” and “how”). A data processor handles personal data on behalf of the controller. Both carry distinct GDPR obligations, but the controller bears primary accountability.
Key GDPR Terminology
GDPR defines several terms that come up throughout the regulation:
- Personal data: Any information tied to an identified or identifiable person. Names, email addresses, IP addresses, location data, cookie identifiers, biometric data. The definition is intentionally broad. Even pseudonymized data counts as personal data under GDPR.
- Data subject: The person whose data is being processed.
- Processing: Any operation on personal data, from collection and storage to analysis, sharing, and deletion.
- Data Protection Officer (DPO): A person appointed to oversee GDPR compliance, required when an organization’s core activities involve large-scale monitoring of individuals or processing of special category data.
- Data Protection Impact Assessment (DPIA): A risk evaluation required under Article 35 before any processing activity that is likely to create high risk to individuals’ rights.
What Are the Seven Principles of GDPR?
Article 5 of GDPR lays out seven principles that sit beneath every data processing requirement. Every policy, technical control, and organizational measure traces back to at least one of them.
The accountability principle stands out. GDPR does not just require compliance — it requires proof of compliance. Organizations must keep detailed records of what personal data they process, where it flows, who accesses it, and what safeguards protect it. This documentation requirement under Article 30 effectively makes continuous visibility into data governance practices mandatory.
GDPR Data Subject Rights
GDPR gives individuals eight rights over their personal data, set out in Articles 12 through 22. These rights shift the balance of power from organizations back to the people whose data is being processed.
Right to Erasure and the Right to Be Forgotten
The right to erasure, often called the “right to be forgotten,” is one of GDPR’s most cited provisions. Data subjects can request deletion when their data is no longer needed for its original purpose, when they withdraw consent, or when processing was unlawful. The right has limits. Organizations can refuse erasure when processing is needed for legal compliance, public health, archiving in the public interest, or defending legal claims.
Right to Data Portability
Data portability lets individuals receive their personal data in a common, machine-readable format such as CSV or JSON. The right applies only to data provided by the data subject and processed based on consent or a contract. For security teams, portability requests mean knowing exactly which data belongs to which person and extracting it without exposing anyone else’s information. That task demands strong data classification practices.
How Does GDPR Enforcement Work?
Each EU/EEA member state has a supervisory authority that enforces GDPR within its borders. For cross-border cases, a “lead supervisory authority” mechanism picks one DPA to coordinate. The EDPB resolves disputes between national authorities and issues binding decisions when DPAs disagree.
Enforcement has picked up speed since GDPR’s early years. The GDPR Enforcement Tracker shows roughly EUR 6.8 billion in cumulative fines across 2,785 enforcement actions since May 2018. The pace is not slowing down. DLA Piper’s January 2026 GDPR survey reported 443 breach notifications per day across European DPAs, a 22% increase year over year.
GDPR Penalty Tiers
GDPR creates two tiers of administrative fines under Article 83:
The fine is whichever amount is greater: the fixed sum or the revenue percentage. For large technology companies, the revenue-based calculation routinely produces penalties in the hundreds of millions.
Notable GDPR Fines
Real enforcement actions show how DPAs apply the penalty framework. Meta received the largest single GDPR fine to date: EUR 1.2 billion from the Irish Data Protection Commission in May 2023 for unlawful transfers of EU user data to the United States. TikTok received a EUR 530 million penalty from Ireland’s DPC in May 2025 for illegally transferring EEA user data to China and failing transparency obligations. WhatsApp Ireland was fined EUR 225 million by Ireland’s DPC in September 2021 for transparency failures.
Cross-border data transfers keep coming up. Insufficient legal basis for processing remains the costliest violation category, accounting for roughly EUR 3 billion across 835 fines according to the Enforcement Tracker.
GDPR vs. CCPA and Other Privacy Laws
GDPR is not the only major data privacy regulation, but it sets the global benchmark. The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), is the most prominent U.S. equivalent. The U.K. kept GDPR in domestic law after Brexit as the UK GDPR, with some regulatory differences expected under the Data Use and Access Act.
The core difference comes down to the consent model. GDPR requires a lawful basis before any processing starts. Consent is one of six options, alongside contract performance, legal obligation, vital interests, public task, and legitimate interests. CCPA defaults to allowing processing and gives consumers the right to opt out afterward. For organizations operating globally, this distinction shapes everything from cookie banners to backend data architectures. Multinational security teams that build their data protection programs around GDPR, the strictest of the three, often find they satisfy CCPA and UK GDPR as well.
Knowing where sensitive data lives is the first step for any privacy program. The Practical Guide to Modern DSPM shows how modern data discovery closes visibility gaps across endpoints, cloud, and SaaS environments.
How Does GDPR Affect Data Security Programs?
GDPR’s requirements reach well beyond legal and compliance teams. Article 32 requires organizations to adopt “appropriate technical and organizational measures” to protect personal data, scaled to the risk. For information security teams, the regulation creates specific operational demands that touch data discovery, monitoring, access controls, and incident response.
Technical Controls for GDPR Compliance
Article 32 names pseudonymization and encryption as recommended measures. In practice, organizations deploy several overlapping controls:
- Data discovery and mapping: Article 30 requires Records of Processing Activities (RoPA) that document every data flow. Automating this through data lineage technology replaces manual spreadsheet exercises that go stale within weeks.
- Data loss prevention (DLP): DLP tools monitor and block unauthorized transfers of personal data across email, cloud storage, messaging apps, and removable media. This directly supports Article 5(1)(f) integrity and confidentiality requirements.
- Access management: Role-based and attribute-based access controls limit personal data access to authorized personnel, enforcing least privilege.
- Data security posture management (DSPM): Continuous discovery of personal data across cloud, SaaS, and endpoint environments helps security teams find unprotected data stores before they become regulatory liabilities.
- Encryption and pseudonymization: Encrypting personal data at rest and in transit limits the damage from breaches. Under Article 34(3)(a), organizations that encrypt breached data may skip individual notification if the encryption makes the data unreadable, though notification to the supervisory authority under Article 33 still applies.
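The pseudonymization control above is easy to get wrong: a plain hash of an email address is not a pseudonym in any useful sense, because anyone who can guess the address can recompute the hash. The example below is added here and is not code from the page or from Cyberhaven. It uses a keyed HMAC-SHA256 so that the pseudonym is stable within one key (records for the same person still link together for analytics) but cannot be recomputed without the key, which is the "additional information" that Article 4(5) requires to be kept separately. The sample event records and the choice of HMAC-SHA256 are assumptions for illustration. As the page notes, pseudonymized data is still personal data under GDPR.

```python
import hashlib
import hmac
import secrets

# Constructed sample records (fictional addresses), as an application might log them.
SAMPLE_EVENTS = [
    {"email": "Alice@Example.com", "action": "login"},
    {"email": " alice@example.com ", "action": "download"},
    {"email": "bob@example.com", "action": "login"},
]


def new_pseudonymization_key() -> bytes:
    """Generate a random 256-bit key. Store it separately from the pseudonymized data
    (for example in a secrets manager) and rotate it per purpose or per period."""
    return secrets.token_bytes(32)


def pseudonymize(identifier: str, key: bytes) -> str:
    """Derive a stable pseudonym from a direct identifier with HMAC-SHA256.

    The identifier is normalised first so that case and whitespace differences in
    the same address produce the same pseudonym. Without the key, the pseudonym
    cannot be recomputed from a guessed identifier, unlike a plain hash.
    """
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def pseudonymize_events(events: list[dict], key: bytes) -> list[dict]:
    """Replace the email field with its pseudonym, keeping linkage and dropping identity."""
    return [
        {"subject": pseudonymize(event["email"], key), "action": event["action"]}
        for event in events
    ]


def distinct_subjects(pseudonymized_events: list[dict]) -> int:
    """Count distinct people in a pseudonymized dataset (the linkage analytics relies on)."""
    return len({event["subject"] for event in pseudonymized_events})


if __name__ == "__main__":
    key = new_pseudonymization_key()
    for row in pseudonymize_events(SAMPLE_EVENTS, key):
        print(row)
```

Because the key alone controls linkage, erasing the key for a given purpose makes every pseudonym derived under it unlinkable to its subject, which is one practical building block for honouring erasure requests in analytics stores that cannot be edited row by row.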
GDPR Compliance Best Practices
Meeting GDPR requirements is not a one-time project for any organization. The regulation demands ongoing proof of compliance, regular risk assessments, and continuous monitoring of processing activities. Treating GDPR as a checklist rather than an operational discipline is a common mistake, and an expensive one.
- Map personal data flows first. Before writing any policy, build a complete picture of what personal data the organization collects, where it lives, how it moves, and who touches it. Article 30’s RoPA requirement effectively mandates this exercise. The resulting data map becomes the foundation for every control that follows.
- Document a lawful basis for each processing activity. Article 6 defines six lawful bases: consent, contract performance, legal obligation, vital interests, public task, and legitimate interests. Each processing activity must be tied to one before data collection begins.
- Run DPIAs for high-risk processing. Any processing likely to create high risk (large-scale profiling, systematic monitoring, or handling sensitive categories like health or biometric data) requires a documented impact assessment under Article 35.
- Appoint a DPO when required. Organizations whose core activities involve regular, large-scale monitoring of data subjects, or large-scale processing of special category data, must designate a Data Protection Officer under Article 37.
- Test breach response capabilities. The 72-hour breach notification window under Article 33 demands pre-built playbooks, clear escalation paths, and automated detection. Tabletop exercises that simulate breach scenarios reveal gaps before a real incident does.
- Audit third-party processors. Article 28 requires formal data processing agreements with every vendor that handles personal data. Security teams should audit processors regularly and check that contractual safeguards hold up in practice.
Platforms such as Cyberhaven automate data flow mapping and enforce data loss prevention policies across endpoints and cloud services, giving security teams continuous visibility into where personal data lives and moves. That visibility is a prerequisite for demonstrating GDPR accountability.
As the EU AI Act layers new requirements on top of GDPR for organizations that process personal data through automated decision-making, the intersection of data privacy and AI governance is becoming a compliance priority. Organizations that build GDPR programs on continuous data visibility rather than periodic audits will be better positioned to absorb those evolving obligations.
Frequently Asked Questions
What Does GDPR Stand For?
GDPR stands for General Data Protection Regulation. It is Regulation (EU) 2016/679 of the European Parliament and Council, adopted April 27, 2016, and enforced since May 25, 2018. GDPR replaced the 1995 Data Protection Directive and created a single, directly applicable data privacy framework across all EU and EEA member states.
How Does GDPR Apply to US Companies?
GDPR applies to any organization, regardless of location, that offers goods or services to people in the EU/EEA or monitors their behavior within the EU. A U.S. company with no physical presence in Europe still falls under GDPR if it targets European customers through its website, accepts euros, or tracks EU visitors with cookies and analytics. Non-compliance exposes U.S. organizations to the same fines as EU-based entities.
What Is the Maximum GDPR Fine?
The maximum fine is EUR 20 million or 4% of total worldwide annual revenue from the prior financial year, whichever is higher. The largest single fine to date is EUR 1.2 billion, levied against Meta by the Irish Data Protection Commission in May 2023 for unlawful EU-to-US data transfers. DPAs can also order processing bans, which are sometimes more disruptive than financial penalties.
What Is a Data Protection Officer Under GDPR?
A Data Protection Officer (DPO) is a person designated under Article 37 to oversee an organization’s data protection strategy and compliance. Appointing a DPO is mandatory when core activities involve regular, large-scale monitoring of data subjects, or large-scale processing of special category data such as health records or biometric identifiers. The DPO must operate independently and report directly to senior management.
How Does GDPR Differ From CCPA?
Both regulations aim to protect personal data, but the design is fundamentally different. GDPR requires a lawful basis — often consent — before processing begins. CCPA allows processing by default and gives consumers the right to opt out. GDPR covers all individuals in the EEA regardless of the organization’s size. CCPA applies only to businesses that meet minimum revenue or data-volume thresholds. Fines under GDPR scale to 4% of global revenue. CCPA penalties run $2,500 to $7,500 per violation.