GDPR fundamentals

What is GDPR?

Updated April 2026 · EU GDPR 2016/679 · EDPB aligned

GDPR — the General Data Protection Regulation (EU) 2016/679 — is the European Union's primary data protection law. It applies to every organisation that processes personal data of individuals in the EU, regardless of where the organisation is established. It replaced the 1995 Data Protection Directive and has been the global benchmark for data protection regulation since May 2018.

How to read this guide. This guide explains requirements and expectations derived from EU GDPR 2016/679 and EDPB published guidance. Where we write “EU GDPR requires” we cite the regulation. Where we write “EDPB guidance indicates” we cite regulatory guidance, which is not identical to a statutory obligation. Application of GDPR obligations may vary depending on member state law and supervisory authority interpretation — consult a qualified data protection practitioner familiar with the relevant jurisdiction.

What GDPR is

GDPR stands for General Data Protection Regulation. Formally Regulation (EU) 2016/679, it applies directly in all EU member states without requiring national implementing legislation. It entered into force on 25 May 2018, replacing the EU Data Protection Directive 1995. Unlike a directive, a regulation has direct effect — the same rules apply across all 27 member states, though member states retain some discretion in specific areas addressed by the regulation itself.

The UK retained EU GDPR as UK GDPR after Brexit. The two regimes are now separate — EU GDPR is supervised by national data protection authorities and the European Data Protection Board (EDPB); UK GDPR is supervised by the ICO. See the UK GDPR guide for the UK framework.

Source: Regulation (EU) 2016/679; EDPB guidelines

Who GDPR applies to

GDPR applies to any organisation established in the EU that processes personal data in the context of that establishment. It also applies — under Article 3(2) — to organisations established outside the EU that offer goods or services to individuals in the EU, or that monitor the behaviour of individuals in the EU. A US company selling to French consumers, an Australian SaaS platform used by German businesses, a UK organisation with EU customers — all are subject to EU GDPR for that processing.

There is no minimum size threshold. A sole trader operating in Italy, a two-person startup in the Netherlands, a large multinational headquartered in Ireland — all are data controllers subject to the full framework. Some obligations are calibrated to the nature and scale of processing rather than organisational size, but the core principles apply universally.

The six principles

Article 5 sets out six principles that govern all processing of personal data. Every compliance programme must demonstrate adherence to all six:

  • Lawfulness, fairness and transparency — processing must have a legal basis, must not be deceptive, and individuals must be informed
  • Purpose limitation — data collected for one purpose cannot be used for an incompatible purpose without fresh consent or legal basis
  • Data minimisation — only data adequate, relevant, and limited to what is necessary should be collected
  • Accuracy — personal data must be accurate and kept up to date
  • Storage limitation — data must not be kept longer than necessary for the purpose for which it was collected
  • Integrity and confidentiality — appropriate security measures must protect against unauthorised access, loss, or destruction

The accountability principle in Article 5(2) is the most significant from an enforcement perspective: controllers must be able to demonstrate compliance with all six principles. A documented, evidenced compliance programme is not optional — it is the mechanism by which accountability is demonstrated.

Source: EU GDPR Article 5

Supervisory authorities and the EDPB

Each EU member state has a national supervisory authority (DPA) responsible for enforcing GDPR within its territory. Germany has multiple DPAs at Länder level; France has the CNIL; Ireland has the DPC; Spain has the AEPD. Where an organisation operates across multiple member states, the one-stop-shop mechanism under Article 60 designates a lead supervisory authority — typically the DPA of the member state where the organisation has its main establishment.

The European Data Protection Board (EDPB) is the EU-wide body composed of the heads of each national DPA. It issues binding decisions on cross-border cases and publishes guidelines on the interpretation of GDPR that national DPAs must take into account. EDPB guidelines are the authoritative interpretation of how GDPR applies in practice.

Source: EU GDPR Articles 51–76; EDPB guidelines

Fines and enforcement

Article 83 provides for administrative fines of up to €20 million or 4% of annual worldwide turnover for the most serious breaches, and up to €10 million or 2% for less severe infringements. EU enforcement has produced some of the largest data protection fines in history — Meta has received multiple fines exceeding €1 billion from the Irish DPC, Google has been fined by the CNIL, Amazon by the Luxembourg CNPD. SME fines are typically far smaller but are real — national DPAs across the EU actively enforce against small organisations, particularly for SAR failures and inadequate security.

What compliance requires

A structured GDPR compliance programme covers five interconnected areas: data audit and mapping; lawful basis and consent; privacy notices, policies, and third-party agreements; data subject rights and security; and training, accountability, and ongoing governance. Each area produces evidence — not just decisions — because the accountability principle requires proof of compliance, not assertion of it.

Record this. Document your lawful basis for every processing activity, your data audit findings, every policy in force, and every governance decision with the date it was made. National DPAs expect organisations to produce these records on request — they cannot be reconstructed after the fact.

Note: application of EU GDPR obligations may vary under member state law. Confirm with a practitioner familiar with the relevant jurisdiction.

Not legal advice. This guide is derived from EU GDPR (Regulation (EU) 2016/679), EDPB published guidelines, and national supervisory authority guidance as at April 2026. Obligations are subject to change. Consult a qualified solicitor or data protection practitioner for advice specific to your organisation.