
General Data Protection Regulation

The European Union's comprehensive framework for personal data protection

Established: 2016 (effective May 2018)
Last Updated: 2018 (ongoing interpretive guidance)
Scope: European Union / Global reach
Maximum Fine: €20M or 4% of global annual turnover

// What is GDPR?

GDPR is the European Union's comprehensive data protection regulation, establishing rights for individuals regarding their personal data and obligations for organizations that collect, process, or store that data. The regulation applies not only to EU-based organizations but to any entity worldwide that processes personal data of EU residents.

The regulation fundamentally shifted the global privacy landscape, establishing data protection as a fundamental right and introducing concepts like privacy by design, data protection impact assessments, and mandatory breach notification. GDPR's extraterritorial reach means US companies serving EU customers must comply.

Enforcement has been substantial, with supervisory authorities across EU member states issuing billions in fines since 2018. Major technology companies have faced the largest penalties, but enforcement extends to organizations of all sizes.

// Inside the Regulation

GDPR establishes principles for lawful data processing, rights for data subjects, and specific obligations for data controllers and processors. Understanding these components is essential for compliance.

1. Data Processing Principles (Article 5)

Seven fundamental principles governing all personal data processing activities.

Lawfulness, Fairness, Transparency

Processing must have a legal basis, be fair to data subjects, and be transparent about how data is used.

Purpose Limitation

Data collected for specified purposes cannot be processed in ways incompatible with those purposes.

Data Minimization

Only collect and process data that is adequate, relevant, and limited to what's necessary.

Accuracy

Personal data must be accurate and kept up to date; inaccurate data must be erased or rectified.

Storage Limitation

Data should be kept only as long as necessary for the purposes for which it was collected.

Integrity and Confidentiality

Process data securely, protecting against unauthorized access, loss, or destruction.

Accountability

Controllers must demonstrate compliance with all principles.

2. Lawful Bases for Processing (Article 6)

Organizations must establish at least one lawful basis before processing personal data.

Consent

Freely given, specific, informed, and unambiguous indication of agreement. Must be as easy to withdraw as to give.

Contract

Processing necessary for performance of a contract with the data subject.

Legal Obligation

Processing necessary to comply with a legal obligation.

Vital Interests

Processing necessary to protect someone's life.

Public Task

Processing necessary for official functions or tasks in the public interest.

Legitimate Interests

Processing necessary for legitimate interests, balanced against data subject rights.

3. Data Subject Rights (Articles 12-23)

GDPR grants individuals significant rights over their personal data that organizations must honor.

Right of Access

Individuals can request confirmation of processing and access to their personal data.

Right to Rectification

Individuals can request correction of inaccurate personal data.

Right to Erasure

The 'right to be forgotten'—individuals can request deletion under certain circumstances.

Right to Data Portability

Individuals can receive their data in a structured, machine-readable format.

Right to Object

Individuals can object to processing based on legitimate interests or for direct marketing.

4. Security and Breach Notification (Articles 32-34)

Technical and organizational security measures, plus mandatory breach notification requirements.

Security of Processing

Implement appropriate technical and organizational measures: pseudonymization, encryption, confidentiality, resilience, recovery, and regular testing.

Breach Notification to Authority

Notify supervisory authority within 72 hours of becoming aware of a personal data breach, unless unlikely to result in risk.

Breach Notification to Individuals

Notify affected individuals without undue delay when breach is likely to result in high risk to their rights.

Note: GDPR's extraterritorial scope means US organizations processing EU resident data must comply. This includes any company offering goods/services to EU residents or monitoring their behavior, regardless of where the company is located.

// Who Must Comply

  1. Organizations established in the EU processing personal data
  2. Organizations outside the EU offering goods/services to EU residents
  3. Organizations monitoring the behavior of EU residents
  4. Data processors handling personal data on behalf of controllers
  5. Any organization with employees, customers, or contacts in the EU

// Key Requirements

Records of Processing

Maintain detailed records of processing activities including purposes, categories, recipients, and safeguards

Security Measures

Implement appropriate technical and organizational measures to ensure data security

Breach Notification

Notify the supervisory authority within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals

Data Protection Officer

Appoint a DPO if the organization is a public authority, carries out large-scale regular and systematic monitoring of individuals, or processes special category data on a large scale

Impact Assessments

Conduct DPIAs for high-risk processing activities before beginning processing

Privacy by Design

Integrate data protection into processing activities and business practices from the start

// Enforcement & Penalties

GDPR establishes a two-tiered penalty structure with some of the highest potential fines in data protection law. Supervisory authorities consider factors including nature of infringement, intentional character, mitigation measures, and prior violations.

Maximum Penalty

€20 million or 4% of global annual turnover (whichever is higher)

Examples:

  • Amazon - €746 million for targeted advertising violations (Luxembourg, 2021)
  • Meta/Facebook - €1.2 billion for EU-US data transfers (Ireland, 2023)
  • Google - €50 million for lack of transparency and valid consent (France, 2019)
  • H&M - €35 million for employee surveillance (Germany, 2020)

// Cyber Insurance Impact

Cyber insurers evaluate GDPR compliance for organizations with EU exposure. Policies increasingly include specific GDPR coverage for regulatory fines (where insurable), defense costs, and breach response expenses. Non-compliance can result in coverage exclusions or policy voidance for EU-related incidents.

// How Breach Craft Helps

We help organizations achieve GDPR compliance through genuine security improvements—not checkbox exercises. Our services address the specific requirements and challenges of GDPR.

Ready to Strengthen Your Defenses?

Schedule a free consultation with our security experts to discuss your organization's needs.

Or call us directly at (445) 273-2873