Compliance Guide · EU & UK

GDPR Compliance Guide

GDPR is the world’s most demanding data-protection regulation — and almost every modern business handles EU or UK personal data. Here is everything you need: the 7 principles, 8 rights, lawful bases, DPAs, transfers, breaches, and the fastest path to compliance.

  • Regulation: EU 2016/679 (GDPR) · UK GDPR + DPA 2018
  • Effective: 25 May 2018 (EU) · 1 January 2021 (UK separate)
  • Coverage: Any controller/processor handling EU/UK personal data
  • Validity: Continuous — ongoing accountability, no certification
Key numbers at a glance:

  • 7 principles: the Article 5 data-protection principles
  • 8 rights: the data subject rights you must operationalise
  • 72 hours: the window to notify the supervisory authority of a breach
  • €20M: the maximum fine, or 4% of global annual turnover, whichever is higher

Who needs to comply with GDPR?

GDPR has the broadest territorial scope of any data-protection law. You are in scope if any of the following apply:

  • Your organisation is established in the EU or EEA, regardless of where you process personal data
  • You offer goods or services to individuals in the EU/EEA (paid or free) — explicit targeting matters: a checkout in EUR, an EU language, a "ships to Europe" page
  • You monitor the behaviour of EU individuals — analytics, advertising tracking, behaviour profiling
  • You are a processor handling personal data on behalf of any of the above (most SaaS vendors)

The UK GDPR applies almost identically to UK residents post-Brexit. Most multinational businesses operate a single GDPR programme that covers both — the practical differences are minor and largely about which supervisory authority you deal with (an EU national DPA vs the UK ICO).

The 7 GDPR principles (Article 5)

  1. Lawfulness, fairness, transparency: process data on a documented lawful basis, and tell people clearly what you're doing.
  2. Purpose limitation: collect for specified, explicit, legitimate purposes. No silent repurposing.
  3. Data minimisation: adequate, relevant, limited to what is necessary. If you don't need it, don't collect it.
  4. Accuracy: keep personal data accurate; correct or erase inaccurate data without delay.
  5. Storage limitation: retain only as long as necessary. Defined retention schedules are required.
  6. Integrity and confidentiality: Article 32 security, meaning encryption, MFA, access controls, resilience, and regular testing.
  7. Accountability: the controller must demonstrate compliance with all of the above. Documentation is the proof.

The 8 data subject rights

  1. Right to be informed — clear privacy notice at the point of collection (Art. 13/14)
  2. Right of access (DSAR) — confirm what data you hold and provide a copy (Art. 15)
  3. Right to rectification — correct inaccurate or incomplete data (Art. 16)
  4. Right to erasure / "right to be forgotten" (Art. 17) — limited to defined grounds
  5. Right to restrict processing (Art. 18)
  6. Right to data portability — structured, common-format export (Art. 20)
  7. Right to object — including the absolute right to object to direct marketing (Art. 21)
  8. Rights related to automated decision-making and profiling (Art. 22)

Most requests must be handled within one calendar month, free of charge (with limited exceptions for excessive or repetitive requests). You need a documented DSAR intake, identification verification, search-and-redaction workflow, and response template.

Lawful bases for processing (Article 6)

Every processing activity needs a documented lawful basis. The six options:

  • Consent — must be freely given, specific, informed, unambiguous, with a positive opt-in. Pre-ticked boxes don't count.
  • Contract — necessary for the performance of a contract with the data subject (or pre-contractual steps)
  • Legal obligation — required by EU/Member State law
  • Vital interests — narrow: protecting life
  • Public task — for public authorities and certain official functions
  • Legitimate interests — your legitimate interests, balanced against the rights and freedoms of the data subject (Legitimate Interests Assessment / LIA required)

For special category data (race, health, biometric, sexual orientation, religion, political opinion, genetic, trade-union membership), Article 9 imposes additional conditions on top of the Article 6 basis.

DPIAs, DPOs and DPAs

Data Protection Impact Assessment (DPIA)

Article 35 requires a DPIA before any processing likely to result in a high risk to individuals. Mandatory triggers include systematic profiling with legal/significant effects, large-scale processing of special category data, and large-scale public monitoring. Even where not strictly required, DPIAs are best practice for any new product or processing change.

Data Protection Officer (DPO)

Article 37 requires a DPO if you are a public authority, your core activities involve large-scale regular and systematic monitoring, or your core activities involve large-scale special category data. The DPO must be independent, expert, report to top management, and be reachable by data subjects and the supervisory authority.

Data Processing Agreement (DPA)

Article 28 requires a written DPA between a controller and any processor handling personal data on its behalf. The DPA must address eight specific commitments — most major SaaS vendors offer a standard GDPR DPA (often as an addendum or click-through) you can sign on import.

International transfers (post-Schrems II)

Transferring EU/EEA personal data outside the EEA requires a valid Article 46 mechanism. Since the Schrems II ruling (2020), you must also assess whether the destination jurisdiction provides equivalent protection in practice — a Transfer Impact Assessment (TIA).

  • Adequacy decisions — UK, Switzerland, Japan, South Korea, New Zealand, Argentina, Canada (commercial), and the EU–US Data Privacy Framework (for participating US importers)
  • Standard Contractual Clauses (SCCs) — 2021 modular SCCs are the most common path
  • Binding Corporate Rules (BCRs) — for intragroup transfers
  • Article 49 derogations — narrow, exceptional, not for routine transfers

Step-by-step GDPR compliance roadmap

Phase 1 Map (Weeks 1–3)

  • Build the Records of Processing Activities (RoPA) — Article 30 register
  • Identify lawful basis for every activity
  • Map all data flows including third-party recipients and international transfers

Phase 2 Notice & Bases (Weeks 3–6)

  • Update privacy notice with Article 13/14 disclosures
  • Implement consent mechanisms (cookie banner, marketing preferences)
  • Document Legitimate Interests Assessments where used

Phase 3 Contracts & Transfers (Weeks 4–10)

  • Sign DPAs with every processor
  • Implement SCCs + Transfer Impact Assessments for non-EU transfers
  • Update internal data sharing arrangements (controller-to-controller, joint controllers)

Phase 4 Operate (Ongoing)

  • DSAR intake and 30-day response workflow
  • 72-hour breach notification process
  • Article 32 security controls (encryption, MFA, monitoring, testing)
  • DPIAs for new products / significant changes

Real fines & enforcement

  • Meta — €1.2B (2023) — unlawful EU–US transfers (Irish DPC)
  • Amazon — €746M (2021) — advertising consent failures (Luxembourg CNPD)
  • Instagram — €405M (2022) — children's data exposure (Irish DPC)
  • TikTok — €345M (2023) — children's data processing
  • British Airways — £20M (2020) — security failures leading to a 400K-record breach

Smaller, more common cases routinely run from €5K to €1M for SMEs — most often for failure to maintain a RoPA, missing or inadequate privacy notices, no lawful basis for marketing, or missing DPAs with vendors.

How Security Pulse helps with GDPR

RunWay — Get compliant

  • RoPA template and lawful basis registry
  • DPIA + LIA templates and workflow
  • DPA library + Schrems II Transfer Impact Assessment
  • Privacy notice generator and consent management guidance
  • DSAR intake and 30-day response runbook

Autopilot — Stay compliant

  • Article 32 controls — encryption, MFA, access governance
  • Endpoint protection on every device touching EU data
  • 72-hour breach detection and notification path
  • Vendor monitoring with DPA tracking
  • Evidence vault — supervisory-authority-ready exports

GDPR vs PDPA vs CCPA

| | GDPR (EU/UK) | PDPA (Singapore) | CCPA / CPRA (California) |
|---|---|---|---|
| Scope | EU/UK personal data, global reach | Singapore personal data | California consumer data, threshold-based |
| Max fine | €20M or 4% global turnover | S$1M or 10% local turnover | Up to $7,500 per intentional violation |
| Breach window | 72 hours | 3 calendar days | "Without unreasonable delay" |
| DPO required | Conditional | Yes, every org | Not required |
| Right to be forgotten | Yes | No | Right to delete (limited) |
| Approach | Rights-based, principles-driven | Principles + consent-based | Consumer-rights-based |

Common questions about GDPR

Who has to comply with GDPR?

Any organisation — anywhere in the world — that processes personal data of individuals in the EU or EEA. This includes (a) any organisation established in the EU/EEA processing personal data, regardless of where the processing happens; and (b) any organisation outside the EU that offers goods or services to EU/EEA individuals or monitors their behaviour. The UK GDPR (post-Brexit) operates almost identically for UK residents.

What are the 7 GDPR principles?

Article 5 sets out the foundational principles: (1) Lawfulness, fairness, and transparency; (2) Purpose limitation; (3) Data minimisation; (4) Accuracy; (5) Storage limitation; (6) Integrity and confidentiality (security); (7) Accountability — the controller must demonstrate compliance with all of the above. Every other GDPR requirement is essentially an operationalisation of these principles.

What are the 8 data subject rights?

Right to be informed, right of access (DSAR), right to rectification, right to erasure (right to be forgotten), right to restrict processing, right to data portability, right to object, and rights related to automated decision-making and profiling. You must respond to most requests within one calendar month (extendable to three for complex cases) and have a documented intake/processing workflow.

What are the 6 lawful bases for processing?

Article 6: (1) Consent — freely given, specific, informed, unambiguous; (2) Contract — necessary for performance of a contract with the data subject; (3) Legal obligation; (4) Vital interests — to protect someone's life; (5) Public task; (6) Legitimate interests — balanced against the rights of the data subject. You must identify and document the lawful basis for every processing activity in your RoPA.

How much can the fines really be?

GDPR has two tiers of administrative fines. Tier 1 (Art. 83(4) — admin failures like RoPA, DPO, security): up to €10M or 2% of global annual turnover, whichever is higher. Tier 2 (Art. 83(5) — breaches of principles, data subject rights, lawful basis, transfer rules): up to €20M or 4% of global annual turnover. The largest fines to date: Meta €1.2B (2023), Amazon €746M (2021), Instagram €405M (2022), TikTok €345M (2023).

When do we have to notify a data breach?

Personal data breaches must be reported to the lead supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware. If the risk of harm to individuals is high, you must also notify affected individuals without undue delay. The 72-hour clock does not require complete information at first notification — you can supplement details as the investigation continues. Late notification is itself a violation.

When do I need to appoint a DPO?

A Data Protection Officer is mandatory in three scenarios: (1) you are a public authority; (2) your core activities involve large-scale, regular and systematic monitoring of individuals; or (3) your core activities involve large-scale processing of special category data (health, biometrics, etc.) or criminal data. Many organisations not strictly required appoint one anyway because it strengthens compliance posture. The DPO must be independent, expert, and report to top management.

What is a Data Processing Agreement (DPA) and when do I need one?

Article 28 requires a written contract whenever a controller engages a processor (e.g. you use AWS, Salesforce, Stripe, an analytics tool, or a help-desk vendor). The DPA must specify subject matter, duration, nature/purpose of processing, types of personal data, categories of data subjects, and the controller's rights and obligations. It must include the eight Article 28(3) commitments — confidentiality, security, sub-processor approval, assistance with data subject rights, breach notification, audit rights, and so on.

How do international data transfers work after Schrems II?

Transfers of personal data outside the EU/EEA require a valid mechanism: (a) an adequacy decision (e.g. UK, Switzerland, Japan, the EU–US Data Privacy Framework for certified US importers); (b) Standard Contractual Clauses (2021 SCCs); (c) Binding Corporate Rules; or (d) a derogation under Article 49. Since Schrems II, you must also conduct a Transfer Impact Assessment (TIA) to evaluate whether the destination jurisdiction provides equivalent protection in practice — and apply supplementary measures (e.g. encryption, pseudonymisation) if needed.

How does Security Pulse help with GDPR?

Security Pulse maps to GDPR end-to-end. RunWay handles the foundational programme: RoPA, lawful basis registry, DPIA templates, DSAR workflow, DPA library, transfer impact assessments. Autopilot operates the security obligations of Article 32 continuously: encryption, MFA, access governance, breach detection, audit logging, vendor monitoring, and an evidence vault that produces supervisory-authority-ready reports on demand.

GDPR-ready in months, not years.