The General Data Protection Regulation, or GDPR, is the European privacy legislation that protects the personal information of people in the European Union.
Enacted in 2018, the GDPR comprises several key pillars designed to protect consumers. Although these data privacy regulations are written for people in the EU, they apply to any business that interacts with consumers in the EU. For companies in the U.S. and other parts of the world that conduct business in Europe, understanding the GDPR's requirements remains essential.
What are GDPR regulations?
What are my GDPR rights?
What happens if you violate European privacy laws?
How to comply with the General Data Protection Regulation
FAQs
Bottom line
Meet the experts
What is GDPR?
The GDPR is a comprehensive set of data protection laws designed to safeguard the personal information of EU citizens. This European privacy law applies to any company that does business in Europe.
The GDPR sets out seven key principles that companies must follow to be compliant. Among them are collecting only the information necessary for a specific purpose, being transparent about how the information will be used, and giving consumers the ability to withdraw their consent.
Under the GDPR, personal data is defined as any information related to a natural person that could identify that person. This could include names, addresses, payment information, IP addresses, biometric data, and more.
Who needs to comply with GDPR?
Even if your business isn’t based in a European country, the GDPR may still apply to you. The regulations protect consumers in the EU, so if you’re a company based in the U.S. with European customers, you must comply with GDPR standards. Unlike the California Consumer Privacy Act (CCPA), the size of a company also does not matter with the GDPR. Companies of all sizes must comply.
What are GDPR regulations?
GDPR regulations are shaped around seven compliance principles that help protect consumers' personal data. GDPR requires that businesses protect consumer data throughout every interaction with consumers.
Companies are required to protect data “by design and by default,” which means data protection principles are integrated throughout all processes. Essentially, protecting your consumers’ data should be a top priority.
7 GDPR compliance principles
The GDPR data protection law is based on seven principles to protect consumers' personal data. The GDPR principles outline how consumers should opt in to data collection, how processing of personal data should occur, how that data should be used, and what should be done in case of a breach.
Here are the principles and their implications for companies seeking to comply with GDPR.
- Lawfulness, fairness, and transparency: Consumers should understand what data they’re providing, how the company will use it, and how it is protected.
- Purpose limitation: Companies should only collect data that will be used for a specific purpose.
- Data minimization: Consumers should not be required to provide more information than necessary for a specific purpose.
- Accuracy: Data collected should be accurate and kept up to date.
- Storage limitation: Consumer data should be retained only for as long as necessary.
- Integrity and confidentiality: Companies should work diligently to protect any data they collect.
- Accountability: Each company should have documentation on data protection practices.
The last principle is usually the most troublesome, as Claudio Klaus, a Brazilian-trained lawyer and legal researcher, explains: “Accountability is the hardest to implement in practice. Many businesses don’t fully document their decisions or create strong governance structures. Others struggle with data minimization — collecting more than necessary ‘just in case.’”
Toby Basalla, a privacy consultant, echoes this sentiment with a practical twist: “Accountability is the most skipped GDPR principle. Teams assume someone else is handling documentation, but nobody wants to actually own the records. What works better is assigning names to rules. If Alice owns data minimization, and Bob owns retention policy, then when things go sideways, you know exactly where the buck stops.”
GDPR rules about processing personal data
One of the main tenets of GDPR is the regulation of when and how personal data is processed. Not only does the GDPR hold companies to a higher standard when collecting consumer data, but it also requires companies to have a written agreement with any third party that may have access to the collected data.
Article 28 of the GDPR outlines the need for a data processing agreement:
“Processing by a processor shall be governed by a contract or other legal act under Union or Member State law that is binding on the processor about the controller and that sets out the subject matter and duration of the processing, the nature, and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller.”[1]
The GDPR defines data processing as any act that can be accomplished using someone’s data, including storing, using, or monetizing the data.
The GDPR and the UK's Data Protection Act both include regulations around data profiling. For profiling used to make automated decisions with potential legal consequences for the consumer, such as loan approval, there must be a legal basis, the processing must be necessary to enter into an agreement, and the consumer must give explicit consent.
For profiling used for marketing purposes, such as personalized ads, businesses must obtain permission from the consumer or demonstrate a "legitimate interest."
Not only does the GDPR stipulate how third parties use consumer data, but it also requires companies to restrict their data collection to only the information necessary for the task at hand. If your contact form requests more information than necessary, you may be in violation of the GDPR.
How does the GDPR differ from the ePrivacy Directive?
The GDPR differs from the EU’s 2002 ePrivacy Directive (i.e., the Privacy and Electronic Communications Directive 2002/58/EC) in that the GDPR provides broader protections. In contrast, the forerunner directive focuses on electronic communications. This “cookie law” also regulates the monitoring and tracking of cookies in relation to electronic communications.
A new ePrivacy Regulation is set to replace the ePrivacy Directive, with updates extending protections to all electronic communications, including texts and messaging apps like Facebook Messenger. The European Commission (EC), European Parliament, and European Council have not yet reached a consensus on the new regulation. If greenlit, the more modernized ePrivacy Regulation would work in tandem with the GDPR to offer stronger data privacy protections.
Klaus points out that many companies confuse GDPR with other EU privacy rules: “Many companies wrongly assume GDPR and the ePrivacy Directive are interchangeable. The ePrivacy Directive governs electronic communications specifically, such as cookies, and can apply even when personal data isn’t involved. GDPR, on the other hand, kicks in when personal data is being processed. The overlap causes confusion — especially for non-EU businesses targeting European users.”
Basalla elaborates on why this misconception matters: “Most businesses don’t realize ePrivacy sets the bar even higher for cookies. People assume GDPR covers all the bases. False. GDPR handles the data once collected. ePrivacy governs the access part. This means if you store or retrieve any user data like a tracking pixel or session ID, you need consent before you even get to GDPR. That split is where most teams get it wrong, especially U.S.-based companies with EU traffic.”
GDPR rules about consent
The GDPR emphasized the need for companies to obtain consent from consumers regarding the use of their data. This shift has especially impacted how businesses handle cookie tracking and online advertising.
The GDPR outlines a few key parts of consent that must be achieved to comply, including:
- Consent must be freely given. To be in compliance, users must provide their consent for you to use their data. This consent must be freely given; in other words, you can’t pressure them into opting in.
- Consent must be specific. When requesting consent to use data, companies should be specific about what data is needed and how it will be used.
- Consent must be informed. Consumers should easily understand who you are, why you need the data, and how the data will be used.
- Consent must be unambiguous. Consent should be actively given. Users should check a box or opt in. It cannot be pre-checked for them.
- Consent can be revoked. Users on your website must also be able to withdraw their consent at any time.
Klaus and Basalla weigh in on how the interpretation of "legitimate interest" as a legal basis for processing personal data has evolved since the GDPR's implementation in 2018, particularly in relation to cookie consent. According to Klaus, “Since 2018, courts and data protection authorities have narrowed how businesses can use ‘legitimate interest’ to justify personal data processing. Regulators often expect businesses to use ‘consent’ instead — especially for marketing and behavioral tracking. The shift has pushed companies to rework their cookie banners and consent flows to ensure clearer opt-ins.”
Basalla is more blunt: “Companies slapped [legitimate interest] on everything post-2018, thinking it would magically cover them. But consent has a very specific structure under GDPR, and if you are dropping cookies for analytics or marketing without an opt-in, that is usually not going to fly even if you bury it in a 4,000-word privacy policy. A lot of this confusion comes from teams thinking ‘legitimate interest’ means ‘business interest.’ It does not.”
Also known as the right to erasure, the GDPR’s right to be forgotten enables consumers to request that an organization delete their data. While this may seem straightforward, the GDPR outlines the circumstances under which the right to erasure can be requested and provides guidance on how businesses can create a 'right to be forgotten' form for their consumers.
Do you need a Data Protection Officer?
For some companies, a Data Protection Officer (DPO) helps maintain GDPR compliance and ensures that all collected data is handled properly. The DPO helps implement GDPR best practices and trains employees on how to handle data correctly, and can be a member of the data controller or data processor team.
The GDPR outlines other priorities of a DPO, including:
- “Training organization employees on GDPR compliance requirements
- Conducting regular assessments and audits to ensure GDPR compliance
- Serving as the point of contact between the company and the relevant supervisory authority
- Maintaining records of all data processing activities conducted by the company
- Responding to data subjects to inform them about how their personal data is being used and what measures the company has put in place to protect their data
- Ensuring that data subjects’ requests to see copies of their personal data or to have their personal data erased are fulfilled or responded to, as necessary.”[2]
What are my GDPR rights?
The GDPR gives consumers more information from companies about how their data is being used and protected. Here are some other ways the GDPR gives consumers greater rights in personal data protection:
- The ability to opt out at any time
- The right to data portability: consumers can receive their data for personal use or have it sent to another data controller
- The right to rectification: consumers can request that inaccurate data be corrected
- A requirement that companies protect their data
- A requirement that companies have a specific purpose for using their data
- A requirement that companies notify them of data breaches within a specific amount of time
One of the greatest benefits of the GDPR for consumers is that it establishes governing bodies responsible for protecting consumer data. Every EU member state has a Data Protection Authority (DPA), which investigates GDPR infractions and levies fines. Through the DPAs, the GDPR ensures that its consumer protections are actually enforced.
What happens if you violate European data privacy laws?
Violations of the GDPR can result in hefty fines. GDPR violations and the associated fines are categorized into two tiers based on the severity of the infraction.
The lower tier can incur fines of up to 10 million euros ($10.5 million) or 2% of the previous year's revenue, whichever is greater. For the higher tier, fines can be up to 20 million euros ($21 million) or 4% of the company's revenue from the previous year.
In 2024, European data protection authorities issued fines of over 1.2 billion euros (over $1.3 billion) under the GDPR.[3] You can track all the GDPR fines with the GDPR Enforcement Tracker.
However, it's essential to note that GDPR enforcement priorities are evolving in tandem with the tech landscape. “Expect stricter enforcement on AI tools, cross-border data transfers, and children’s data,” warns Klaus. “The upcoming EU AI Act will also likely influence how personal data can be used in automated decision-making. Businesses should review data flows, update vendor contracts, and check whether their tools use AI in ways that impact privacy.”
Basalla underscores why businesses need to be adaptable: “When data usage shifts, you need to reintroduce the conversation. Let’s say you collected emails for receipts, but now want to send marketing — get new consent. That applies to AI models too. If you train on data for one use case, and then shift to another, you need to get new approval. Otherwise, it is a fast path to penalties.”
How to comply with the General Data Protection Regulation
If you’re doing business with customers in the European Union, you must comply with the GDPR and its seven key principles. To comply with GDPR, it may be helpful to examine GDPR compliance in three key areas: consumer interaction, employee training and security, and procedures for handling a breach.
Consumer interaction
You need to ensure that you're communicating with consumers about the data you’re collecting. Consumers must opt in to share their data with you, and as a company, you must inform customers how their data will be used.
For instance, when opting in for a mailing list, consumers should be informed that their information will be used to send monthly newsletters with company news and updates.
One of the most noticeable changes following the enactment of the GDPR is how companies use cookies. The GDPR treats cookie identifiers as personal data, so cookie data must also be protected to GDPR standards. To help with GDPR compliance, you need a cookie policy in place.
But consent is evolving and not one-and-done. Consumers must be allowed to withdraw or change consent, and companies are required to make this process easy. Klaus explains: “Consent isn’t a one-time box to tick. If a business wants to use data for a new purpose, it must get fresh, informed consent.”
Basalla adds that simply updating a privacy policy isn’t enough: “If the original purpose changes, consent needs to be collected again. Most systems break down here. They track product changes, but not consent context — and that’s exactly what regulators look for.”
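The five consent properties listed under "GDPR rules about consent" and the re-consent point Klaus and Basalla make here, worked into code. This is an added example, not code from All About Cookies or either expert; the policy versioning scheme, the purpose catalogue and the cookie-to-purpose mapping are assumptions constructed for illustration.

```javascript
// Added example, not code from the original article: a consent record and a
// cookie gate that enforce the consent properties described in the article.
// The policy, purposes and cookie names below are constructed for illustration.

// The version changes whenever a purpose is added or its data use changes,
// which forces fresh consent instead of silently reusing the old record.
const CONSENT_POLICY = {
  version: 1,
  purposes: {
    analytics: "Measure page usage with a first-party analytics cookie",
    marketing: "Show personalised ads based on browsing behaviour",
  },
};

// Which purpose each cookie serves; null marks a strictly necessary cookie
// that needs no consent. Anything not listed is refused outright.
const COOKIE_PURPOSE = { session: null, _ga: "analytics", _fbp: "marketing" };

function createConsentStore(policy, now = () => Date.now()) {
  let record = null; // nothing is pre-checked: no record until the user acts
  const log = [];    // append-only audit trail for the accountability principle

  // Specific and unambiguous: every purpose is an explicit true/false decision.
  // Purposes the user did not tick stay false; unknown purposes are rejected.
  function grant(choices) {
    for (const p of Object.keys(choices)) {
      if (!(p in policy.purposes)) throw new Error(`unknown purpose: ${p}`);
    }
    const granted = {};
    for (const p of Object.keys(policy.purposes)) granted[p] = choices[p] === true;
    record = { version: policy.version, granted, at: now() };
    log.push({ event: "grant", ...record });
    return record;
  }

  // Consent can be revoked: withdrawing one purpose leaves the others intact.
  function withdraw(purpose) {
    if (record === null || !(purpose in policy.purposes)) return;
    record = { ...record, granted: { ...record.granted, [purpose]: false }, at: now() };
    log.push({ event: "withdraw", purpose, at: now() });
  }

  // Re-prompt when there is no record or the purposes changed since it was given.
  function needsConsent() {
    return record === null || record.version !== policy.version;
  }

  function mayUse(purpose) {
    if (purpose === null) return true;  // strictly necessary cookie
    if (needsConsent()) return false;   // stale consent never carries over
    return record.granted[purpose] === true;
  }

  // Gate that every cookie write goes through: a non-essential cookie is
  // blocked (and the block logged) until its purpose has been consented to.
  function setCookie(jar, name, value) {
    const purpose = COOKIE_PURPOSE[name];
    if (purpose === undefined) throw new Error(`uncategorised cookie: ${name}`);
    if (!mayUse(purpose)) {
      log.push({ event: "blocked", name, at: now() });
      return false;
    }
    jar[name] = value;
    return true;
  }

  return { grant, withdraw, needsConsent, mayUse, setCookie, log };
}
```

Routing every `document.cookie` write through `setCookie` is what makes the gate effective; the log doubles as the documentation the accountability principle asks for.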
Employee training and cybersecurity
Your employees play a crucial role in ensuring your compliance with the GDPR. You should work to train employees so that they understand the GDPR principles, as well as how their roles impact the company’s GDPR compliance. It is also essential that any employee with access to personal consumer information understands how to maintain the security of that data and what to do in the event of a breach. To ensure data is secure, you can require that employees use two-factor authentication and that company data is encrypted.
Sectors that struggle most with compliance
Some industries face unique challenges in implementing GDPR standards. When asked whether particular industries or sectors struggle more than others with compliance, Klaus and Basalla both pinpointed the advertising industry, among others. “Startups and fast-growing tech companies often struggle, simply because compliance isn’t built in from the start,” says Klaus. “The ad tech sector also faces major hurdles due to its complex data-sharing chains.”
Basalla names the top three: “Advertising, SaaS, and healthcare. Ads because they live off cookies. SaaS because they scale fast without compliance muscle. Healthcare because they collect sensitive data, which triggers even stricter rules.”
What to do if there is a breach
To ensure compliance with GDPR, you must also be prepared for a potential data breach. Does your company have a designated person responsible for leading efforts in the event of a data breach? Do you have a plan in place for notifying consumers, investors, and the government in the event of a data breach?
In the case of a breach, the GDPR stipulates that:
- The Data Protection Authority (DPA) must be notified within 72 hours. (The DPA is the public authority that supervises and enforces data protection law in each EU member state.)
- The company must investigate the severity of the breach.
- Anyone whose data was jeopardized must be notified “without undue delay.”
But there are clear errors companies can make in response to data breaches. “One key mistake is delaying breach notification,” says Klaus. “Some firms forget to document their internal response process, which can lead to heavier fines. Clear internal protocols and regular drills help avoid this.”
Basalla adds: “Mistakes in breach response follow a similar pattern. Someone finds a data issue and waits for internal sign-off before reporting it. That delay can wreck you. GDPR gives 72 hours from the moment of discovery, not confirmation. The clock doesn’t pause.”
How to comply while the ePrivacy Regulation is pending
While GDPR compliance can seem complex, building internal frameworks helps manage risk — especially while regulatory interpretations continue to evolve. With the proposed ePrivacy Regulation still pending, multinational businesses caught between evolving EU frameworks need interim compliance strategies.
“In the meantime,” says Klaus, “I recommend businesses implement consent management platforms (CMPs) that follow strict opt-in rules by default. It’s safer to treat the ePrivacy Directive like it’s already aligned with GDPR’s stricter consent standard. Documentation of internal policies and regular audits also show good faith in case of regulator scrutiny.”
Basalla agrees and offers additional technical advice: “Until the ePrivacy Regulation finalizes, the safest move is to default to the stricter standard. Segment consent systems per region. Run EU traffic through one path, U.S. through another. Use IP detection, respect Do Not Track headers, and log everything.”
He adds that some of his clients spend “around 40 extra development hours per quarter just maintaining that structure... Is it fun? No. Is it safer? Definitely!”
FAQs
When did GDPR go into effect?
The General Data Protection Regulation (GDPR) was adopted by the European Parliament in 2016, replacing the Data Protection Directive (DPD) of 1995, and officially went into effect on May 25, 2018.
In 2018, the UK also enacted its own version of the GDPR, known as the Data Protection Act, which is overseen and enforced by the Information Commissioner's Office (ICO).
The concept of personal data protection and the associated legislation originated in Europe in 2011. Over the next five years, the European Commission worked to establish the tenets of the GDPR and secure its approval.
How do you comply with GDPR?
To comply with the GDPR, businesses must follow the seven principles of the law. One of the most important pieces of compliance includes having written documentation of compliance.
To begin with compliance, audit the data you collect from consumers and ensure it aligns with the tenets of GDPR. Here are some things to make sure apply to your data:
- Do you require consumers to opt in before providing personal data?
- Can consumers opt out from giving data at any time?
- Do you identify what data will be used and how it will be used?
- Are you using clear and easy-to-understand language?
- Do you have all of your data security practices documented?
- Are you collecting any unnecessary data?
One part of the GDPR also requires that you notify consumers of a data breach if one happens. Do you have a plan on how to identify any breaches, and how to notify anyone whose data was compromised?
Who does GDPR protect?
The GDPR protects citizens in the European Union. The regulations apply to any company that does business with people in Europe. The establishment of the GDPR in Europe also spurred other legislation across the world, including the California Consumer Privacy Act (CCPA).
Bottom line
Although complying with GDPR standards may seem daunting, if your company is vigilant in understanding GDPR and training employees on security principles, you can ensure compliance with ease.
Evaluating your company’s privacy policy and cookie policy is a good way to ensure compliance with GDPR. Understanding the GDPR and whether your company complies can help you avoid a large GDPR fine.
The GDPR revolutionized data security for consumers and placed a burden on companies to ensure they are working to protect their customers' data. Although the GDPR is law in Europe, the standards apply to any company that does business in the European Union. Along with the GDPR, other states and countries have also enacted their own data security legislation that should also be evaluated.
Meet the experts
[2] What are the data protection officer roles and responsibilities?
[3] Analysis of Fines Imposed by the Information Commissioner’s Office in 2024