The General Data Protection Regulation (GDPR) is a comprehensive data protection law that safeguards the privacy and personal data of people living within the EU and the European Economic Area. GDPR governs the collection, processing, and storage of personal information.
Any organization that handles EU residents’ data must adhere to GDPR, regardless of where it is located; for example, a U.S. company that does business in the EU still must follow GDPR.
Successfully conducting business in Europe requires organizations to follow GDPR guidance—or risk hefty penalties. For example, the Information Commissioner’s Office (ICO) fined British Airways £20 million (about US$24 million) in 2020 for mishandling the personal data of 400,000 customers.
The history of GDPR
The passage of GDPR culminated decades of efforts to protect EU resident data. The final regulation incorporated principles from earlier guidance, such as the 1950 European Convention on Human Rights, which established the right to privacy as a fundamental human right. It also adopted the 2000 Charter of Fundamental Rights of the European Union, which established the right to have personal data protected.
However, GDPR’s primary precursor was the 1995 Data Protection Directive. It outlined initial standards for data privacy across member states. However, the rising number of EU internet users between the 1990s and the 2000s mandated a more robust and unified approach to data privacy. In 2012, the European Commission proposed a reform of existing data protection rules.
There were numerous motivations for reforming existing EU data regulations. EU lawmakers primarily sought to:
- Create a unified framework for data management. The hope was that one comprehensive set of regulations for the region would make compliance easier for entities that operate in the EU.
- Improve residents’ control of personal data. Lawmakers designed GDPR to enable individuals to control how their personal information is acquired, used, and potentially shared.
- Protect the privacy of individuals. Policymakers were increasingly concerned that, in some cases, organizations used personal data in a manner that violated privacy rights.
- Prevent data breaches and strengthen data security. The EU charged organizations with safeguarding their customers’ personal information and swiftly responding to data breaches.
After years of negotiations and revisions, the final text of GDPR was approved in 2016 and became enforceable on May 25, 2018. Its passage was groundbreaking and influenced other data privacy laws worldwide, such as the California Consumer Privacy Act in the U.S. and the General Data Protection Law in Brazil, both of which were passed in 2018.
What GDPR says about personal data
According to the European Commission, personal data is “any information that relates to an identified or identifiable living individual,” such as their name, contact information, or an Internet Protocol (IP) address.
Key principles of GDPR
GDPR outlines seven principles for how organizations may use personal data.
- Lawfulness, fairness, and transparency. This principle mandates that personal data should only be used in a way that is legal and fair to the resident. In addition, how a resident’s data will be used—from start to finish of their business interaction—should be transparent and easy to understand.
- Purpose limitation. Organizations must have a specific reason for acquiring or using personal data and must disclose that purpose to the individual from the start.
- Data minimization. Only necessary data should be collected and stored.
- Accuracy. Efforts should be taken to ensure personal data is accurate.
- Storage limitation. Data should only be stored for as long as it is needed, not indefinitely.
- Integrity and confidentiality. Personal data should be stored securely.
- Accountability. Organizations must be able to demonstrate their adherence to GDPR.
A company with EU customers should create a data policy to document its compliance with the above GDPR principles.
Data subject rights
GDPR also enumerates individuals’ rights regarding their data.
- Right to be informed. Individuals should know why their personal data is being collected and how it will be used.
- Right to access. EU residents are entitled to see the acquired personal information and have access to it within one month at no cost.
- Right to rectification. Individuals can request that inaccuracies in their personal data be fixed in a timely manner.
- Right to erasure (“right to be forgotten”). Individuals may request that their personal data be permanently deleted.
- Right to data portability. EU residents have the right to access their data in a format that is easy to transfer (in essence, the data must be universally machine-readable).
- Right to restrict processing. Individuals can ask a company not to process their data.
- Right to object. EU residents may opt out of data processing for specific purposes (marketing, for example).
- Rights related to automated decision-making, including profiling. Individuals can refuse to allow computer programs to decide how their data are used.
Businesses should develop an organizational policy for handling customers’ data with their legal team or an expert third party to ensure that EU residents’ rights are upheld and compliance is maintained.
Be aware that infringements on EU residents’ data rights are costly. According to DLA Piper’s 2025 GDPR Fines and Data Breach Survey, US$1.26 billion in fines were levied against businesses in 2024 for noncompliance with GDPR.
Consent requirements
GDPR establishes strict requirements for obtaining valid consent from individuals regarding their personal data processing.
Explicitly ask for consent before collecting or processing data
Under GDPR, consent must be explicit, specific, informed, and unambiguous. Individuals should be able to take clear and unambiguous actions to indicate that they consent to data collection.
Pre-ticked boxes, silence, or inactivity are prohibited as forms of consent. Organizations must also present consent requests in clear, plain language that explains the specific purposes of data collection, how the data will be used, and whether third parties will be involved.
Create clear opt-in mechanisms
Note that each distinct data processing activity requires separate opt-in or consent mechanisms. This allows people to make granular choices about how an organization uses their data.
Consent must be freely given without pressure or negative consequences. Individuals must also have the right to withdraw their consent as easily as they provided it.
To ensure compliance, organizations should seek consent using unchecked boxes or explicit opt-in mechanisms. When in doubt, make the consent process transparent and active rather than passive.
Data breach notifications
Under GDPR, organizations must report data breaches to both authorities and individuals as soon as possible and within 72 hours of becoming aware of them. When individuals are informed of a breach, they are empowered to protect themselves (to the extent possible) from potential consequences.
Consider the hacking of an online retailer doing business in the EU. Customers’ data, which could include financial information (credit card numbers, banking information), contact information (home address, phone number), and shopping history (items purchased, on-site browsing trail), could all be leaked. The retailer must inform the customer what data has been compromised so that they can take swift action, like freezing their credit card.
In addition, when reporting a data breach, companies must clearly explain to their customers what happened, what problems it might cause their customers, and what steps they are taking to fix the situation.
Controller and processor responsibilities
Under GDPR, data controllers and data processors have different roles and responsibilities regarding personal data management.
Data controllers vs. data processors
A data controller is an individual or organization that decides why and how personal data should be processed, while a data processor follows the controller’s instructions.
Data controllers bear the primary responsibility for GDPR compliance, including deciding when and how data will be collected. Data processors follow the controller’s guidelines to maintain data security.
Documentation, impact assessments, and adherence to approved codes of conduct
Both data controllers and data processors are required to create and maintain documentation of their data processing activities. Data controllers must conduct data protection impact assessments when new, potentially high-risk data processing activities are proposed. These impact assessments are designed to help identify and address potential risks before processing begins.
Both data controllers and data processors can demonstrate their commitment to compliance by following approved industry codes of conduct.
Compliance challenges
Businesses must follow GDPR rules to protect the data of EU residents. However, complying with GDPR is not always straightforward, and companies using legacy systems and third-party vendors may find it difficult.
Adapting legacy systems to comply with GDPR
Companies that use legacy data processing and storage systems have particular difficulty staying GDPR-compliant. Legacy systems, often built before modern privacy requirements, present substantial compliance challenges due to outdated security features, complex integration requirements, and lack of vendor support.
These older systems frequently store data in fragmented formats, making it difficult to implement essential GDPR requirements, such as data mapping and subject access requests.
Ensuring third-party vendors align with GDPR principles
To remain compliant with GDPR, businesses must find out if all external partners securely store data. Companies must thoroughly assess their vendors’ data handling practices, implement comprehensive compliance agreements, and maintain ongoing monitoring to prevent potential data breaches or compliance violations.
Best practices for GDPR compliance
Organizations must take proactive steps to maintain GDPR compliance through systematic data management and oversight.
- Audit data regularly. Audits can identify compliance gaps, detect potential vulnerabilities or discover breaches, ensure data accuracy, and demonstrate accountability to authorities and the public. Using tools like DataGuard for compliance audits or partnering with an Employer of Record (EOR) simplifies GDPR adherence for global businesses.
- Train employees on GDPR principles. Employees who encounter personal data in the course of their work should be taught about GDPR and the importance of handling customers’ data with care.
- Employ Data Protection Officers (DPOs) where required. For many organizations, especially those processing large amounts of sensitive data, appointing a DPO is not just a legal requirement but a strategic necessity. The DPO oversees compliance efforts and maintains robust data protection practices.
How to ensure GDPR compliance
Businesses expanding into EU territories or managing the data of EU residents must comply with GDPR mandates. That’s why many organizations partner with an Employer of Record (EOR), such as Velocity Global, to help them with their global journey and expand their global reach while being confident that they are doing so compliantly.
Feel free to reach out. We’d love to chat about what GDPR means for your business!
Disclaimer: The intent of this document is solely to provide general and preliminary information for private use. Do not rely on it as an alternative to legal, financial, taxation, or accountancy advice from an appropriately qualified professional. © 2025 Velocity Global, LLC. All rights reserved.