GDPR Explained: Who It Affects, Requirements & Penalties

Metrica.uno Team
5 min read
#GDPR #data protection #privacy #EU #compliance #fines

The General Data Protection Regulation (GDPR) is the European Union’s landmark privacy law. It governs how organizations collect, store, process, and share personal data of individuals in the EU. Since its enforcement in May 2018, it has fundamentally changed how businesses worldwide handle personal information.

If your organization touches data from anyone in the EU — whether you’re based in Berlin, Boston, or Bangkok — GDPR applies to you.

Who Does GDPR Affect?

Short answer: almost everyone. Unlike most regulations that target specific industries or company sizes, GDPR has no minimum threshold. If you process personal data of EU residents, you’re in scope.

Specifically, GDPR applies to:

  • Any organization based in the EU, regardless of size — from a one-person freelancer to a multinational corporation
  • Any organization outside the EU that offers goods or services to EU residents, or monitors their behavior (e.g., website analytics, ad tracking)
  • Data processors — if you handle data on behalf of another company (cloud providers, SaaS platforms, payroll services), you have direct obligations under GDPR
  • All sectors — healthcare, finance, education, retail, technology, manufacturing, public administration

Common Misconception

“We’re a small company, GDPR doesn’t apply to us.” Wrong. A dental clinic with 200 patients, a local gym with a membership database, a freelance web developer who installs analytics on client websites — all are in scope. GDPR has no revenue threshold, no employee minimum, no data volume floor.

Key Requirements

GDPR establishes seven core principles and a series of specific obligations:

1. Lawful Basis for Processing

You need a legitimate reason to process personal data. The six lawful bases are: consent, contract, legal obligation, vital interests, public task, and legitimate interest. “We want the data” is not a lawful basis.

2. Data Protection Officer (DPO)

You must appoint a DPO if you’re a public authority, if your core activities involve large-scale monitoring of individuals, or if you process special categories of data (health, biometrics, criminal records) at scale.

3. Data Protection Impact Assessment (DPIA)

Before starting high-risk processing activities, you must assess the risks to individuals and document how you’ll mitigate them. This includes automated decision-making, large-scale processing of sensitive data, and systematic monitoring of public areas.

4. Breach Notification

If a personal data breach occurs, you must notify your supervisory authority within 72 hours of becoming aware. If the breach poses a high risk to individuals, you must also notify them directly. No exceptions, no excuses.

5. Data Subject Rights

Individuals have powerful rights over their data:

Right          What It Means
Access         People can request a copy of all data you hold about them
Rectification  They can ask you to correct inaccurate data
Erasure        The “right to be forgotten” — they can ask you to delete their data
Portability    They can request their data in a machine-readable format to take elsewhere
Restriction    They can ask you to stop processing their data while a dispute is resolved
Objection      They can object to processing based on legitimate interest or direct marketing

6. Records of Processing Activities

You must maintain detailed records of what personal data you process, why, how, and for how long. This is your compliance backbone — regulators will ask for it first.

7. Privacy by Design and by Default

Data protection must be built into your systems and processes from the start, not bolted on as an afterthought. Default settings must be the most privacy-friendly option.

Why GDPR Matters Beyond Compliance

GDPR is not just about avoiding fines. It’s becoming a competitive advantage:

  • Enterprise contracts: Large companies increasingly require GDPR compliance from their vendors. No compliance evidence? No contract.
  • Consumer trust: 79% of Europeans say they are concerned about how their data is used. Demonstrating GDPR compliance builds trust.
  • Global standard: GDPR has inspired similar laws worldwide (Brazil’s LGPD, California’s CCPA, Japan’s APPI). Being GDPR-compliant often means you’re halfway compliant with other frameworks.
  • Reduced risk: Proper data governance reduces the attack surface and the impact of breaches. GDPR compliance is good security hygiene.

What Happens If You Don’t Comply

The Fines

GDPR fines operate on two tiers:

  • Lower tier: Up to €10 million or 2% of global annual turnover (whichever is higher) — for violations related to technical measures, record-keeping, and DPO obligations
  • Upper tier: Up to €20 million or 4% of global annual turnover (whichever is higher) — for violations of core principles, lawful basis, data subject rights, and international transfers

A Scenario That Keeps Compliance Officers Awake

This is an illustrative scenario based on real enforcement patterns.

A mid-size health clinic stores patient records on a shared drive with no encryption. An employee’s laptop — containing a local copy of 50,000 patient records — gets stolen from a car overnight. Medical histories, prescriptions, mental health notes, and insurance details end up on the dark web within days.

The clinic takes four days to realize the laptop is missing. They don’t notify the supervisory authority within 72 hours because “they’re still investigating.” They never notify patients because “they don’t want to cause panic.”

The consequences cascade:

  • A supervisory authority investigation reveals no encryption, no access controls, no data protection impact assessment, and no breach notification procedure
  • Fine: €4 million (4% of turnover)
  • A class-action lawsuit from affected patients
  • Media coverage that destroys the clinic’s reputation
  • Patients switch to competitors who can demonstrate proper data protection
  • The IT manager’s defense: “I didn’t think it would happen to us”

Since 2018, EU data protection authorities have issued over €4 billion in GDPR fines. Notable cases include:

  • Meta (Ireland): €1.2 billion for unlawful data transfers to the US
  • Amazon (Luxembourg): €746 million for non-compliant advertising targeting
  • TikTok (Ireland): €345 million for children’s data processing failures
  • H&M (Germany): €35 million for excessive employee surveillance

Small and medium businesses are not immune. Fines of €10,000–€500,000 are regularly issued to SMEs for basic failures: missing consent, inadequate breach notification, or failing to respond to data subject requests.

How to Get Started

If you’re starting from scratch, here are the first steps:

1. Map Your Data

Before you can protect data, you need to know what you have. Document:

  • What personal data do you collect?
  • Why do you collect it?
  • Where is it stored?
  • Who has access?
  • How long do you keep it?

2. Establish Your Lawful Basis

For each processing activity, identify your lawful basis. If you’re relying on consent, make sure it meets GDPR standards: freely given, specific, informed, and unambiguous. Pre-ticked boxes and buried consent in terms of service don’t count.

3. Set Up Breach Response

Create a breach response plan before you need one. Define who gets notified, how you assess severity, and how you’ll contact your supervisory authority within 72 hours. Practice it.

4. Respond to Data Subject Requests

Build a process for handling access, deletion, and portability requests. You have 30 days to respond. Automate where possible — manual processes break down at scale.

5. Assess Your Risk

Use a compliance assessment tool to identify gaps across all GDPR requirements. Prioritize the highest-risk areas first: breach notification, lawful basis, and data subject rights.
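As an added example (not code from the article or from Metrica.uno), the following Python module turns steps 1 to 4 above into a minimal records-of-processing register with automated checks: each entry records what data is held, why, where, who has access and for how long; each entry is checked against the six lawful bases and the consent standard; large-scale special-category data is flagged as needing a DPIA; and the 72-hour breach notification and 30-day data subject request windows the article cites are computed from timestamps. The dataclass fields, the sample register and the sample timestamps are constructed for the demonstration and are not drawn from any real organization.

```python
"""Minimal GDPR processing register and deadline helper.
Illustrative example, not Metrica.uno code: field names, the sample
register and the sample timestamps are constructed for this demo."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List

# The six lawful bases named in the article (Art. 6 GDPR).
LAWFUL_BASES = {"consent", "contract", "legal_obligation",
                "vital_interests", "public_task", "legitimate_interest"}
# Special categories the article names as triggering extra obligations.
SPECIAL_CATEGORIES = {"health", "biometrics", "criminal_records"}

BREACH_NOTIFICATION_WINDOW = timedelta(hours=72)  # notify supervisory authority
DSAR_RESPONSE_WINDOW = timedelta(days=30)         # figure used in the article


@dataclass
class ProcessingActivity:
    """One row of the records of processing activities (step 1: map your data)."""
    name: str
    data_categories: List[str]   # what personal data is collected
    purpose: str                 # why it is collected
    storage_location: str        # where it is stored
    access_roles: List[str]      # who has access
    retention_days: int          # how long it is kept (0 = undefined)
    lawful_basis: str            # one of LAWFUL_BASES (step 2)
    valid_consent: bool = False  # freely given, specific, informed, unambiguous
    large_scale: bool = False    # relevant to DPO / DPIA triggers


def validate_activity(act: ProcessingActivity) -> List[str]:
    """Return the compliance gaps found in one register entry (empty = none found)."""
    gaps = []
    if act.lawful_basis not in LAWFUL_BASES:
        gaps.append(f"{act.name}: '{act.lawful_basis}' is not one of the six lawful bases")
    elif act.lawful_basis == "consent" and not act.valid_consent:
        gaps.append(f"{act.name}: consent must be freely given, specific, informed and unambiguous")
    if not act.purpose.strip():
        gaps.append(f"{act.name}: no documented purpose")
    if act.retention_days <= 0:
        gaps.append(f"{act.name}: no retention period defined")
    if not act.access_roles:
        gaps.append(f"{act.name}: no access control documented")
    special = SPECIAL_CATEGORIES.intersection(act.data_categories)
    if special and act.large_scale:
        gaps.append(f"{act.name}: large-scale special-category data "
                    f"({', '.join(sorted(special))}) requires a DPIA before processing")
    return gaps


def validate_register(register: List[ProcessingActivity]) -> List[str]:
    """Run validate_activity over the whole register and flatten the findings."""
    return [gap for act in register for gap in validate_activity(act)]


def breach_notification_deadline(aware_at: datetime) -> datetime:
    """Latest time the supervisory authority must be notified (step 3)."""
    return aware_at + BREACH_NOTIFICATION_WINDOW


def breach_notification_late(aware_at: datetime, notified_at: datetime) -> bool:
    """True when the notification went out after the 72-hour window closed."""
    return notified_at > breach_notification_deadline(aware_at)


def dsar_response_deadline(received_at: datetime) -> datetime:
    """Latest time to answer an access, erasure or portability request (step 4)."""
    return received_at + DSAR_RESPONSE_WINDOW


# Constructed sample register: one well-documented activity, one with gaps.
SAMPLE_REGISTER = [
    ProcessingActivity("payroll", ["name", "bank_account"], "pay salaries",
                       "hr-db", ["hr"], 365 * 7, "legal_obligation"),
    ProcessingActivity("patient_records", ["name", "health"], "treatment",
                       "shared-drive", [], 0, "consent",
                       valid_consent=False, large_scale=True),
]

# Constructed timestamps: awareness of a breach, and a notification four
# days later (the delay in the article's clinic scenario).
SAMPLE_AWARE_AT = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
SAMPLE_NOTIFIED_AT = SAMPLE_AWARE_AT + timedelta(days=4)

if __name__ == "__main__":
    for gap in validate_register(SAMPLE_REGISTER):
        print("GAP:", gap)
    print("notify authority by:", breach_notification_deadline(SAMPLE_AWARE_AT).isoformat())
    print("notification late:", breach_notification_late(SAMPLE_AWARE_AT, SAMPLE_NOTIFIED_AT))
```

Running the module prints four gaps for the patient_records entry (invalid consent, no retention period, no access control, DPIA required) and none for payroll, and reports the four-day notification as late. The register is deliberately a plain data structure so it can be exported for a regulator or loaded from a spreadsheet; the checks are the ones a first-pass gap assessment (step 5) would automate.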


GDPR compliance is a journey, not a destination. Start with the basics, build systematically, and improve continuously. The cost of compliance is always lower than the cost of a breach.
