What is GDPR?
The General Data Protection Regulation (GDPR) is the European Union’s comprehensive data protection regulation, effective since May 25, 2018. It applies to any organization that processes personal data of individuals in the EU or European Economic Area (EEA), regardless of where the organization is based. GDPR has become the global benchmark for data protection and has influenced privacy legislation worldwide.
GDPR is built on seven key principles: lawfulness, fairness, and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability. These principles form the foundation for all processing obligations under the regulation.
Key Requirements
GDPR imposes specific obligations across several areas of data protection and privacy governance.
| Requirement Area | Description | Key Provisions |
|---|---|---|
| Lawful Basis | Document a valid legal basis for each processing activity | Consent, contract, legal obligation, vital interests, public task, legitimate interests |
| Data Subject Rights | Respond to individual requests within 30 days | Access, rectification, erasure, restriction, portability, objection, automated decision-making |
| Data Protection Impact Assessments | Assess high-risk processing before it begins | Systematic evaluation, necessity and proportionality, risk mitigation measures |
| International Transfers | Ensure adequate protection for cross-border data flows | Adequacy decisions, SCCs, binding corporate rules, derogations |
| Data Protection Officer | Appoint a DPO when required by regulation | Public authorities, large-scale monitoring, special category data processing |
| Records of Processing | Maintain a register of all processing activities | ROPA with purposes, categories, recipients, transfers, retention periods |
| Breach Notification | Report qualifying breaches within 72 hours | Supervisory authority notification, data subject communication, documentation |
| Privacy by Design | Embed data protection into system design and processing | Default settings, data minimization, pseudonymization, purpose limitation |
Readiness Assessment Checklist
Before engaging in a full compliance program, evaluate where your organization stands against these six readiness questions:
- Have you documented a lawful basis for each processing activity, with records that demonstrate the analysis?
- Are data subject rights procedures in place with documented workflows for all request types?
- Do you maintain a comprehensive Record of Processing Activities (ROPA) that is current and complete?
- Have you conducted Data Protection Impact Assessments (DPIAs) for high-risk processing activities?
- Are international transfer mechanisms in place for all cross-border data flows, with transfer impact assessments?
- Do you have a breach notification process that can meet the 72-hour reporting requirement?
If you can’t confidently answer “yes” to most of these, a readiness sprint will get you there.
Next step: See our control domain breakdown to understand what supervisory authorities expect across all data protection control areas, with evidence examples for each.