The General Data Protection Regulation is now over six years old, and enforcement shows no signs of slowing. Yet many businesses — including those that have invested in compliance programmes — still operate with significant gaps in their understanding of what the regulation actually requires. This guide covers the essentials: history, scope, principles, individual rights, and operational requirements.
Where GDPR came from
The European Commission first proposed a comprehensive reform of EU data protection rules in 2012. The previous framework — the 1995 Data Protection Directive — required national transposition, which produced inconsistent rules across member states. A company operating in Germany and France faced two meaningfully different data protection regimes.
Negotiations took four years, reflecting genuine tension between privacy rights and commercial interests. The regulation was formally adopted on 27 April 2016 and entered into force on 25 May 2016, with a two-year implementation period. Enforcement began on 25 May 2018.
The regulation was shaped by several converging pressures: growing public concern about tech company data practices, a string of major data breaches in the early 2010s, the Snowden revelations of 2013, and the European Court of Justice's Schrems I ruling in 2015, which invalidated the EU-US Safe Harbour framework for data transfers.
Who GDPR applies to
GDPR has significant extraterritorial scope under Article 3. It applies to any organisation processing the personal data of individuals in the EU or EEA, regardless of where the organisation is established. A US company whose app is used by EU residents is within scope. A Singapore-based SaaS platform that serves European enterprise customers is within scope.
The regulation distinguishes two key roles: controllers, who determine the purposes and means of processing, and processors, who process data on behalf of controllers. Both carry legal obligations, but controllers bear primary responsibility.
The six principles of Article 5
GDPR is built on six data protection principles that apply to all processing activity:
- Lawfulness, fairness, and transparency: Processing must have a valid legal basis. Individuals must be clearly informed about how their data is used.
- Purpose limitation: Data collected for one purpose cannot be repurposed for an incompatible use without a separate legal basis.
- Data minimisation: Only collect what is actually necessary for the stated purpose. Collecting data "in case it's useful later" fails this test.
- Accuracy: Personal data must be kept accurate and up to date, with procedures to identify and correct inaccurate data.
- Storage limitation: Data must not be kept longer than necessary. Define and document retention periods for each data category.
- Integrity and confidentiality: Appropriate security measures must protect personal data against unauthorised access, loss, or destruction.
Article 5(2) adds a seventh principle — accountability — that is in many ways the most operationally demanding. Controllers must not only comply with these principles but be able to demonstrate that compliance through documentation.
The six lawful bases
Every processing activity requires a lawful basis under Article 6. There are six:
- Consent (6(1)(a)): Freely given, specific, informed, and unambiguous indication of agreement. Must be as easy to withdraw as to give. Not suitable for employment contexts due to power imbalance.
- Contract (6(1)(b)): Processing necessary for a contract with the data subject, or to take steps at their request before entering a contract.
- Legal obligation (6(1)(c)): Processing required to comply with a legal obligation. Must be a Union or member state law obligation.
- Vital interests (6(1)(d)): Processing necessary to protect someone's life. Narrow application — not a substitute for other bases.
- Public task (6(1)(e)): Processing necessary for a task in the public interest or the exercise of official authority.
- Legitimate interests (6(1)(f)): Processing necessary for the legitimate interests of the controller or a third party, where those interests are not overridden by the data subject's rights and freedoms. Requires a documented Legitimate Interests Assessment (LIA).
Individual rights — the 30-day clock
GDPR gives data subjects eight rights. A request exercising any of them must be answered within 30 calendar days (extendable to 90 days for complex requests, provided the data subject is notified of the extension). Missing this deadline is an independent Article 12 violation, regardless of the merits of the underlying request.
- Right of access (Art. 15): Receive a copy of all personal data held, plus information about processing purposes, recipients, retention periods, and other specified details.
- Right to rectification (Art. 16): Have inaccurate or incomplete data corrected.
- Right to erasure (Art. 17): Request deletion. Subject to exemptions for legal obligations, public interest, and legitimate grounds.
- Right to restriction (Art. 18): Pause processing while a dispute is resolved or an objection is considered.
- Right to data portability (Art. 20): Receive data in a structured, machine-readable format, applicable where processing is based on consent or contract and carried out by automated means.
- Right to object (Art. 21): Object to processing based on legitimate interests or public task, and to direct marketing at any time with no grounds required.
- Rights related to automated decision-making (Art. 22): Not to be subject to solely automated decisions with significant legal effects without human review.
Key operational requirements
Beyond rights and principles, GDPR imposes several operational obligations:
- Records of Processing Activities (ROPA, Art. 30): A documented inventory of all processing activities. Must include purpose, legal basis, data categories, retention periods, recipients, and sub-processors. Required for organisations with 250+ employees, and practically for any organisation processing personal data at scale or high risk.
- Data Processing Agreements (DPAs, Art. 28): Mandatory contracts with every third-party processor. Must specify the subject matter, duration, nature, purpose, and type of processing, and impose GDPR-equivalent obligations on the processor.
- Data Protection Impact Assessments (DPIAs, Art. 35): Required before any processing likely to result in high risk — typically large-scale processing of sensitive data, systematic profiling, or use of new technologies.
- 72-hour breach notification (Art. 33): Personal data breaches must be notified to the supervisory authority within 72 hours of the controller becoming "aware." Awareness is interpreted as awareness of a reasonable probability — not certainty.
- Privacy notices (Art. 13/14): Comprehensive information provided to data subjects at or before the time of collection. Must include controller identity, contact details, processing purpose, legal basis, retention period, and data subject rights.
Enforcement and fines
GDPR introduced a two-tier fine structure. Tier 1 (up to €10 million or 2% of global annual turnover) applies to organisational failings such as inadequate records or failure to notify breaches. Tier 2 (up to €20 million or 4% of global annual turnover) applies to substantive violations of core principles, unlawful processing, or failure to respect data subject rights.
Supervisory authorities across the EU (the national data protection authorities, not to be confused with the Data Processing Agreements above) have now issued over €4 billion in total fines since 2018. The trajectory is upward. The Meta Ireland €1.2 billion fine in 2023, the Amazon €746 million fine in 2021, and the WhatsApp €225 million fine in 2021 represent the upper range, but thousands of smaller fines are issued each year for operational failures that well-run compliance programmes would have prevented.
GDPR compliance is not a project with a finish line. It is an ongoing operational programme requiring active management, regular documentation reviews, and process ownership. The companies that treat it as infrastructure rather than a one-time exercise are the ones that avoid enforcement.