GDPR Compliance Requirements for Businesses

What are the key GDPR compliance requirements for businesses?

Summary

Any organization that processes personal data of EU/EEA residents -- regardless of where it is based -- must comply with the GDPR: establish a lawful basis, honor data subject rights within one month, report breaches within 72 hours, and appoint a DPO where required. Penalties reach EUR 20 million or 4% of global turnover; cumulative fines now exceed EUR 7.1 billion. The Commission's Digital Omnibus package (proposed November 2025, still in trilogue mid-2026) may narrow the personal-data definition and ease breach/cookie rules, but current obligations remain binding. [src1, src6, src7]

Rule

Businesses processing personal data of EU/EEA residents must comply with the General Data Protection Regulation (GDPR) regardless of where the business is located. Compliance requires establishing a lawful basis for processing (consent, contract, legitimate interest, legal obligation, vital interest, or public task), appointing a Data Protection Officer where required, implementing data protection by design and default, and maintaining records of processing activities. Organizations must respond to data subject rights requests (access, rectification, erasure, portability, objection) within one month. [src1, src2]

Evidence

Since enforcement began in May 2018 through January 2026, EU Data Protection Authorities have issued over EUR 7.1 billion in cumulative GDPR fines (up from EUR 4.5 billion a year earlier), of which Ireland's Data Protection Commission alone accounts for EUR 4.04 billion; approximately EUR 1.2 billion was issued in 2025, matching 2024. Reported data breaches now average 443 notifications per day across the EU/EEA -- up 22% year over year and the first time daily notifications have exceeded 400. Tier 1 violations (breaching core principles) carry penalties up to EUR 20 million or 4% of global annual turnover, whichever is higher; Tier 2 violations (specific obligations like processor duties) carry penalties up to EUR 10 million or 2% of turnover. Breaches must be reported to the supervisory authority within 72 hours and to affected individuals without undue delay if the breach poses high risk. The European Commission's Digital Omnibus package, published 19 November 2025 and still in trilogue negotiation as of May 2026, proposes to narrow the personal-data definition, raise the breach-notification threshold and extend its deadline, and move cookie-consent rules into the GDPR; the EDPB and EDPS issued Joint Opinion 2/2026 on 11 February 2026 supporting the cookie/breach simplifications but strongly opposing the narrower personal-data definition. [src1, src6, src7]

Rationale

The GDPR replaced the 1995 Data Protection Directive to create a unified framework across the EU, eliminating the patchwork of 28 different national laws. Its extraterritorial scope ensures that EU residents' data is protected regardless of where it is processed, and the severe penalty structure (up to 4% of global turnover) creates a credible deterrent that has driven widespread adoption of privacy-by-design practices even among non-EU companies. [src1, src3]

Framework Selection Decision Tree

START -- User needs privacy/data protection compliance guidance
|-- Which jurisdiction?
|   |-- EU/EEA residents --> GDPR Summary <-- YOU ARE HERE
|   |-- California residents --> CCPA/CPRA Summary
|   |-- Japan residents --> APPI Japan Summary
|   |-- Brazil residents --> LGPD Brazil Summary
|   +-- Multiple jurisdictions --> Cross-Border Data Transfers unit
|-- Does the organization process personal data of EU/EEA individuals?
|   |-- YES --> Apply GDPR: lawful basis, DPO, DPIA, breach notification
|   +-- NO --> GDPR does not apply; check other jurisdiction rules
+-- Is there an existing privacy program?
    |-- YES --> Audit against GDPR Articles 5-49
    +-- NO --> Start with data mapping and processing records (Article 30)

Decision Logic

If the organization has no establishment in the EU/EEA but offers goods/services to or monitors EU/EEA individuals

--> GDPR still applies extraterritorially under Article 3(2); appoint an EU representative under Article 27 unless processing is occasional and low-risk. [src1]

If you are choosing a lawful basis for behavioral advertising or AI model training

--> Do not rely on a bare "legitimate interest" claim; run a documented Legitimate Interest Assessment and treat consent as the safer basis -- Meta's EUR 390 million fine turned on advertising not being "necessary." [src1, src2]

If a personal-data breach is detected

--> Notify the lead supervisory authority within 72 hours of becoming aware, and notify affected individuals without undue delay if the breach poses a high risk to their rights and freedoms. [src1]

If the organization conducts large-scale systematic monitoring or processes special-category data at scale

--> A Data Protection Officer is mandatory under Article 37; appointing one voluntarily otherwise is a recognized best practice. [src1, src2]

If you are designing a 2026 cookie/consent banner

--> Give "Reject All" equal prominence to "Accept All," fire no non-essential trackers before affirmative consent, and keep timestamped consent logs; plan for machine-readable consent signals that the Digital Omnibus would standardize. [src2, src6]

If the data subjects are in the UK, California, Brazil, or Japan rather than the EU/EEA

--> GDPR does not govern; route to the UK GDPR, CCPA/CPRA, LGPD, or APPI rule respectively. [src3]

If you are scoping compliance against the proposed Digital Omnibus changes

--> Treat current GDPR obligations as binding and the Omnibus as not-yet-law (still in trilogue as of May 2026); do not relax breach-notification or personal-data handling on the basis of proposed text. [src6, src7]

Application Checklist

Step 1: Determine applicability and role

Step 2: Establish lawful bases for all processing activities

Step 3: Implement technical and organizational measures

Step 4: Establish data subject rights and breach response processes

Anti-Patterns

Wrong: Using "legitimate interest" as a catch-all without a Legitimate Interest Assessment

Organizations default to legitimate interest for all non-consent processing without documenting the three-part test. Meta was fined EUR 390 million for claiming behavioral advertising was "necessary" to provide social media services. [src2]

Correct: Conduct a documented LIA for each processing activity

Each legitimate interest claim must pass the three-part test: (1) identify the legitimate interest, (2) show processing is necessary, (3) balance against individual rights. Document and revisit when processing changes. [src1]

Wrong: Cookie consent dark patterns with pre-loaded trackers

Making "Reject All" harder to find than "Accept All," using pre-ticked boxes, or firing cookies before consent. EU DPAs issue per-session fines for each affected user. [src3]

Correct: Equal-friction consent with no pre-loading

Present Accept and Reject options with equal prominence on the first layer. No cookies fire before affirmative consent. Maintain timestamped consent logs. [src2]
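The consent gate described in the two cookie-banner items above (the 2026 banner decision rule and this equal-friction correction), as an added example that is not part of the original page: non-essential trackers are held back until an affirmative decision, a pre-set or non-boolean value never counts as consent, and every decision is appended to a timestamped log. The category names and the `createConsentManager` API are assumptions.

```javascript
// Added example, not from the page: a consent gate for a web client.
// Non-essential trackers are queued until an affirmative opt-in; every
// decision is appended to a timestamped log. Category names are assumed.
const NON_ESSENTIAL = ['analytics', 'marketing'];

function createConsentManager(clock = () => new Date()) {
  // Default state denies every non-essential category (no pre-ticked boxes).
  const state = { analytics: false, marketing: false };
  const log = [];      // timestamped consent records kept for audit
  const pending = [];  // loaders held back until consent is given

  function flush() {
    // Run queued loaders whose category is now permitted; keep the rest held.
    for (let i = pending.length - 1; i >= 0; i--) {
      if (state[pending[i].category]) pending.splice(i, 1)[0].load();
    }
  }

  return {
    // Route every tracker through here instead of loading it inline.
    queueTracker(category, load) {
      if (!NON_ESSENTIAL.includes(category)) { load(); return; }  // strictly necessary
      if (state[category]) load(); else pending.push({ category, load });
    },
    // Only an explicit boolean true counts as consent; 'source' names the control used.
    decide(choices, source) {
      for (const c of NON_ESSENTIAL) state[c] = choices[c] === true;
      log.push({ ts: clock().toISOString(), choices: { ...state }, source });
      flush();
    },
    acceptAll(source = 'accept-all') { this.decide({ analytics: true, marketing: true }, source); },
    rejectAll(source = 'reject-all') { this.decide({}, source); },
    canLoad(category) { return !NON_ESSENTIAL.includes(category) || state[category]; },
    getLog() { return log.map((e) => ({ ...e })); },
    pendingCount() { return pending.length; },
  };
}
```

Wiring the "Accept All" and "Reject All" buttons to `acceptAll` and `rejectAll` with the same prominence keeps the decision symmetric; the log entries can be exported as the consent record a supervisory authority may ask for.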

Wrong: Deletion requests applied only to production databases

Shadow IT, exported CSVs, test environments, and backups retain personal data indefinitely after erasure requests, creating ongoing Article 17 violations. [src4]

Correct: Include all data stores in erasure workflows

Map all locations where personal data exists -- production, backups, analytics, exports, vendor systems. Implement systematic erasure with documented exception processes for legal holds. [src1]

Common Misconceptions

Misconception: GDPR only applies to companies headquartered in the EU.
Reality: GDPR applies to any organization worldwide that processes EU/EEA resident data, offers them goods/services, or monitors their behavior (Article 3). [src1]

Misconception: Pseudonymized data is exempt from GDPR.
Reality: Pseudonymized data remains personal data under GDPR because it can be re-identified. Only fully anonymized data (irreversible) falls outside scope. [src1]

Misconception: A DPO is required for every organization.
Reality: A DPO is mandatory only for public authorities, organizations conducting large-scale systematic monitoring, or those processing special category data at scale. [src2]

Misconception: GDPR compliance is a one-time project.
Reality: GDPR requires ongoing compliance: regular audits, updated DPIAs, continuous training, and monitoring of regulatory changes. The 2026 EDPB coordinated action focuses on transparency (Articles 12-14). [src3]

Comparison with Similar Rules

Rule/Framework         | Key Difference                                                 | When to Use
-----------------------+----------------------------------------------------------------+-----------------------------------------------------
GDPR (EU)              | Opt-in model; 6 lawful bases; up to 4% global turnover penalty | Processing EU/EEA resident data
CCPA/CPRA (California) | Opt-out model; threshold-based; per-violation fines            | Processing California resident data above thresholds
LGPD (Brazil)          | 10 legal bases; BRL 50M cap; ANPD enforcement                  | Processing Brazilian resident data
APPI (Japan)           | No size threshold; criminal penalties; PPC enforcement         | Processing Japanese resident data

When This Matters

Fetch this when a user asks about data privacy requirements for businesses operating in the EU, processing EU/EEA resident data, or offering goods/services to individuals in EU/EEA member states.