What GDPR is
GDPR is the General Data Protection Regulation (Regulation EU 2016/679), in force since May 25, 2018. It governs how organizations process personal data of people in the EU and EEA, and is enforced by national data-protection authorities — the ICO in the UK (under UK GDPR), CNIL in France, Bundesbeauftragte in Germany, and so on.
Who GDPR applies to
- You're established in the EU (legal entity, branch, employees).
- You offer goods or services to people in the EU, even free ones (Article 3(2)(a)). Euro pricing, EU-language site versions, or shipping to EU addresses are signals.
- You monitor behavior of people in the EU (Article 3(2)(b)) — analytics, retargeting, tracking pixels.
Key terms
- Personal data. Any information relating to an identified or identifiable person — names, emails, IPs, cookie IDs, device fingerprints. Much broader than US "PII."
- Special category data. Health, biometric, genetic, racial/ethnic origin, political opinions, religious beliefs, sexual orientation, trade-union membership. Higher protection (Article 9).
- Data controller. Determines purposes and means of processing. Usually your customer if you're a B2B SaaS.
- Data processor. Processes data on the controller's behalf. Usually you (the SaaS).
- Data subject. The natural person whose data is processed.
The 6 lawful bases (Article 6)
- Consent — freely given, specific, informed, unambiguous, as easy to withdraw as to give. Pre-ticked boxes don't count.
- Contract — necessary to perform a contract with the data subject, or pre-contractual steps at their request.
- Legal obligation — required by EU or member-state law.
- Vital interests — protecting someone's life. Rare for SaaS.
- Public task — only for public authorities.
- Legitimate interests — balanced against data subject's rights via a documented Legitimate Interests Assessment (LIA).
The 8 data subject rights
- Right to be informed (Articles 13-14) — your privacy notice must explain what data, why, and on what basis.
- Right of access (Article 15) — subjects can request a copy of everything you hold ("subject access request" / SAR).
- Right to rectification (Article 16) — correct inaccurate data.
- Right to erasure / right to be forgotten (Article 17) — delete their data, with limited exemptions.
- Right to restrict processing (Article 18) — pause processing while a dispute is resolved.
- Right to data portability (Article 20) — receive data in machine-readable format, or transmit to another controller.
- Right to object (Article 21) — to legitimate-interests processing, direct marketing, or research.
- Rights re: automated decision-making (Article 22) — including human review of significant automated decisions.
You must respond within 30 days, free of charge. Build the SAR workflow before you have to use it.
DPIA, DPO, DPA, SCCs
- DPIA (Data Protection Impact Assessment) — required before high-risk processing (Article 35). Large-scale special-category data, systematic monitoring, automated decisions with legal effects.
- DPO (Data Protection Officer) — required if you're (a) a public authority, (b) doing large-scale systematic monitoring, or (c) doing large-scale special-category processing.
- DPA (Data Processing Agreement) — required between every controller and processor under Article 28.
- SCCs (Standard Contractual Clauses) — required for transferring data to non-adequate countries (US, India, China). Current set: EU 2021 SCCs, often paired with a Transfer Impact Assessment after Schrems II.
Breach notification
- To your supervisory authority: within 72 hours of becoming aware, unless unlikely to result in risk (Article 33).
- To data subjects: without undue delay if breach is likely to result in high risk (Article 34).
- Maintain a breach register of every breach, regardless of reportability. Auditors will ask.
Penalties
| Tier | Max fine | Examples |
|---|---|---|
| Lower (Article 83(4)) | €10M or 2% global turnover | Missing DPO, inadequate DPIA, breach-notification failures, record-keeping |
| Higher (Article 83(5)) | €20M or 4% global turnover | Processing without lawful basis, ignoring rights requests, illegal transfers, special-category violations |
Big-ticket fines (Meta €1.2B, Amazon €746M, TikTok €345M) make headlines but most SME enforcement is €10K-€500K. Reputational damage usually hurts more than the fine.
GDPR vs other privacy regulations
| Regulation | Geography | Notes |
|---|---|---|
| GDPR | EU + EEA | Sets the bar globally |
| UK GDPR + DPA 2018 | UK | Near-identical to EU GDPR post-Brexit |
| CCPA / CPRA | California | Similar shape, narrower rights, revenue/data thresholds |
| LGPD | Brazil | Closely modeled on GDPR |
| PIPL | China | GDPR-shaped with strict data-localization |