General Data Protection Regulation (EU 2016/679)
The General Data Protection Regulation establishes comprehensive data protection rules for all organisations processing personal data of EU residents. With extraterritorial scope, it applies globally to any entity offering goods or services to EU residents or monitoring their behaviour. GDPR enforces data protection through a two-tier penalty structure reaching EUR 20 million or 4% of global turnover.
Key facts: 99 Articles; 11 Chapters; maximum penalty €20M or 4% of global turnover; enforced since May 2018.
Seven principles: lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, and accountability.
Six lawful bases for processing (consent, contract, legal obligation, vital interests, public task, legitimate interests). Consent must be freely given, specific, informed, and unambiguous.
Rights to access, rectification, erasure (‘right to be forgotten’), restriction, data portability, objection, and protection against automated decision-making. Response within 1 month.
Notify the supervisory authority within 72 hours of becoming aware of a breach. Notify affected data subjects without undue delay if the breach is likely to result in a high risk to their rights and freedoms.
A Data Protection Impact Assessment (DPIA) is required prior to processing that is likely to result in high risk: systematic profiling, large-scale processing of special categories of data, or systematic monitoring of publicly accessible areas.
Mandatory DPO for public authorities, organisations with large-scale monitoring, or large-scale processing of special categories. Reports directly to highest management.
Transfers to third countries require adequacy decisions, appropriate safeguards (SCCs, BCRs), or specific derogations. Ensures continued protection outside the EU.
Two penalty tiers: up to EUR 10M or 2% of global turnover for procedural violations; up to EUR 20M or 4% of global turnover for violations of the core principles, data subject rights, and international transfer rules.
Identify all personal data flows, processing activities, and data stores across your organisation to establish a complete processing register (Art. 30).
Determine the appropriate lawful basis for each processing activity. Review consent mechanisms, contract necessity, and legitimate interest assessments.
Conduct DPIAs for high-risk processing activities. Assess necessity, proportionality, and implement measures to address identified risks.
Build processes to handle data subject requests within required timelines: access, rectification, erasure, portability, and objection requests.
Establish a 72-hour breach notification process, including detection, assessment, authority notification, and data subject communication procedures.
Implement continuous monitoring, regular audits, staff training, and policy reviews to maintain compliance and demonstrate accountability.