European Union · EU / EEA

GDPR

The EU regulation governing the processing of personal data.

The General Data Protection Regulation (Regulation (EU) 2016/679, applicable since 25 May 2018) is the EU’s comprehensive data-protection law. It governs the processing of personal data of individuals who are in the EU/EEA and applies extraterritorially: an organisation with no EU establishment is still in scope if it offers goods or services to, or monitors the behaviour of, individuals in the EU/EEA (Art. 3). The test is where the individual is, not their citizenship or residence. This is a practical compliance guide, not legal advice.

The seven principles

  • Lawfulness, fairness & transparency: process on a lawful basis (Art. 6), fairly, and be transparent with data subjects about what is done with their data.
  • Purpose limitation: collect for specified, explicit and legitimate purposes, and do not further process the data in a way incompatible with those purposes.
  • Data minimisation: process only what is adequate, relevant and limited to what is necessary for the purpose.
  • Accuracy: keep personal data accurate and, where necessary, up to date; correct or erase inaccurate data without delay.
  • Storage limitation: keep data in identifiable form no longer than necessary for the purpose.
  • Integrity & confidentiality: apply appropriate technical and organisational measures against unauthorised or unlawful processing and against accidental loss, destruction or damage (Art. 5(1)(f), detailed in Art. 32).
  • Accountability: the controller is responsible for, and must be able to demonstrate, compliance with all of the above.

The six lawful bases

  • Consent — freely given, specific, informed and unambiguous, given by a clear affirmative act; pre-ticked boxes and silence do not count, and withdrawing consent must be as easy as giving it.
  • Contract — necessary to perform a contract with the data subject, or to take steps at their request before entering into one.
  • Legal obligation — necessary to comply with a legal obligation under EU or member-state law (a purely contractual obligation does not qualify).
  • Vital interests — necessary to protect the life of the data subject or another natural person; in practice reserved for emergencies.
  • Public task — necessary for a task carried out in the public interest or in the exercise of official authority.
  • Legitimate interests — necessary for the controller’s or a third party’s legitimate interests, unless overridden by the individual’s interests and rights; document the balancing test, and note that this basis is not available to public authorities acting in their official tasks.

Special-category data (health, biometrics, political opinions and the like) additionally requires one of the Art. 9 conditions on top of the Art. 6 basis.

Data-subject rights

  • Information & access: know what data is held, why, with whom it is shared and for how long, and obtain a copy (Art. 13–15). Requests must normally be answered within one month, extendable by two further months for complex or numerous requests.
  • Rectification: have inaccurate data corrected and incomplete data completed.
  • Erasure ("right to be forgotten"): have data deleted in defined circumstances, e.g. when it is no longer needed for the purpose, consent is withdrawn, or the processing was unlawful; the right is not absolute and yields to exemptions such as legal obligations.
  • Restriction: limit processing in certain cases, e.g. while the accuracy of the data is being contested.
  • Data portability: receive the data the individual provided in a structured, commonly used and machine-readable format, and have it transmitted to another controller; applies only to processing based on consent or contract that is carried out by automated means.
  • Object: object to processing based on legitimate interests or public task, and at any time to direct marketing, which must then stop.
  • Rights re automated decisions: not be subject to a decision based solely on automated processing, including profiling, that produces legal or similarly significant effects, outside the Art. 22 exceptions.

Key obligations

  • Maintain Records of Processing Activities (ROPA) under Art. 30. The exemption for organisations with fewer than 250 employees does not apply where processing is more than occasional, is likely to risk individuals’ rights, or involves special-category or criminal-offence data, so in practice most organisations need one.
  • Conduct Data Protection Impact Assessments (DPIAs) before starting high-risk processing (e.g. large-scale profiling, systematic monitoring, special-category data at scale), and consult the supervisory authority where residual risk remains high (Art. 35–36).
  • Appoint a Data Protection Officer (DPO) where required: public authorities, or where core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special-category or criminal-offence data (Art. 37).
  • Implement data protection by design and by default (Art. 25): build minimisation, pseudonymisation and access restriction into systems, and make the least privacy-intrusive configuration the default.
  • Use compliant controller–processor agreements containing the mandatory Art. 28 terms: documented instructions, confidentiality, security measures, sub-processor approval, assistance with rights and breaches, deletion or return at end of service, and audit rights.
  • Notify the supervisory authority of a personal-data breach within 72 hours of becoming aware of it unless the breach is unlikely to result in a risk to individuals; document every breach whether or not it is reported; and inform affected individuals without undue delay where the risk is high (Art. 33–34). Processors must notify their controller without undue delay.
  • Ensure a lawful mechanism for transfers outside the EU/EEA: an adequacy decision, Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs), with a transfer impact assessment of the destination country’s laws where SCCs or BCRs are relied on. Art. 49 derogations cover only the specific situations they list and are not a general fallback.

Compliance roadmap

  1. Data mapping — build the ROPA across systems, vendors and transfers.
  2. Establish lawful bases and update privacy notices and consent flows.
  3. Implement data-subject-rights and breach-response processes.
  4. Run DPIAs for high-risk processing; appoint a DPO if required.
  5. Govern processors and international transfers (SCCs/adequacy).
  6. Secure the data and evidence accountability; operate and improve.

Penalties

  • Lower tier (Art. 83(4): controller and processor obligations such as records, DPO, DPIAs, security, processor contracts, breach notification, certification): up to €10 million or 2% of total worldwide annual turnover of the preceding financial year, whichever is higher.
  • Upper tier (Art. 83(5)–(6): the principles and lawful bases, data-subject rights, international transfers, member-state law obligations, and non-compliance with a supervisory authority order): up to €20 million or 4% of total worldwide annual turnover of the preceding financial year, whichever is higher.

Fines are not the only exposure: supervisory authorities can also order processing to be suspended or stopped, and individuals who suffer damage can claim compensation from the controller or processor (Art. 82).

GDPR vs DPDP Act (India)

Both are consent- and rights-based privacy laws built on similar principles, so a GDPR programme gives a strong head start on India’s Digital Personal Data Protection Act, 2023 (DPDP). DPDP nonetheless has its own roles (Data Fiduciary, Data Principal, Consent Manager), its own penalty structure and India-specific requirements, and it differs in scope: it covers digital personal data only and relies on consent plus a defined list of "legitimate uses" rather than GDPR’s six lawful bases, so lawful-basis mapping cannot simply be copied across.

How CyberSigma helps

We run GDPR readiness — data mapping/ROPA, lawful-basis and consent design, DPIAs, data-subject-rights and breach processes, transfer mechanisms and DPO advisory — and align it with your DPDP obligations.

Frequently asked questions

Does GDPR apply to companies outside the EU?
Yes. If you offer goods or services to, or monitor the behaviour of, individuals in the EU/EEA, GDPR applies regardless of where you are established, and you will usually need to designate a representative in the EU (Art. 27).
GDPR vs India’s DPDP Act — how do they compare?
Both are consent- and rights-based privacy laws with similar principles. DPDP is India-specific with its own penalty structure; a GDPR programme gives you a strong head start on DPDP.

Need help with GDPR?

Our CERT-In empanelled and PCI QSA senior auditors can take you from reading about GDPR to being compliant, with a scoped, guided programme.