GDPR (General Data Protection Regulation)

The GDPR governs personal data in the EU and anywhere serving EU residents. Lawful basis, data-subject rights, accountability, breach notification, supervisory enforcement. The headline fines (20 million euros or 4% of worldwide turnover) get the press; most enforcement actions come through the supervisory dialogue, not the maximum.

By Christophe Mazzola, Practicing CISO · Founder of Cyber Academy

The Cyber Academy take

The GDPR is often reduced in conversation to cookie banners and consent pop-ups, but that picture misses where its weight really sits. Consent is only one of several lawful bases for processing personal data, and for most business operations it is not even the one organisations rely on. Contract performance, legal obligation, and legitimate interests carry far more processing in practice. The deeper shift the GDPR introduced is accountability: it is not enough to comply; you have to be able to demonstrate compliance. That single principle is what turns data protection from a legal opinion into an operational discipline with records, assessments, and evidence behind every claim.

Because it is a regulation rather than a directive, the GDPR applies directly across the EU and the wider EEA without each country rewriting it into national law, which is why its core obligations look the same in France, Germany, and Ireland. Its reach also extends beyond Europe. An organisation established outside the EU still falls within scope when it offers goods or services to people in the Union or monitors their behaviour there. This territorial reach is why a company with no European office can still answer to a European supervisory authority.

Lawful basis, data-subject rights, and the duties that follow

Every act of processing personal data needs a lawful basis chosen before the processing starts, and the basis you pick shapes the rights people can exercise. Data subjects can ask to access their data, have it corrected or erased, restrict or object to processing, and in some cases receive it in a portable form. None of these rights is absolute; each comes with conditions and exemptions. Around the rights sit the controller and processor duties: data protection by design and by default, keeping a record of processing activities, securing the data with appropriate technical and organisational measures, and putting written contracts in place wherever a processor handles data on a controller's behalf.

Two duties deserve singling out because they drive day-to-day work. When processing is likely to result in a high risk to individuals, the controller runs a data protection impact assessment before going ahead, documenting the risk and how it is mitigated. And when a personal data breach occurs, the controller faces a notification duty toward the supervisory authority within a short, defined window, with affected individuals informed too when the risk to them is high. These are not paperwork rituals. They are the points where the accountability principle becomes a concrete, time-bound obligation.

Where the GDPR sits among neighbouring concepts

It helps to separate the GDPR from the roles and tools that orbit it. A DPO is a person or function some organisations must appoint to oversee compliance; a DPIA is the assessment process for high-risk processing; a ROPA is the inventory of processing activities; standard contractual clauses are one mechanism for moving data outside the EU lawfully. The GDPR is the regulation that requires or enables each of these. National supervisory authorities such as the CNIL in France enforce it and issue guidance, and the European Data Protection Board coordinates them so that a single interpretation holds across borders.

As the short definition above notes, the headline figures of up to 20 million euros or 4 percent of worldwide annual turnover dominate the press coverage, yet most enforcement runs through supervisory dialogue rather than maximum fines. Authorities investigate, ask questions, require remediation, and often resolve matters through corrective measures short of the ceiling. For practitioners the practical lesson is that demonstrable good faith and an evidenced compliance posture change how that dialogue goes. The organisations that fare worst are usually the ones that cannot show what they were doing with the data, not the ones that made an honest, documented judgment call.

How practitioners operationalise it

Turning the regulation into routine work usually starts with mapping. You build and maintain a record of processing activities so you know what data you hold, why, on what lawful basis, and where it flows. From there teams embed privacy by design into new projects, run DPIAs where the risk is high, tighten processor contracts, and rehearse the breach-notification path so the clock does not catch them unprepared. Many anchor this in a management system rather than a binder of policies, which is where standards like ISO 27701 and the supporting guidance from supervisory authorities earn their place. The goal is steady-state evidence: at any moment you can show a lawful basis, a record, and a control for the personal data you process.

Frequently asked questions

01. Does the GDPR apply to companies outside the EU?

Yes, it can. The regulation reaches organisations established outside the EU when they offer goods or services to people in the Union or monitor their behaviour there. Having no European office does not put you out of scope; the deciding factor is whether you target or track individuals in the EU.

02. Is consent always required to process personal data?

No. Consent is only one of several lawful bases. Many operations rely instead on contract performance, a legal obligation, or legitimate interests. You must choose and document an appropriate basis before processing, but it is frequently not consent.

03. What is the difference between a controller and a processor?

A controller decides why and how personal data is processed and carries the primary accountability. A processor handles data on the controller's behalf under a written contract and within the controller's instructions. The two roles carry different but overlapping duties under the regulation.

04. When does a breach have to be reported?

A controller must notify the competent supervisory authority of a personal data breach within the short window the regulation sets, unless the breach is unlikely to result in a risk to individuals. Where the risk to affected people is high, those individuals must be informed as well.

05. How does the GDPR relate to ISO 27701?

The GDPR sets the legal obligations; ISO/IEC 27701 gives you a certifiable privacy information management system to meet them in a structured, auditable way. Holding the certification does not by itself make you legally compliant, but it institutionalises the records, assessments, and controls the regulation expects.
