In depth
Seven principles anchor the regime (Article 5): lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability. Data subjects have rights of access, rectification, erasure ("right to be forgotten"), restriction of processing, data portability, objection, and rights regarding automated decision-making. Each right has defined response timelines (typically one month) and conditions under which it can be denied.
Article 32 (Security of processing) requires "appropriate technical and organisational measures" proportionate to the risk, listing as examples: pseudonymisation and encryption of personal data; the ability to ensure ongoing confidentiality, integrity, availability and resilience of processing systems; the ability to restore availability and access in a timely manner after an incident; and a process for regularly testing, assessing and evaluating the effectiveness of those measures. The text does not name a specific method, but penetration testing (alongside vulnerability scanning) is the standard way organisations evidence the "regular testing" obligation. Article 33 requires notification of personal-data breaches to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals' rights and freedoms.
Data Protection Impact Assessments (Article 35) are mandatory for high-risk processing, such as large-scale profiling, processing of special-category data, systematic monitoring of publicly accessible areas, and use of new technologies. International transfers (Chapter V) require either an adequacy decision, Standard Contractual Clauses with supplementary measures (post-Schrems II), Binding Corporate Rules, or one of the narrow derogations in Article 49. The EU-US Data Privacy Framework (July 2023) restored a partial adequacy bridge for transfers to US organisations certified under it. Most modern privacy programmes treat GDPR as the global baseline and layer the delta requirements of the DPDP Act, CCPA and PIPEDA on top. See the DPDP Act 2023 checklist.