AuditXYZ

General Data Protection Regulation (EU) 2016/679

The GDPR is the world's most influential data protection law, setting the standard for how organizations collect, process, and protect personal data of individuals in the EU and EEA. This guide covers lawful bases, data subject rights, breach notification, and practical compliance steps.

Issuing Body: European Parliament and Council of the European Union
First Published: 2016-04-27
Latest Version: 2016 (enforced May 25, 2018)
Typical Cost: $10,000–$250,000
Typical Timeline: 3–12 months
Audit Required: No
Audit Frequency: No mandatory external audit, but Data Protection Impact Assessments (DPIAs) are required for high-risk processing. Supervisory authorities may conduct audits at any time.
Geography: EU, EEA, global

GDPR: The Complete Guide

The General Data Protection Regulation is the European Union's landmark privacy law that has reshaped how organizations worldwide handle personal data. Enacted in 2016 and enforced since May 25, 2018, the GDPR applies to any organization that processes the personal data of individuals located in the EU or EEA, regardless of where the organization itself is based.

What the GDPR Covers

The GDPR establishes six lawful bases for processing personal data: consent, contractual necessity, legal obligation, vital interests, public task, and legitimate interests. Organizations must identify and document which basis applies to each processing activity before data collection begins.

Data subjects are granted extensive rights including access, rectification, erasure ("right to be forgotten"), data portability, restriction of processing, and the right to object. Controllers must respond to valid requests within one month.

Who Needs to Comply

Any organization that offers goods or services to EU residents or monitors their behavior falls within the GDPR's scope. This extraterritorial reach means that a SaaS company in San Francisco serving European customers is just as bound by the regulation as a Berlin-based startup.

Organizations processing personal data on a large scale or handling special categories of data (health, biometric, genetic) must appoint a Data Protection Officer and conduct Data Protection Impact Assessments for high-risk activities.

Enforcement and Penalties

Supervisory authorities in each EU member state enforce the GDPR. Penalties reach up to 20 million euros or 4% of annual global turnover, whichever is higher. Since enforcement began, regulators have issued billions of euros in fines, with major penalties against technology companies, airlines, and financial institutions.

Practical Compliance Steps

  1. Data mapping — Inventory all personal data flows and processing activities
  2. Legal basis identification — Document the lawful basis for each processing activity
  3. Privacy notices — Update notices to meet GDPR transparency requirements
  4. Rights mechanisms — Implement processes to handle data subject requests
  5. Vendor management — Execute Data Processing Agreements with all processors
  6. Breach response — Establish a 72-hour breach notification procedure
  7. Training — Educate staff on data protection obligations and incident reporting

Compliance is not a one-time project. Organizations must continuously monitor processing activities, update records, and adapt to evolving regulatory guidance from supervisory authorities.
