
GDPR compliance for businesses in the EU: what you actually need to have in place

Eight years after GDPR came into force, a significant number of organisations still have gaps in the basics: no lawful basis documented, breach response plans that skip the 72-hour notification window, and data processing records that have never been updated. This guide covers the obligations that matter most and how to address them practically.

Cyvra Team
Cyvra Consultancy
29 April 2026

Key takeaways
  • GDPR applies to any organisation processing EU residents' data, regardless of where that organisation is based
  • Every processing activity must have a documented lawful basis before it starts, not after a complaint arrives
  • You have 72 hours to notify your supervisory authority after discovering a breach that poses a risk to individuals
  • Data subject rights requests must be responded to within one month, at no cost to the individual
  • Tier 2 fines can reach €20 million or 4% of global annual turnover, whichever is higher

Who GDPR applies to

GDPR's extraterritorial scope is the part most organisations underestimate. Article 3 makes the regulation apply to any organisation that processes the personal data of individuals in the EU or EEA, regardless of where the organisation is established. A company based in New York selling software subscriptions to Dutch businesses, or a Brazilian firm monitoring the browsing behaviour of French website visitors, is subject to GDPR. Location of your servers or your legal entity is not the determining factor. Processing EU residents' data is.

The regulation distinguishes between two roles. A data controller is any organisation that determines the purposes and means of processing personal data. A data processor acts on behalf of a controller. Both roles carry obligations under GDPR, but controllers bear primary responsibility. If you use a third-party tool to process customer data, you are the controller and that vendor is your processor: their compliance failures can become your regulatory exposure.

Special category data

GDPR applies stricter rules to special category data: health and medical information, biometric data used for identification, genetic data, racial or ethnic origin, political opinions, religious beliefs, trade union membership, and data concerning sexual orientation or sex life. Processing this data requires an additional condition from Article 9 on top of a standard lawful basis. Healthcare organisations, HR departments, and any platform collecting health-related information should review their Article 9 basis carefully.

The six lawful bases for processing

Every processing activity must rest on one of the six lawful bases in Article 6. Choosing the right one matters because it determines what rights apply and what you must communicate to individuals. Organisations frequently default to consent when a more appropriate basis would serve better and create fewer ongoing obligations.

1. Consent: The individual has given clear, informed, freely given, and withdrawable consent. Appropriate for optional services and marketing. Consent must be as easy to withdraw as to give.
2. Contract: Processing is necessary to perform a contract with the individual, or to take pre-contractual steps at their request. Covers processing customer data to deliver a paid service.
3. Legal obligation: Processing is required by EU or member state law. Covers payroll tax records, anti-money-laundering checks, and other legally mandated activities.
4. Vital interests: Processing is necessary to protect someone's life. A narrow basis, relevant in medical emergencies where consent cannot be obtained.
5. Public task: Processing is necessary for a task carried out in the public interest or in the exercise of official authority. Applies primarily to public bodies and certain regulated activities.
6. Legitimate interests: Processing is necessary for the legitimate interests of the controller or a third party, provided those interests are not overridden by the rights of the individual. Requires a documented balancing test.

Legitimate interests is the most flexible basis but also the most scrutinised. It requires a three-part test: identifying the legitimate interest, confirming the processing is necessary for that interest, and balancing it against the individual's rights. That balancing test should be documented, not just assumed.

Your four core obligations

Records of Processing Activities

Article 30 requires organisations to maintain a Record of Processing Activities (RoPA): a written inventory of every way you process personal data. Each entry should cover the purpose of processing, the categories of data and data subjects involved, any third parties you share data with, transfers to countries outside the EEA, and how long the data is retained.

Organisations with fewer than 250 employees are technically exempt from the full RoPA requirement unless their processing is not occasional, involves special category data, or presents a risk to individuals. In practice, most businesses processing customer data, employee data, or health information should maintain one. It is the foundation of every other compliance activity, and regulators request it at the start of almost every investigation.

Data Protection Impact Assessments

A Data Protection Impact Assessment (DPIA) is required before starting any processing that is likely to result in a high risk to individuals. Article 35 specifies that a DPIA is always required for large-scale processing of special category data, systematic and extensive profiling that significantly affects individuals, and large-scale monitoring of publicly accessible areas. Supervisory authorities also publish lists of processing types that require a DPIA in their jurisdiction.

A DPIA is not a one-time exercise. If you materially change a processing activity covered by an existing DPIA, the assessment should be reviewed and updated.

Breach notification

Article 33 requires you to notify your national supervisory authority within 72 hours of becoming aware of a personal data breach that is likely to result in a risk to individuals' rights and freedoms. If you cannot provide full details within 72 hours, you must notify with what you know and provide more information as it becomes available. The 72-hour clock starts when you become aware of the breach, not when it occurred.

Where the breach is likely to result in a high risk to individuals, Article 34 also requires you to notify the affected individuals directly, without undue delay. There is no minimum threshold for what counts as a breach: a misdirected email containing personal data is a breach and needs to be assessed against these notification requirements.

  • 72h: to notify your supervisory authority after discovering a breach posing risk to individuals
  • €20M: maximum Tier 2 fine, or 4% of global annual turnover, whichever is higher
  • 8: individual rights that data subjects can exercise over their personal data

Data Protection Officer

A DPO is mandatory under Article 37 in three situations: you are a public authority or body; your core activities require large-scale, systematic monitoring of individuals; or your core activities involve large-scale processing of special category data. The DPO must be given the resources to perform their tasks independently and report directly to the highest level of management.

Even where a DPO is not legally required, appointing one or designating a senior data protection lead signals accountability to regulators and ensures someone owns the compliance programme. Supervisory authorities consistently note that the absence of any internal ownership of data protection is a significant aggravating factor in enforcement decisions.

Data subject rights

GDPR grants individuals eight rights over their personal data. You must be able to respond to any of these requests within one calendar month, free of charge. Extensions of up to two additional months are possible for complex or numerous requests, but you must notify the individual within the first month that you are extending.

1. Right to be informed: Individuals must receive clear, transparent information about how you process their data, usually delivered through a privacy notice at the point of collection.
2. Right of access: Individuals can request a copy of the personal data you hold about them and information about how it is being processed.
3. Right to rectification: Individuals can require you to correct inaccurate personal data or complete incomplete data.
4. Right to erasure: Also known as the right to be forgotten. Individuals can request deletion of their data where there is no compelling reason to continue processing it.
5. Right to restrict processing: Individuals can request that you limit how you use their data in certain circumstances, such as while accuracy is being contested.
6. Right to data portability: Where processing is based on consent or contract and carried out by automated means, individuals can request their data in a structured, machine-readable format.
7. Right to object: Individuals can object to processing based on legitimate interests or for direct marketing. Direct marketing objections must be honoured immediately and unconditionally.
8. Rights related to automated decision-making: Individuals have the right not to be subject to solely automated decisions that significantly affect them, unless specific conditions apply.

Common failure point

The one-month response window for subject access requests catches many organisations off guard because the data they need to retrieve spans multiple systems: CRM, email, HR software, support tickets, and backups. Without a clear process and nominated owner, requests frequently go past the deadline. A late or incomplete response is independently reportable to the supervisory authority by the individual.

The fine structure

GDPR fines operate on two tiers, and the distinction matters because the top tier covers the most common compliance failures.

Tier 1 fines cover less serious infringements, primarily procedural and technical obligations: failing to maintain adequate records of processing, not implementing appropriate technical measures, failing to appoint a DPO when required. Tier 1 can reach €10 million or 2% of global annual turnover.

Tier 2 fines apply to the most serious infringements: violating core processing principles (lawfulness, fairness, transparency, purpose limitation, data minimisation), processing without a valid lawful basis, infringing data subject rights, and unlawful international transfers. Tier 2 fines can reach €20 million or 4% of global annual turnover, whichever is higher.

Fines are not the only enforcement tool available. Supervisory authorities can issue warnings, reprimands, temporary or permanent bans on processing, and orders to notify affected individuals. The Dutch Autoriteit Persoonsgegevens has been increasingly active: its published enforcement decisions cover everything from inadequate cookie consent to insufficient breach notification at large employers.

Getting your programme in order

If your data protection programme has not been reviewed recently, start with the RoPA. A current, accurate processing register makes every other compliance activity easier: lawful basis reviews, DPIAs, privacy notice updates, and breach response all depend on knowing what you process and why.

  • Audit your current processing activities and document each one in your RoPA, including the lawful basis for each activity.
  • Review your privacy notices to ensure they match what you actually do, not what you intended to do when they were last written.
  • Build a breach response procedure that includes the 72-hour notification step explicitly, with a named person responsible for regulatory communication.
  • Map your data flows to third-party processors. Every processor relationship should be governed by a Data Processing Agreement as required by Article 28.
  • Check whether you transfer personal data outside the EEA. Post-Brexit UK, and any transfers to countries without an adequacy decision, require appropriate transfer mechanisms such as Standard Contractual Clauses.
  • Test your response to subject access requests with a simulated request before a real one arrives.
  • If you process special category data or conduct large-scale monitoring, confirm whether a DPIA is required and, if one exists, whether it is current.
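The checklist above is easier to keep honest if the RoPA is checked mechanically for the gaps the guide names: a missing or unrecognised lawful basis, legitimate interests without a documented balancing test, special category data without an Article 9 condition, a processor without an Article 28 DPA, a non-EEA transfer without a transfer mechanism, and no retention period. The following Python is an added example written for this guide, not code from Cyvra or any regulator; the field names, the `RopaEntry` structure and the sample register are constructed assumptions for illustration.

```python
"""Consistency checks over Record of Processing Activities (RoPA) entries.

Added example: encodes the gaps named in the guide's checklist so they
surface before an audit. Field names and the sample register are
assumptions for illustration, not a regulator's schema.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# The six Article 6 bases, as listed in the guide.
LAWFUL_BASES = {
    "consent", "contract", "legal_obligation",
    "vital_interests", "public_task", "legitimate_interests",
}


@dataclass
class RopaEntry:
    name: str
    purpose: str
    lawful_basis: str
    data_categories: list[str] = field(default_factory=list)     # e.g. "contact", "health"
    special_category: bool = False
    article9_condition: str = ""           # must be set when special_category is True
    balancing_test_ref: str = ""           # must be set for legitimate interests
    retention: str = ""                    # e.g. "7 years after contract end"
    processors: list[dict] = field(default_factory=list)         # {"name": ..., "dpa_signed": bool}
    non_eea_transfers: list[dict] = field(default_factory=list)  # {"country": ..., "mechanism": ...}


def check_entry(entry: RopaEntry) -> list[str]:
    """Return the findings for one entry; an empty list means it passes these checks."""
    findings: list[str] = []
    if not entry.purpose.strip():
        findings.append("no purpose documented")
    if entry.lawful_basis not in LAWFUL_BASES:
        findings.append(f"lawful basis '{entry.lawful_basis}' is not one of the six Article 6 bases")
    if entry.lawful_basis == "legitimate_interests" and not entry.balancing_test_ref:
        findings.append("legitimate interests used without a documented balancing test")
    if entry.special_category and not entry.article9_condition:
        findings.append("special category data without an Article 9 condition")
    if not entry.retention.strip():
        findings.append("no retention period documented")
    for proc in entry.processors:
        if not proc.get("dpa_signed"):
            findings.append(f"processor '{proc.get('name', '?')}' has no Article 28 DPA")
    for transfer in entry.non_eea_transfers:
        if not transfer.get("mechanism"):
            findings.append(f"transfer to {transfer.get('country', '?')} outside the EEA has no transfer mechanism")
    return findings


def check_register(entries: list[RopaEntry]) -> dict[str, list[str]]:
    """Map entry name to findings; entries with no findings are left out."""
    return {e.name: f for e in entries if (f := check_entry(e))}


# Constructed sample register: one clean entry and two with deliberate gaps.
SAMPLE_REGISTER = [
    RopaEntry(
        name="customer_billing", purpose="Invoice and deliver paid subscriptions",
        lawful_basis="contract", data_categories=["contact", "payment"],
        retention="7 years after contract end (tax law)",
        processors=[{"name": "payments-vendor", "dpa_signed": True}],
    ),
    RopaEntry(
        name="website_analytics", purpose="Understand site usage",
        lawful_basis="legitimate_interests", data_categories=["browsing"],
        retention="",                                                      # gap
        processors=[{"name": "analytics-vendor", "dpa_signed": False}],    # gap
        non_eea_transfers=[{"country": "US", "mechanism": ""}],            # gap
    ),
    RopaEntry(
        name="occupational_health", purpose="Manage sickness absence",
        lawful_basis="legal_obligation", data_categories=["health"],
        special_category=True, article9_condition="",                      # gap
        retention="Duration of employment plus 2 years",
    ),
]

if __name__ == "__main__":
    for entry_name, entry_findings in check_register(SAMPLE_REGISTER).items():
        print(entry_name)
        for finding in entry_findings:
            print("  -", finding)
```

Run as a script it lists only the entries with gaps. Treating the register as data that a check can run over, rather than a document that is read once, is what keeps it current between the change that introduces a new processor or transfer and the audit that asks about it.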

The Autoriteit Persoonsgegevens accepts voluntary breach reports and questions from organisations working through compliance gaps. Coming to a regulator with a remediation plan in hand is consistently treated more favourably than being found non-compliant during an audit. Our audits and compliance team works with organisations at every stage of building a GDPR programme, from initial gap assessments to ongoing DPO support.

Frequently asked questions

Does GDPR apply to my business if we are based outside the EU?

Yes. GDPR applies to any organisation that processes the personal data of individuals in the EU or EEA, regardless of where the organisation itself is based. This is the extraterritorial scope set out in Article 3. If you sell goods or services to EU residents, or monitor the behaviour of individuals in the EU, you are subject to GDPR even if you have no office or legal entity within the EU.

What is a Record of Processing Activities and do we need one?

A Record of Processing Activities (RoPA) is a documented inventory of every way your organisation processes personal data: what data you hold, who you share it with, how long you keep it, and the lawful basis for processing. Article 30 requires organisations with 250 or more employees to maintain a full RoPA. Smaller organisations are only required to maintain records for processing that is not occasional, involves special category data, or could risk the rights of individuals. In practice, most organisations processing customer, employee, or health data should maintain one regardless of size.

When must we appoint a Data Protection Officer?

A Data Protection Officer is mandatory under GDPR Article 37 in three situations: if you are a public authority or body; if your core activities require large-scale, systematic monitoring of individuals; or if your core activities involve large-scale processing of special category data (health, biometric, criminal conviction data, etc.). Even if none of these apply to you, appointing a DPO voluntarily is advisable if your data processing is complex or high-risk, as it demonstrates accountability to regulators.

What counts as a personal data breach under GDPR?

A personal data breach is any security incident leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This covers more than just cyberattacks: a misdirected email, a lost laptop, or an accidentally public file share all qualify. Not every breach needs to be reported, but you must assess the risk to individuals and notify your supervisory authority within 72 hours if there is a likely risk to people's rights and freedoms.

What are the maximum fines for GDPR violations?

GDPR fines operate on two tiers. Tier 1 covers less serious infringements (mostly procedural and technical obligations) and allows fines up to €10 million or 2% of global annual turnover, whichever is higher. Tier 2 covers the most serious infringements, including violations of core processing principles, breach of the lawful basis requirement, and infringement of data subject rights. Tier 2 fines can reach €20 million or 4% of global annual turnover. Supervisory authorities can also issue warnings, reprimands, temporary processing bans, and orders to communicate breaches to affected individuals.

Talk to Cyvra

Not sure where your GDPR programme has gaps?

We run data protection gap assessments and provide ongoing DPO support for organisations in the Netherlands and UK.