GDPR (General Data Protection Regulation)
GDPR Explained: What Every Organization Handling EU Data Must Know in 2025
Definition: The General Data Protection Regulation (GDPR) is a comprehensive data protection law enacted by the European Union that came into force on May 25, 2018. It establishes the rights of EU individuals with respect to their personal data and defines the obligations of organizations that collect, process, store, or transmit that data. GDPR applies to any organization worldwide that processes the personal data of EU or EEA residents, regardless of where the organization itself is based.
GDPR represents the most extensive and influential data protection framework in the world. It has shaped privacy legislation globally, directly influencing the California Consumer Privacy Act (CCPA), Brazil’s LGPD, India’s DPDP Act, and dozens of other national data protection laws.
Who Does GDPR Apply To?
GDPR applies to you if:
- Your organization is established in the EU or EEA (European Economic Area), regardless of where data processing takes place.
- Your organization is established outside the EU but offers goods or services to EU residents.
- Your organization is established outside the EU but monitors the behavior of EU residents, including through tracking technologies like cookies or analytics.
Geographic location of the organization is irrelevant. What matters is whether you process personal data of EU residents. A US-based SaaS company with EU customers is subject to GDPR. A Japanese e-commerce platform selling to French consumers is subject to GDPR.
Key GDPR Definitions
- Personal Data: Any information that can identify a natural person directly or indirectly. This includes names, email addresses, IP addresses, phone numbers, biometric data, location data, and any combination of data points that together identify an individual.
- Data Subject: The natural person whose personal data is being processed. Your customers, employees, website visitors, and newsletter subscribers are all data subjects.
- Data Controller: The organization that determines the purposes and means of processing personal data. If you decide why and how to use your customers' data, you are the data controller.
- Data Processor: An organization that processes personal data on behalf of a data controller. Your cloud hosting provider, email marketing platform, or CRM vendor may be a data processor.
- Processing: Any operation performed on personal data, including collection, recording, storage, use, transfer, and deletion.
The Six Lawful Bases for Processing Personal Data
- Consent: The data subject has freely given, specific, informed, and unambiguous agreement to the processing. Consent must be actively granted (no pre-ticked boxes), and data subjects must be able to withdraw it at any time.
- Contract: Processing is necessary to perform a contract with the data subject, or to take pre-contractual steps at their request. Processing customer billing information to fulfill an order is processing on the basis of contract.
- Legal Obligation: Processing is necessary to comply with a legal obligation. Retaining employee payroll records to comply with tax law is processing on the basis of legal obligation.
- Vital Interests: Processing is necessary to protect someone's life. This is a narrow basis rarely applicable outside emergency healthcare scenarios.
- Public Task: Processing is necessary for a task carried out in the public interest or in the exercise of official authority. This basis primarily applies to public bodies.
- Legitimate Interests: Processing is necessary for the legitimate interests of the controller or a third party, unless those interests are overridden by the data subject's interests or rights. This is the most flexible basis but requires a documented balancing test to justify its use.
Individual Rights Under GDPR
- Right of Access (Article 15): Individuals can request confirmation of whether their data is being processed and access a copy of that data.
- Right to Rectification (Article 16): Individuals can request correction of inaccurate or incomplete personal data.
- Right to Erasure (Article 17): Also called the "right to be forgotten." Individuals can request deletion of their personal data under certain conditions.
- Right to Restrict Processing (Article 18): Individuals can request that processing of their data be restricted in certain circumstances.
- Right to Data Portability (Article 20): Individuals can request their data in a structured, machine-readable format and have it transferred to another controller.
- Right to Object (Article 21): Individuals can object to processing based on legitimate interests, direct marketing, or scientific research.
- Rights Related to Automated Decision-Making (Article 22): Individuals have the right not to be subject to solely automated decisions that produce significant effects, including profiling.
GDPR Obligations for Organizations
- Data Protection by Design and Default (Article 25): Privacy must be built into systems and processes from the outset, not added as an afterthought. Default settings must provide the highest level of privacy protection automatically.
- Data Protection Officer (Article 37): Certain organizations must appoint a Data Protection Officer (DPO): public bodies, organizations that systematically process personal data at large scale, and organizations that process special categories of data as a core activity.
- Data Protection Impact Assessments (DPIA) (Article 35): Before implementing processing activities likely to result in high risk to individuals (such as large-scale profiling or systematic monitoring), organizations must conduct a formal risk assessment.
- Breach Notification (Articles 33 and 34): Personal data breaches must be reported to the relevant supervisory authority within 72 hours of becoming aware of them. If the breach is likely to result in high risk to individuals, those individuals must also be notified directly.
- Records of Processing Activities (Article 30): Organizations must maintain documentation of all processing activities, including purposes, data categories, retention periods, and security measures.
- International Data Transfers (Chapter V): Transferring personal data outside the EU or EEA requires additional safeguards. Approved mechanisms include adequacy decisions, Standard Contractual Clauses (SCCs), and Binding Corporate Rules (BCRs).
GDPR Penalties
- Tier 1 (Lower severity violations): Fines of up to €10 million or 2% of global annual turnover, whichever is higher.
- Tier 2 (Higher severity violations): Fines of up to €20 million or 4% of global annual turnover, whichever is higher. Tier 2 applies to violations of core GDPR principles, consent requirements, data subject rights, and international transfer rules.
GDPR and Cybersecurity
GDPR has direct implications for your cybersecurity program. Article 32 requires organizations to implement “appropriate technical and organizational measures” to ensure security appropriate to the risk, including encryption of personal data, measures to ensure ongoing confidentiality and integrity, the ability to restore availability after incidents, and regular testing of security measures.
This means your encryption practices, access controls, DLP program, endpoint security posture, and incident response capabilities are all GDPR compliance requirements, not just security best practices.