The General Data Protection Regulation is the EU’s comprehensive data-protection law. It governs processing of the personal data of individuals in the EU/EEA and applies extraterritorially to organisations outside the EU that target or monitor EU residents. This is a practical compliance guide, not legal advice.
The seven principles
| Principle | Meaning |
|---|---|
| Lawfulness, fairness & transparency | Process on a lawful basis, fairly and openly |
| Purpose limitation | Collect for specified, explicit, legitimate purposes |
| Data minimisation | Only what is adequate, relevant and necessary |
| Accuracy | Keep personal data accurate and up to date |
| Storage limitation | Keep no longer than necessary |
| Integrity & confidentiality | Secure the data appropriately |
| Accountability | Be able to demonstrate compliance |
The six lawful bases
- Consent — freely given, specific, informed and unambiguous.
- Contract — necessary to perform a contract with the data subject.
- Legal obligation — necessary to comply with the law.
- Vital interests — to protect someone’s life.
- Public task — for official functions in the public interest.
- Legitimate interests — necessary for legitimate interests, balanced against the individual’s rights.
Data-subject rights
| Right | What it allows |
|---|---|
| Information & access | Know what data is held and obtain a copy |
| Rectification | Correct inaccurate data |
| Erasure ("right to be forgotten") | Have data deleted in defined circumstances |
| Restriction | Limit processing in certain cases |
| Data portability | Receive/transfer data in a structured format |
| Object | Object to processing (e.g., direct marketing) |
| Rights related to automated decision-making | Not be subject to decisions based solely on automated processing that produce legal or similarly significant effects |
Key obligations
- Maintain Records of Processing Activities (ROPA).
- Conduct Data Protection Impact Assessments (DPIAs) for high-risk processing.
- Appoint a Data Protection Officer (DPO) where required.
- Implement data protection by design and by default.
- Use compliant controller–processor agreements.
- Notify the supervisory authority of personal-data breaches within 72 hours of becoming aware of them (and notify affected individuals where the breach is likely to result in high risk).
- Ensure a lawful mechanism for international data transfers (adequacy, SCCs, BCRs).
Compliance roadmap
- Data mapping — build the ROPA across systems, vendors and transfers.
- Establish lawful bases and update privacy notices and consent flows.
- Implement data-subject-rights and breach-response processes.
- Run DPIAs for high-risk processing; appoint a DPO if required.
- Govern processors and international transfers (SCCs/adequacy).
- Secure the data and evidence accountability; operate and improve.
Penalties
| Tier | Maximum fine |
|---|---|
| Lower tier (e.g., records, DPO, security) | €10 million or 2% of global annual turnover, whichever is higher |
| Upper tier (e.g., principles, rights, transfers) | €20 million or 4% of global annual turnover, whichever is higher |
GDPR vs DPDP Act (India)
Both are consent- and rights-based privacy laws with similar principles. A GDPR programme gives a strong head start on India’s DPDP Act, though DPDP has its own roles, penalty structure and India-specific requirements.
How CyberSigma helps
We run GDPR readiness — data mapping/ROPA, lawful-basis and consent design, DPIAs, data-subject-rights and breach processes, transfer mechanisms and DPO advisory — and align it with your DPDP obligations.
Frequently asked questions
Does GDPR apply to companies outside the EU?
Yes. If you offer goods/services to, or monitor, individuals in the EU/EEA, GDPR applies regardless of your location.
GDPR vs India’s DPDP Act — how do they compare?
Both are consent- and rights-based privacy laws with similar principles. DPDP is India-specific with its own penalty structure; a GDPR programme gives you a strong head start on DPDP.
Need help with GDPR?
CERT-In empanelled, PCI QSA senior auditors can take you from reading about GDPR to being compliant — with a scoped, guided programme.
