General Data Protection Regulation (GDPR)
EU data protection framework governing personal data processing, consent, and cross-border transfers.
Adopted in 2016 and enforceable since 25 May 2018, the General Data Protection Regulation has become the global benchmark for data privacy legislation. GDPR replaced the 1995 Data Protection Directive with a directly applicable regulation, creating a single, harmonised framework for how organisations collect, store, process, and share personal data of individuals located in the European Economic Area. Its extraterritorial reach means that any company worldwide offering goods or services to EU residents, or monitoring their behaviour, must comply.
GDPR affects virtually every organisation that handles personal data, from multinational corporations and tech platforms to SMEs, hospitals, and public authorities. The regulation grants individuals a comprehensive set of rights, including the right to access, rectify, and erase their data, the right to data portability, and the right to object to automated decision-making. Organisations must demonstrate a lawful basis for processing, such as consent, contractual necessity, or legitimate interest, and must implement data protection by design and by default.
Key compliance obligations include appointing a Data Protection Officer where required, maintaining records of processing activities, conducting Data Protection Impact Assessments for high-risk processing, and reporting personal data breaches to supervisory authorities within 72 hours. Cross-border data transfers outside the EEA are subject to strict safeguards, including adequacy decisions, Standard Contractual Clauses, and Binding Corporate Rules. The regulation also imposes significant accountability requirements, compelling organisations to demonstrate compliance through documentation and governance measures.
Enforcement has been vigorous. National Data Protection Authorities have collectively issued billions of euros in fines since 2018, with landmark penalties against major technology companies setting precedent across sectors. The one-stop-shop mechanism allows companies with cross-border operations to deal primarily with a single lead supervisory authority, though cooperation between DPAs remains complex in practice.
GDPR interacts closely with the ePrivacy Directive, which governs electronic communications and cookie consent, and with the EU AI Act, which adds specific transparency and data governance requirements for artificial intelligence systems. The Digital Services Act also builds on GDPR principles by imposing content-related obligations on online platforms. For businesses, GDPR compliance is not a one-time project but an ongoing governance discipline that underpins trust, market access, and competitive positioning in the digital economy.
Conduct a data mapping exercise to understand what personal data you process, where it flows, and on what legal basis.