The EU’s General Data Protection Regulation (GDPR) took effect on May 25, 2018, and has since become the de-facto global benchmark for data privacy law. Cumulative fines imposed under GDPR have crossed €5 billion, with individual fines reaching nine and ten figures. The regulatory landscape has continued to evolve substantially: the Schrems II ruling (July 2020) invalidated the EU-US Privacy Shield, the EU-US Data Privacy Framework (DPF) replaced it in July 2023, the UK has operated its own UK GDPR since Brexit, and the EU AI Act, Digital Services Act, and Digital Markets Act have layered additional compliance obligations on top.
This guide explains what GDPR is, who it applies to, what it requires, the most consequential 2018-2026 enforcement actions and rulings, and how to align your organization with current obligations. The fundamentals haven’t changed since 2018 — what has changed is the enforcement maturity, the cross-border-transfer mechanics, and the wider data-protection regulatory ecosystem GDPR now sits inside.
What is GDPR?
GDPR is a European Union regulation that governs how personal data of individuals in the EU is collected, processed, stored, and shared. Adopted in April 2016 and applicable from May 25, 2018, it replaced the 1995 Data Protection Directive. The regulation gives data subjects broad rights over their personal data — to access it, correct it, delete it, port it to another service, and object to certain processing. It also imposes obligations on organizations that handle that data, with administrative fines for non-compliance of up to €20 million or 4% of global annual turnover, whichever is higher.
Core obligations include:
- Data breach notification. Organizations have 72 hours from becoming aware of a personal data breach to notify the relevant supervisory authority (a later notification must be accompanied by reasons for the delay), and must notify affected individuals without undue delay where the breach is likely to result in a high risk to them.
- Lawful basis for processing. Every processing activity must have a documented lawful basis — consent, contract, legal obligation, vital interests, public task, or legitimate interests.
- Plain-language privacy notices. Information about data practices must be provided in clear, accessible language. The era of impenetrable terms-of-service text was effectively ended by GDPR (and reinforced by enforcement actions since).
- Data subject rights. Access, rectification, erasure (“right to be forgotten”), restriction, portability, objection, and rights related to automated decision-making.
- Privacy by design and default. Privacy considerations must be built into products and processes from the start, not bolted on at the end.
- Stronger consent requirements. Consent must be freely given, specific, informed, and unambiguous. Pre-checked boxes don’t qualify; bundled consent for unrelated purposes doesn’t qualify.
- Parental consent for children. Offering information-society services directly to a child under 16 (a threshold member states may lower to as low as 13) on the basis of consent requires consent given or authorized by the holder of parental responsibility, and the controller must make reasonable efforts to verify it.
- Data Protection Officer (DPO) appointment for public authorities and for organizations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special-category data.
Categories of personal data protected by GDPR
GDPR’s definition of personal data is intentionally broad. Categories include:
- Identification data: name, address, ID numbers, government-issued identifiers.
- Online identifiers: IP addresses, device fingerprints, cookie IDs, advertising IDs, account usernames.
- Location data: GPS coordinates, mobile-network location data, geolocation patterns.
- Special category (sensitive) data: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used for unique identification, health data, sex life, and sexual orientation. Processing special category data is prohibited unless one of the Article 9(2) exceptions applies.
- Biometric data: fingerprints, facial recognition, voice prints, iris scans — when processed for the purpose of uniquely identifying a person.
- Genetic data: data relating to inherited or acquired genetic characteristics.
- Health data: physical or mental health, healthcare provision, related identifiers.
- Children’s data: data about persons under age 16 (or 13-16 depending on member state).
Who does GDPR apply to?
GDPR applies to organizations that process personal data of individuals in the EU in the situations set out in Article 3, regardless of where the organization is physically located. Specifically:
- Organizations established in the EU, for processing in the context of that establishment, regardless of whether the processing itself happens in the EU.
- Organizations outside the EU that offer goods or services to individuals in the EU (whether or not payment is required), including via website, app, or mailing.
- Organizations outside the EU that monitor the behavior of individuals in the EU, as far as that behavior takes place in the EU (e.g., via web analytics, advertising tracking, biometric monitoring).
The 250-employee threshold often cited applies specifically to the record-keeping obligation under Article 30 — not to the regulation as a whole. Article 30(5) exempts organizations with fewer than 250 employees from keeping a full register only when their processing is occasional, unlikely to result in a risk, and involves no special-category or criminal-offence data; most organizations fail at least one of those conditions. Small organizations are still subject to GDPR if they process personal data; the substantive obligations remain.
GDPR fines and major enforcement actions
The maximum administrative fine under GDPR is €20 million or 4% of global annual turnover, whichever is higher. Most early enforcement actions in 2018-2019 were modest; since 2020 the supervisory authorities have issued increasingly large fines. Notable enforcement actions:
- Meta (Facebook, Instagram, WhatsApp) — €1.2 billion (May 2023) from the Irish DPC for unlawful EU-US data transfers in the Schrems II aftermath. The largest GDPR fine to date.
- Amazon — €746 million (July 2021) from Luxembourg’s CNPD for advertising-targeting practices found to lack a valid legal basis.
- TikTok — €345 million (September 2023) from the Irish DPC for processing children’s data without sufficient safeguards.
- Meta — €390 million (January 2023) for relying on contract necessity rather than consent for behavioral advertising.
- Google — €50 million (January 2019) from France’s CNIL — the first major GDPR fine — for transparency and consent failures in Android sign-up flows.
- Meta — €405 million (September 2022) from the Irish DPC for Instagram’s handling of children’s data.
- H&M — €35.3 million (October 2020) for excessive employee monitoring at a Nuremberg service center.
- British Airways — £20 million (October 2020) from the UK’s ICO for the 2018 Magecart breach affecting roughly 400,000 customers.
- Marriott — £18.4 million (October 2020) from the ICO for the Starwood Hotels reservation-system breach that began in 2014 and was discovered and disclosed in 2018.
Cumulative GDPR fines reached €5 billion+ by 2024-2025. The pattern: large platform companies attract the largest fines, but mid-market and small-business enforcement has expanded substantially. The Irish Data Protection Commission has been the most active high-stakes enforcer because most US tech giants have their EU headquarters in Ireland.
GDPR requirements that affect your organization
Operationally, GDPR compliance means:
- Maintain a record of processing activities (RoPA) — Article 30 register documenting what personal data you process, why, who you share it with, and how long you keep it.
- Have a lawful basis for every processing activity — consent, contract, legal obligation, vital interests, public task, or legitimate interests.
- Conduct Data Protection Impact Assessments (DPIAs) for high-risk processing — typically large-scale systematic monitoring, large-scale processing of special category data, or new technologies.
- Honor data subject rights within statutory deadlines (one month from receipt, extendable by a further two months where requests are complex or numerous, provided the data subject is told of the extension and the reasons within the first month).
- Implement appropriate technical and organizational measures for data security — encryption, access controls, audit logging, vulnerability management.
- Have a documented breach response process capable of producing a 72-hour notification to the supervisory authority.
- Manage cross-border data transfers via approved mechanisms (the DPF for transfers to DPF-certified US recipients, SCCs with a transfer impact assessment for other third-country transfers, BCRs for intra-group transfers).
- Maintain compliant privacy notices covering all required Article 13/14 disclosures.
- Vet processors and sub-processors via Article 28 data processing agreements (DPAs).
How to tell if GDPR applies to you
Quick test: do any of the following describe your organization?
- You have EU residents in your customer, user, or subscriber base.
- You ship products or provide services to people in the EU.
- Your website is accessible to EU residents and uses analytics, advertising, or other tracking.
- You process EU residents’ data on behalf of another organization (e.g., as a SaaS vendor).
- You have employees, contractors, or vendors in the EU.
If yes to any, GDPR applies. The territorial scope is broad and most organizations with any digital presence touching EU residents fall within it.
Cross-border data transfers (post-Schrems II)
Cross-border data transfer rules have evolved substantially since 2018:
- Schrems II (July 16, 2020) — the Court of Justice of the European Union invalidated the EU-US Privacy Shield framework, ruling that US surveillance laws did not provide protection essentially equivalent to GDPR. SCCs survived, but only on condition that the exporter assesses the destination country’s law and adds supplementary measures where needed. This forced a reassessment of all EU-US transfer mechanisms.
- Updated Standard Contractual Clauses (SCCs) — June 4, 2021 — the European Commission published new SCCs replacing the 2010/2001 versions. Required for most third-country transfers.
- EU-US Data Privacy Framework (DPF) — adequacy decision adopted July 10, 2023 — the Privacy Shield replacement. US companies that self-certify to the DPF with the US Department of Commerce can receive personal data from EU controllers without additional safeguards; transfers to non-certified US recipients still need SCCs. A UK extension to the DPF (the UK-US “data bridge”) and a parallel Swiss-US DPF cover transfers from the UK and Switzerland.
- Transfer Impact Assessments (TIAs) — controllers using SCCs must assess whether the destination country provides essentially equivalent protection and document supplementary measures where needed.
- Binding Corporate Rules (BCRs) remain available for intra-corporate transfers in multinational organizations.
The UK GDPR (post-Brexit)
The UK left the EU on January 31, 2020, with a transition period through the end of 2020. Effective January 1, 2021, the UK operates its own UK GDPR — substantively identical to EU GDPR but enforced by the UK’s Information Commissioner’s Office (ICO) alongside the Data Protection Act 2018. The European Commission adopted an adequacy decision for the UK in June 2021, allowing data flows from the EU to the UK without additional safeguards. That decision carried a sunset of June 27, 2025; the Commission extended it to December 27, 2025 while it assessed the UK’s Data (Use and Access) Act 2025, and then adopted renewed adequacy decisions in December 2025. Adequacy decisions are reviewed periodically and can be withdrawn, so UK transfers remain something to track.
How to align with GDPR
Revise privacy policies
Article 13 and 14 require specific information be provided to data subjects: identity and contact details of the controller, contact details of the DPO, purposes and legal basis of processing, recipients, retention periods, data subject rights, transfer mechanisms, and sources of data. Privacy notices written before 2018 are almost certainly missing required elements; updates should be reviewed against current EDPB guidance.
Get active consent (where consent is the legal basis)
If you rely on consent: it must be freely given, specific, informed, unambiguous, and as easy to withdraw as to give. Pre-ticked boxes, bundled consents, and consent walls that condition service on agreement to non-essential processing don’t qualify. The cookie-banner-as-dark-pattern has been actively enforced against — France’s CNIL fined Google €150 million in January 2022 specifically for cookie consent design.
Integrate IT, legal, and marketing teams
GDPR compliance is cross-functional. Marketing teams handle consent and tracking; IT handles security and breach response; legal handles contracts and DPIAs. Without integration, gaps appear — particularly around how third-party tools (analytics, advertising, customer data platforms) handle personal data.
Practice data mapping
You can’t protect data you don’t know you have. Most modern GDPR programs use a data-mapping platform (OneTrust, Securiti, TrustArc, Osano, BigID, Termly) to inventory data flows across systems. Maps feed RoPAs, DPIAs, and breach response.
Set up extra protection for children’s data
The TikTok €345 million fine (September 2023) underscored that children’s data triggers heightened scrutiny. If your service has any users under 16 (or under 13-16 depending on member state implementation), you need verifiable parental consent mechanisms and age-appropriate design choices.
Check Google Analytics and similar trackers
Multiple EU supervisory authorities (Austria in January 2022, France in February 2022, Italy in June 2022, Denmark in September 2022, Norway and others since) found that the Google Analytics deployments they examined transferred personal data to the US without a valid mechanism after Schrems II. The 2023 EU-US Data Privacy Framework provides a path for the transfer itself via the vendor’s DPF certification, but it does not settle the separate cookie-consent question, so organizations must still audit their analytics, advertising, and CDP setups. Server-side tagging, truncating IP addresses before data leaves your infrastructure, and consent-gated tagging (Google’s Consent Mode or an equivalent) are common technical mitigations.
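Two of those mitigations in working form, as an added example rather than code from the original page or from any analytics vendor: IP truncation done server-side, and a consent gate that strips the client identifier unless analytics consent was recorded. The prefix widths (keep a /24 for IPv4, a /48 for IPv6) follow the convention popularized by Google Analytics’ “IP anonymization” and are an assumption of this example, not a GDPR requirement; the sample hits are constructed. Note the IPv4-mapped IPv6 case: without unwrapping it, a /48 mask would keep the entire embedded IPv4 address.

```python
import ipaddress
from typing import Optional

# Assumed prefix widths kept after truncation (Google Analytics convention:
# drop the last octet of an IPv4 address, the last 80 bits of an IPv6 address).
IPV4_KEEP_BITS = 24
IPV6_KEEP_BITS = 48

# Name of the consent purpose this gate checks; assumed for the example.
CONSENT_KEY = "analytics"


def anonymize_ip(raw: str) -> Optional[str]:
    """Return a truncated form of `raw`, or None if it is not a valid address.

    Truncation masks the address to a network prefix, so the result can no
    longer single out a host but still supports coarse geo/aggregate reporting.
    IPv4-mapped IPv6 addresses (::ffff:a.b.c.d) are unwrapped first so they get
    the IPv4 treatment instead of surviving a /48 mask intact.
    """
    try:
        addr = ipaddress.ip_address(raw.strip())
    except ValueError:
        return None
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    keep = IPV4_KEEP_BITS if addr.version == 4 else IPV6_KEEP_BITS
    net = ipaddress.ip_network(f"{addr}/{keep}", strict=False)
    return str(net.network_address)


def build_pageview(event: dict, consents: dict) -> dict:
    """Reduce a raw server-side hit to what may be forwarded to the analytics vendor.

    Without recorded analytics consent only a cookieless, IP-truncated hit
    remains (the consent-mode pattern). With consent the client id is kept,
    but the IP is still truncated before it leaves our infrastructure.
    """
    out = {
        "path": event["path"],
        "ip": anonymize_ip(event["ip"]),
    }
    if consents.get(CONSENT_KEY) is True:
        out["client_id"] = event.get("client_id")
    return out


if __name__ == "__main__":
    # Constructed sample hits (documentation-range addresses, not real traffic).
    hits = [
        {"path": "/pricing", "ip": "203.0.113.45", "client_id": "GA1.2.111.222"},
        {"path": "/docs", "ip": "2001:db8:abcd:1234::1", "client_id": "GA1.2.333.444"},
        {"path": "/", "ip": "::ffff:198.51.100.7", "client_id": "GA1.2.555.666"},
    ]
    for hit in hits:
        print("no consent:", build_pageview(hit, {}))
        print("consent:   ", build_pageview(hit, {CONSENT_KEY: True}))
```

The gate runs in the server-side tagging layer, so the vendor never sees the raw IP regardless of consent state; the consent check treats anything other than an explicit True as no consent, which is the safe default for a missing or malformed consent record.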
Vet third-party vendors
Article 28 requires written contracts (Data Processing Agreements, DPAs) between controllers and processors. The DPA must cover specific topics: subject matter, duration, nature, purpose of processing, types of personal data, and data subject categories. Reviewing DPAs from your vendors annually is now standard.
Provide clear deletion and portability options
Data subjects have a right to request deletion (Article 17) and portability (Article 20) of their data. Build the workflow before the request comes in — manual ad-hoc handling doesn’t scale and is error-prone.
Conduct DPIAs for high-risk processing
Article 35 requires Data Protection Impact Assessments before processing that’s likely to result in a high risk — large-scale automated decision-making, large-scale special category data processing, public-area systematic monitoring, or new technologies. The ICO and EDPB publish lists of activities triggering mandatory DPIA.
Be ready to detect, investigate, and report breaches
The 72-hour notification clock starts when you become aware of a breach, not when investigation completes. That requires preparation: incident response runbooks, legal-team notification procedures, supervisory-authority contacts, and communication templates for affected individuals. Many GDPR fines have included aggravating factors for delayed or incomplete breach notification.
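The two clocks above (the one-month data subject request deadline from the deletion and portability section, and the 72-hour breach clock) are easy to get wrong by hand, so here is an added example, not code from the original page, that computes them. Calendar-month arithmetic follows the EDPB reading that the period ends on the same date in the following month, or on the last day of that month if the date does not exist (January 31 plus one month is February 28 or 29); rolling a deadline that lands on a weekend or holiday to the next working day follows Regulation 1182/71, with the holiday calendar left to the caller. The 72-hour breach clock gets no weekend rollover. The function names, the `status` strings and the sample dates are this example’s own.

```python
import calendar
from datetime import date, datetime, timedelta, timezone
from typing import FrozenSet, Optional

BREACH_NOTIFY_WINDOW = timedelta(hours=72)  # Art. 33(1): 72 hours from awareness
DSAR_BASE_MONTHS = 1                         # Art. 12(3): one month from receipt
DSAR_EXTENSION_MONTHS = 2                    # Art. 12(3): "by two further months"


def add_months(d: date, months: int) -> date:
    """Same calendar day `months` later, clipped to the end of the target month."""
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def next_working_day(d: date, holidays: FrozenSet[date] = frozenset()) -> date:
    """Roll a deadline on a Saturday, Sunday or listed holiday to the next working day
    (Regulation 1182/71 Art. 3(4)); `holidays` is the caller's calendar, assumed here."""
    while d.weekday() >= 5 or d in holidays:
        d += timedelta(days=1)
    return d


def dsar_deadline(received: date, extended: bool = False,
                  holidays: FrozenSet[date] = frozenset()) -> date:
    """Response deadline for a data subject request received on `received`.
    `extended` models the two-month extension, which must itself be communicated
    to the data subject within the first month."""
    months = DSAR_BASE_MONTHS + (DSAR_EXTENSION_MONTHS if extended else 0)
    return next_working_day(add_months(received, months), holidays)


def breach_notification_deadline(aware_at: datetime) -> datetime:
    """Art. 33 clock: exactly 72 hours from awareness, no working-day adjustment,
    so a Friday-evening discovery is due Monday evening. Naive timestamps are
    rejected because a wrong timezone silently shifts the deadline."""
    if aware_at.tzinfo is None:
        raise ValueError("awareness timestamp must be timezone-aware")
    return aware_at + BREACH_NOTIFY_WINDOW


def breach_notification_status(aware_at: datetime, notified_at: Optional[datetime],
                               now: datetime) -> str:
    """One of 'on_time', 'late' (notified after the deadline; Art. 33(1) then
    requires reasons for the delay), 'open' or 'overdue' (not yet notified)."""
    deadline = breach_notification_deadline(aware_at)
    if notified_at is not None:
        return "on_time" if notified_at <= deadline else "late"
    return "open" if now <= deadline else "overdue"


if __name__ == "__main__":
    # Constructed sample dates, chosen to hit the month-end and weekend edge cases.
    print(dsar_deadline(date(2026, 1, 31)))                  # month-end clipping
    print(dsar_deadline(date(2026, 2, 14)))                  # lands on a Saturday
    print(dsar_deadline(date(2026, 1, 31), extended=True))   # three months total
    aware = datetime(2026, 3, 13, 18, 0, tzinfo=timezone.utc)  # a Friday evening
    print(breach_notification_deadline(aware))
    print(breach_notification_status(aware, None, aware + timedelta(days=4)))
```

Feed `received` with the date the request actually reached any channel your organization monitors (a support mailbox counts), not the date it was triaged; the clock is not paused by identity verification unless you genuinely cannot identify the requester.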
Build privacy by design into new projects
Article 25 requires that privacy be considered at design time, not as a post-hoc add-on. Privacy-by-design checks should be part of product development workflow alongside security and accessibility reviews.
Be careful with algorithms and automated decisions
Article 22 restricts solely automated decision-making with legal or similarly significant effects on individuals. The 2024 EU AI Act layers additional obligations on top — particularly for high-risk AI systems including credit decisioning, employment screening, biometric identification, and law enforcement use. GDPR and AI Act compliance now overlap substantially.
Audit your data periodically
Annual data audits surface unused data that should be deleted (data minimization), out-of-date access controls, and processing that has drifted from documented purposes. Modern data-discovery tools (BigID, Spirion, Collibra, Atlan) automate substantial parts of this.
Consider hiring a Data Protection Officer (DPO)
Article 37 mandates a DPO for public authorities, for organizations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special category data, and wherever member state law requires one. Smaller organizations not required to appoint a DPO often benefit from naming a privacy lead anyway. The DPO must report directly to the highest management level and be free from conflicts of interest (the CISO or head of marketing is usually a conflicted choice).
GDPR in the wider 2026 regulatory landscape
GDPR no longer stands alone. Other key regulations layered on top or alongside:
- EU AI Act — entered into force August 1, 2024 with phased application: prohibited practices from February 2, 2025, general-purpose AI model obligations from August 2, 2025, and most high-risk system obligations from August 2, 2026, with some product-embedded high-risk systems following in 2027. Classifies AI systems by risk; high-risk systems face conformity assessments, transparency, and human oversight obligations. Heavily intersects with GDPR for AI systems processing personal data.
- Digital Services Act (DSA) — fully applicable since February 17, 2024. Imposes content-moderation, transparency, and risk-management obligations on online platforms.
- Digital Markets Act (DMA) — obligations on designated “gatekeepers” (large platforms) have applied since March 2024. Imposes pro-competition obligations, including limits on combining personal data across services without consent.
- NIS2 Directive — cybersecurity requirements for essential and important entities; member states had to transpose it by October 17, 2024, and national implementation has been uneven.
- Data Act — applicable from September 12, 2025. Addresses access to and use of data generated by connected devices and services.
- UK Data (Use and Access) Act 2025 — amends UK GDPR and the Data Protection Act 2018 (received Royal Assent June 2025). It succeeded the Data Protection and Digital Information (DPDI) Bill, which lapsed when Parliament was dissolved in 2024.
- U.S. state privacy laws — California (CCPA/CPRA), Virginia, Colorado, Connecticut, Utah, Tennessee, Texas, Florida, Oregon, Montana, Iowa, Indiana, Delaware, New Jersey, New Hampshire, Kentucky, Rhode Island, Minnesota, Maryland, and others — broadly modeled on GDPR principles, with variations in scope and enforcement.
Most large multinational organizations now run a unified privacy program covering GDPR, UK GDPR, the U.S. state laws, and other jurisdiction-specific regimes (Brazil’s LGPD, China’s PIPL, India’s DPDP Act, etc.). The fundamental compliance work is similar across all of them; the legal nuances vary by jurisdiction.
Frequently asked questions
Does GDPR apply to my US-based small business?
If you sell products or services to EU residents, monitor EU residents’ behavior (e.g., via website analytics or advertising), or have any EU-based employees or contractors, then yes. Small businesses face the same substantive obligations as large ones, with somewhat lighter record-keeping requirements where Article 30 thresholds aren’t met.
What’s the largest GDPR fine to date?
Meta’s €1.2 billion fine in May 2023 from the Irish Data Protection Commission for unlawful EU-US data transfers — issued in the Schrems II aftermath. Cumulative GDPR fines have crossed €5 billion across all enforcement actions.
Is the EU-US Data Privacy Framework (DPF) safe to rely on?
The DPF (adopted July 10, 2023) provides a current legal basis for EU-US personal data transfers. However, privacy advocate Max Schrems has indicated intent to challenge the DPF as he challenged Privacy Shield (Schrems II) — “Schrems III” is expected. Organizations relying on DPF should plan for the framework to be challenged and prepare alternative transfer mechanisms (SCCs with TIAs, BCRs).
How do GDPR and the U.S. state privacy laws differ?
U.S. state laws (CCPA/CPRA, etc.) are broadly modeled on GDPR principles but have significant differences: most apply only to businesses meeting revenue or volume thresholds, the rights are narrower or carry broader exceptions (deletion rights are common but typically limited to data collected from the consumer, and there is no general lawful-basis requirement), enforcement is typically by the state attorney general rather than an independent supervisory authority, and penalties are generally lower. A GDPR-compliant program covers most U.S. state law obligations but not all — opt-out mechanisms for sale and targeted advertising, sale-of-data definitions, and sensitive-data definitions vary meaningfully.
What happens if a US company is hit with a GDPR fine?
EU supervisory authorities can issue fines and binding orders against any organization subject to GDPR, and Article 27 requires non-EU controllers and processors within its scope to designate a representative in the EU, which gives authorities a local point of contact. Collecting a fine from a US organization with no EU assets is harder in practice, and enforcement against such organizations has historically been limited, but the exposure is real: EU customers and partners will require evidence of compliance, orders can restrict processing of EU data, and a public enforcement decision carries commercial consequences. The Irish DPC has been the most prolific high-stakes enforcer because most US tech firms’ EU headquarters are in Dublin.
Where can I find authoritative GDPR guidance?
The European Data Protection Board (EDPB) publishes guidelines, opinions, and binding decisions. Member-state supervisory authorities (CNIL in France, the ICO for UK GDPR, the DPC in Ireland, the Garante in Italy, the federal BfDI plus the sixteen state authorities in Germany, etc.) publish national-level guidance. The GDPR text itself is freely available on EUR-Lex.
Conclusion
GDPR fundamentally reset data privacy expectations globally — beyond the EU itself, it shaped the wave of US state privacy laws, Brazil’s LGPD, China’s PIPL, India’s DPDP Act, and the UK’s post-Brexit framework. The 2018 fundamentals haven’t changed: lawful basis, data subject rights, breach notification, privacy by design. What has changed is the enforcement maturity (multi-billion-euro cumulative fines), the cross-border transfer rules (Schrems II, DPF, updated SCCs), the sister regulations (AI Act, DSA, DMA, NIS2, Data Act), and the global landscape of equivalent rules. Organizations that built compliance programs in 2018-2019 need to revisit them — supervisory authorities have published substantial guidance since, enforcement priorities have shifted, and the wider regulatory ecosystem has substantially changed the picture.