GDPR
Getting Started Guide

General Data Protection Regulation

The most stringent privacy law globally. Mandatory for any company processing personal data of EU/UK residents.

Audit Effort3–6 months for full compliance
Key FactFines up to €20M or 4% of global turnover

What Is GDPR?

The General Data Protection Regulation (GDPR) is the toughest privacy and security law in the world. Enacted by the European Union and entering into force in May 2018, it establishes rules for how organisations can process the personal data of EU (and UK, via UK GDPR) residents. It applies to any organisation, anywhere in the world, that targets or collects data related to people in the EU.

The regulation is built on seven key principles: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality (security); and accountability. It also grants individuals (data subjects) sweeping rights over their data, including the right to access, rectify, erase ('right to be forgotten'), restrict processing, and port their data.

Unlike SOC 2 or ISO 27001, GDPR is a legal mandate, not an auditable certification standard. However, non-compliance carries severe administrative fines—up to €20 million or 4% of worldwide annual turnover, whichever is higher, making it a critical board-level compliance requirement.

Does GDPR Apply to Your Organisation?

Understanding typical procurement requirements and compliance thresholds.

B2C Companies Targeting EU/UK

Any app or e-commerce platform offering goods or services to EU/UK residents must comply, regardless of where the company is based.

Mandatory

B2B SaaS with EU/UK Customers

If your software processes personal data (even just employee emails) for EU-based enterprise clients, you act as a Data Processor and must comply.

Mandatory

AdTech and Marketing Platforms

Companies that track EU user behavior, use cookies, or profile users for advertising face the highest scrutiny under GDPR.

Mandatory
You probably don't need GDPR if:
  • Companies that operate strictly locally outside the EU/UK and actively block EU/UK users or do not offer services in those regions.
  • Organizations that process exclusively anonymized data (not pseudonymized) where individuals can never be re-identified.
  • Individuals processing personal data for purely personal or household activities.

Why GDPR Matters in 2026

Understanding the current regulatory pressures and market adoption vectors.

Aggressive Enforcement

Data Protection Authorities (DPAs) across Europe are actively levying massive fines on both tech giants and mid-sized businesses for consent and processing violations.

Enterprise Vendor Procurement

EU enterprise buyers require a signed Data Processing Agreement (DPA) and proof of GDPR compliance before purchasing any SaaS tool.

Cross-Border Transfer Scrutiny

Transferring EU data to the US or India requires strict safeguards like Standard Contractual Clauses (SCCs) following recent legal rulings (Schrems II).

The Requirements

The core security controls and evidence parameters audited for GDPR.

How Long Does It Take?

A realistic phase-by-phase implementation roadmap for GDPR.

1
Weeks 1-4

Data Mapping & RoPA Setup

Identify all personal data collected, where it is stored, why it is processed, and who it is shared with.

Key Deliverable:Record of Processing Activities (RoPA), Data Flow Diagrams
2
Weeks 5-8

Privacy Policies & Consent

Update privacy notices, implement cookie banners, and ensure consent mechanisms are lawful.

Key Deliverable:External Privacy Policy, Cookie Policy, Consent UI/UX updates
3
Weeks 9-12

DSR Workflows & Security

Build the operational process for handling Data Subject Rights requests and execute DPAs with vendors.

Key Deliverable:DSR SOPs, Signed DPAs, DPIA templates
With Existing Certifications

8-10 weeks: If you have ISO 27001 or SOC 2, your security controls satisfy the GDPR 'integrity and confidentiality' principle, leaving only privacy operations to build.

Starting from Scratch

3-6 months: Establishing a compliant privacy program requires cross-functional coordination between legal, engineering, and product teams.

The Mistakes That Delay Most GDPR Programs

Sourced from real compliance audits. Avoid these pitfalls to keep your timeline on track.

Relying on 'Legitimate Interest' for everything

Why it happens:

Companies try to avoid asking for consent by claiming legitimate interest, but DPAs often reject this for marketing or aggressive tracking.

How to avoid it:

Conduct and document a Legitimate Interest Assessment (LIA). If the data is for direct marketing or profiling, get explicit consent.

Ignoring sub-processors

Why it happens:

Companies secure their own app but ignore that their analytics tool or CRM processes EU data non-compliantly.

How to avoid it:

Maintain a public list of sub-processors. Sign a DPA with every single one. If they don't offer a DPA, you cannot use them.

Dark patterns in cookie banners

Why it happens:

Making the 'Accept All' button huge and green, while hiding the 'Reject' option behind three menus.

How to avoid it:

Consent must be freely given. 'Accept' and 'Reject' options must be equally prominent on the first layer of the banner.

Loading Kickstart state...

Related Resources

Articles, guides, and tools to accelerate your compliance program.

Insights & Playbooks

GDPR Insights

Read practical security, engineering, and audit management playbooks from the GRC hub.

Visit the GRC Blog
Readiness Tools

GDPR Checklist

Assess your baseline control posture against GDPR criteria in 10 minutes.

Start Assessment
Decision Engine

Compare Frameworks

Not sure which framework is best for your current situation? Run our intake to see a prioritized recommendation roadmap.

Start Framework Finder

Frequently Asked Questions

Common queries about GDPR compliance and certification processes.