GDPR: General Data Protection Regulation
If you collect, store, or process personal data of EU residents (emails, names, IP addresses, cookies), GDPR requires you to protect that data, respect individual rights, and report breaches within 72 hours.
GDPR in Plain English
GDPR is the EU's privacy law that says if you collect any personal information about people in Europe, you must protect it properly and respect their rights. This includes obvious things like names and emails, but also less obvious data like IP addresses, cookies, and device IDs.
Start Here - Pick What Fits You Best
Choose your approach based on your business type and current compliance level:
- Quick Assessment: Check your GDPR compliance status and get personalized recommendations
- Browse GDPR Articles: Read all 99 GDPR articles with highlights and notes
- Website Audit: Scan your website for GDPR compliance issues
- Create Privacy Policy: Generate a compliant privacy policy for your business
- Download Checklist: Get a complete GDPR compliance checklist to work offline
- Breach Response Kit: Get ready for potential data breaches with response templates
- Get Expert Help: Work with our privacy compliance specialists
Your 8-Step Path to GDPR Compliance
Follow these steps to achieve full compliance. Each step builds on the previous one, creating a comprehensive compliance program.
1. Map Your Data Processing
Understand what personal data you collect, where it comes from, and how you use it
2. Establish Legal Basis for Processing
Ensure you have valid legal grounds for collecting and using personal data
3. Implement Data Subject Rights
Set up processes to handle individual requests about their personal data
4. Implement Privacy by Design
Build privacy protection into your systems and processes from the start
5. Secure Personal Data
Protect personal data with appropriate technical and organizational measures
6. Manage Third-Party Processors
Ensure vendors and partners also protect personal data properly
7. Set Up Data Governance
Create oversight and accountability for data protection across your organization
8. Prepare for Data Breaches
Create processes to detect, respond to, and report data breaches within 72 hours
What GDPR Actually Requires You to Do
Lawful Basis
Have valid legal grounds for processing personal data:
- Consent
- Contract necessity
- Legitimate interests
Data Subject Rights
Enable individuals to control their personal data:
- Right to access
- Right to erasure
- Right to portability
Privacy by Design
Build privacy protection into systems by default:
- Data minimization
- Privacy-friendly defaults
- Proactive protection
Breach Notification
Report data breaches within 72 hours:
- Authority notification
- Data subject notification
- Breach documentation
Data Protection Officer
Appoint a DPO when required by law:
- Public authorities
- Large-scale monitoring
- Special category data
Documentation
Maintain records of processing activities:
- Processing register
- Privacy policies
- Impact assessments
Free GDPR Compliance Tools
- Gap Analysis Tool: Assess your current GDPR compliance status
- Privacy Policy Generator: Create compliant privacy policies for your website
- Cookie Checker: Audit your website cookies for GDPR compliance
- Data Audit Tool: Comprehensive audit of your data processing activities
- Breach Response Kit: Templates for 72-hour breach notification requirements
- DPO Assessment: Check if you need a Data Protection Officer
Common GDPR Questions
Who needs to comply with GDPR?
GDPR applies to any organization that processes personal data of EU residents:
- EU companies processing personal data
- Non-EU companies offering goods/services to EU residents
- Non-EU companies monitoring EU residents' behavior
- Size doesn't matter - applies to all organizations
What counts as personal data under GDPR?
Personal data is any information relating to an identified or identifiable person:
- Names, email addresses, phone numbers
- IP addresses, device IDs, location data
- Photos, videos, audio recordings
- Online identifiers, cookies, user IDs
- Financial information, health records
- Any data that can identify someone directly or indirectly
Do I need a Data Protection Officer (DPO)?
You must appoint a DPO if your organization:
- Is a public authority or body
- Engages in large-scale systematic monitoring
- Processes large-scale special category data (health, biometric, etc.)
- Note: Most small websites and apps don't need a DPO
What's the difference between controllers and processors?
Understanding your role determines your responsibilities:
- Controller: Decides why and how personal data is processed (you set the rules)
- Processor: Processes personal data on behalf of the controller (you follow their rules)
- Joint controllers: Multiple organizations jointly decide processing purposes
- Most businesses are controllers for their customer data
How long can I keep personal data?
GDPR requires data minimization and storage limitation:
- Keep data only as long as necessary for the original purpose
- Delete data when the legal basis no longer applies
- Some data may need longer retention for legal compliance
- Document your retention periods in a retention policy
What about international data transfers?
Transferring personal data outside the EU requires additional safeguards:
- Adequacy decisions: EU approves certain countries as 'safe'
- Standard Contractual Clauses (SCCs): Contractual protection
- Binding Corporate Rules (BCRs): For multinational companies
- US companies: Data Privacy Framework (replacing Privacy Shield)
Ready to Get GDPR Compliant?
GDPR has been in effect since 2018. If you're not compliant yet, start today with our free assessment.