
GDPR Compliance Guide 2026

The General Data Protection Regulation sets the global standard for data privacy. Whether you run a startup, an e-commerce store, or a global SaaS — if you process personal data of EU or UK residents, GDPR applies to you. Here is everything you need to know to comply, backed by real regulatory examples and instant tooling to get compliant fast.

€20M or 4% of global annual turnover: maximum GDPR fine (whichever is higher)
450M+ EU/EEA residents protected by GDPR's fundamental rights framework
180+ countries with transfer restrictions requiring adequacy or safeguards

What is GDPR?

The General Data Protection Regulation (Regulation (EU) 2016/679) is the European Union's flagship data protection law. It came into force on 25 May 2018, replacing the 1995 EU Data Protection Directive (Directive 95/46/EC) that had governed data protection across the bloc for over two decades.

GDPR was designed to harmonise data protection law across EU member states, give individuals stronger rights over their personal data, and impose meaningful accountability on organisations that collect and use that data. Rather than creating a patchwork of national laws, GDPR introduced a single regulation with direct effect in all EU member states — no transposition into national law required.

Its significance extends far beyond Europe's borders. GDPR's extra-territorial scope (Article 3) means that any organisation anywhere in the world that offers goods or services to EU residents, or monitors their behaviour online, must comply. This has effectively made GDPR the de facto global data protection standard, influencing similar laws in Brazil (LGPD), California (CCPA/CPRA), Canada, India, and dozens of other jurisdictions.

Key facts at a glance:

Came into force: 25 May 2018
Regulation number: EU 2016/679
Replaces: Directive 95/46/EC (1995)
Maximum fine (Tier 2): €20M or 4% global turnover
Maximum fine (Tier 1): €10M or 2% global turnover
Response deadline (DSAR): 1 calendar month (extendable to 3)
Breach notification window: 72 hours to supervisory authority
UK equivalent: UK GDPR + Data Protection Act 2018
Supervisory authority (EU): National DPAs + EDPB
Supervisory authority (UK): ICO (Information Commissioner)

Who Must Comply with GDPR?

GDPR applies to any organisation — regardless of size or location — that processes personal data of individuals in the EU/EEA. Compliance is not optional, and “we're a small business” is not an exemption.

EU / EEA Businesses (Article 3(1))

Any organisation established in the EU or EEA that processes personal data as part of its activities — regardless of whether the processing itself takes place in the EU. This includes sole traders, startups, charities, and large enterprises alike.

Non-EU Businesses Targeting EU Residents (Article 3(2))

Organisations outside the EU that offer goods or services to individuals in the EU/EEA (even free services), or that monitor the behaviour of EU/EEA individuals (e.g. via analytics, tracking, or profiling). Such organisations must typically appoint an EU representative (Article 27).

Data Processors (Article 28)

Organisations that process personal data on behalf of a controller — such as cloud providers, SaaS vendors, payroll bureaux, and marketing agencies. Processors have direct obligations under GDPR and can be fined independently of the controller.

The 7 GDPR Principles

Article 5 of GDPR sets out seven core principles that must govern all personal data processing. These are not aspirational — they are binding obligations. Failure to comply with any of them can result in enforcement action, including the largest fines.

Principle 1: Lawfulness, Fairness & Transparency

Personal data must be processed lawfully, fairly, and in a transparent manner. You must have a valid legal basis (consent, contract, legal obligation, vital interests, public task, or legitimate interests) and be open with data subjects about how their data is used.

Principle 2: Purpose Limitation

Data must be collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes. Secondary uses require a fresh legal basis or must be compatible with the original purpose.

Principle 3: Data Minimisation

Only collect data that is adequate, relevant, and limited to what is necessary for the purpose. Avoid collecting data "just in case" — every data point you hold is a liability if mishandled.

Principle 4: Accuracy

Personal data must be accurate and, where necessary, kept up to date. Inaccurate data must be erased or rectified without delay. Build mechanisms to allow data subjects to update their information.

Principle 5: Storage Limitation

Data must not be kept in a form that identifies individuals for longer than necessary for the purpose. Define — and enforce — retention periods. Anonymise or delete data when the purpose is fulfilled.

Principle 6: Integrity & Confidentiality

Data must be processed with appropriate security to protect against unauthorised access, loss, destruction, or damage. Implement technical and organisational measures proportionate to the risk — encryption, access controls, audit logs, and staff training.

Principle 7: Accountability

The data controller bears responsibility for — and must be able to demonstrate — compliance with all other principles. This means maintaining documentation, conducting DPIAs, training staff, and implementing governance frameworks.

Remember: compliance must be demonstrable

Under the accountability principle, it is not enough to be compliant — you must be able to prove it. Maintain documentation, conduct audits, and train your team.

Individual Rights Under GDPR

Chapter III of GDPR grants data subjects eight distinct rights. Your privacy policy must explain these rights, and you must have processes in place to honour them within the statutory timeframes.

Right of Access (Art. 15)

Individuals can request a copy of all personal data held about them, plus details of how it is being used, where it came from, and with whom it has been shared.

Right to Rectification (Art. 16)

Individuals can require correction of inaccurate personal data and completion of incomplete data, without undue delay.

Right to Erasure (Art. 17)

The 'right to be forgotten' — individuals can request deletion of their data in certain circumstances, e.g. when consent is withdrawn, the purpose is fulfilled, or the processing was unlawful.

Right to Data Portability (Art. 20)

Where processing is based on consent or contract and carried out by automated means, individuals can receive their data in a structured, commonly used, machine-readable format and transmit it elsewhere.

Right to Object (Art. 21)

Individuals can object to processing based on legitimate interests or the performance of a public task at any time, including objecting to direct marketing — which carries an absolute right to stop.

Right to Restriction of Processing (Art. 18)

In certain circumstances, individuals can require processing to be restricted — meaning data can be stored but not otherwise used — while accuracy is contested or an objection is pending.

Rights re: Automated Decision-Making (Art. 22)

Individuals have the right not to be subject to solely automated decisions — including profiling — that produce legal or similarly significant effects, unless specific conditions apply and safeguards are in place.

Right to be Informed (Arts. 13–14)

Individuals must be provided with clear information about how their data is collected and used — at the point of collection (directly obtained) or within one month (indirectly obtained). This is typically delivered via a privacy policy.

Required Documentation

GDPR compliance requires more than a privacy policy on your website. The following documentation forms the backbone of a defensible compliance programme. Having these in place dramatically reduces your exposure in the event of a regulatory inquiry or breach.

Privacy Policy

Your primary transparency document under Articles 13 and 14. Must cover: identity of the controller, purposes and legal bases, retention periods, individual rights, and third-party recipients.

Data Processing Agreement (DPA)

Required under Article 28 whenever you engage a processor (e.g. a cloud provider, email platform, or payroll service). Must include subject matter, nature, purpose, and duration of processing.

Records of Processing Activities (ROPA)

Required under Article 30 for organisations with 250+ employees, or those whose processing poses a risk to individuals' rights, is not occasional, or includes special category or criminal data. Describes all processing activities.

Consent Records

Where consent is your legal basis, you must maintain records proving consent was freely given, specific, informed, and unambiguous. Records must include who consented, when, and to what.

Data Protection Impact Assessment (DPIA)

Required under Article 35 before undertaking high-risk processing — e.g. large-scale profiling, systematic monitoring of public areas, or processing special category data. A DPIA identifies and mitigates privacy risks.

Breach Notification Procedure

Document your internal process for detecting, reporting, and responding to data breaches. Must enable 72-hour supervisory authority notification and, where required, individual notification without undue delay.

Cookie Policy

A dedicated disclosure of all cookies and trackers used on your website, their purposes, lifetimes, and the third parties they share data with. Required alongside a functioning consent mechanism.

Notable GDPR Fines

Regulators have demonstrated willingness to impose substantial fines for serious violations. These cases illustrate the types of failures that attract enforcement — and the scale of penalties your organisation could face.

Meta (Facebook): €1.2 billion (2023, Irish DPC)

Illegal transfers of EU user data to the United States without adequate safeguards following the invalidation of Privacy Shield.

Amazon: €746 million (2021, Luxembourg CNPD)

Advertising targeting practices conducted without valid consent, constituting unlawful processing of personal data.

WhatsApp (Meta): €225 million (2021, Irish DPC)

Transparency failures — the privacy policy and information provided to users did not clearly explain how personal data was shared between WhatsApp and other Meta companies.

TikTok: €345 million (2023, Irish DPC)

Processing of children's personal data without adequate safeguards, including public-by-default account settings and inadequate age verification for under-13s.

Fines are illustrative of regulatory priorities. Source: public DPA decisions and the GDPR Enforcement Tracker. Fine amounts reflect the original decision and may be subject to appeal.

GDPR Compliance Checklist

Use this checklist as a starting point for your GDPR compliance programme. It is not exhaustive — your obligations depend on your specific activities, data types, and jurisdictions. We recommend reviewing with qualified legal counsel.

Privacy policy published, accessible from every page, and reviewed in the past 12 months
Cookie consent mechanism (CMP) in place — consent recorded before non-essential cookies fire
Data Processing Agreements signed with all processors who access personal data
Records of Processing Activities (ROPA) maintained and kept current
DSAR procedure documented and tested — including 30-day response tracking
Data breach detection, reporting, and notification procedure documented
DPIAs completed for any high-risk processing activities
Staff who handle personal data trained on GDPR obligations and your policies
Data minimisation review — are you collecting only what you genuinely need?
Privacy by design embedded in new product and feature development processes

GDPR Frequently Asked Questions

Common questions from business owners, developers, and marketers navigating GDPR.

Does GDPR apply to my business if I am based outside the EU?

Yes. GDPR has extra-territorial scope under Article 3. If your organisation is established outside the EU but offers goods or services to individuals in the EU/EEA, or monitors their behaviour (e.g. via analytics or cookies), GDPR applies to those processing activities. Non-EU organisations often need to appoint an EU representative under Article 27.

What's the difference between GDPR and UK GDPR?

UK GDPR is the retained EU GDPR, incorporated into UK law by the European Union (Withdrawal) Act 2018 and amended by the Data Protection, Privacy and Electronic Communications Regulations 2019. It is substantively identical to EU GDPR in most respects, with the ICO (Information Commissioner's Office) as the supervisory authority instead of an EU DPA. Organisations operating in both the UK and EU must comply with both frameworks independently.

Do I need a Data Protection Officer (DPO)?

A DPO is mandatory under Article 37 for: (1) public authorities or bodies, (2) organisations whose core activities require large-scale, regular and systematic monitoring of individuals (e.g. search engines, ad networks), and (3) organisations whose core activities involve large-scale processing of special category data or criminal conviction data. Other organisations may appoint a DPO voluntarily — which can be a prudent governance decision even when not strictly required.

What counts as personal data under GDPR?

Personal data is any information relating to an identified or identifiable natural person (a 'data subject'). This includes names, email addresses, IP addresses, cookie identifiers, location data, device IDs, and any other information that can directly or indirectly identify a living individual. Pseudonymised data still falls within GDPR's scope if re-identification is possible. Truly anonymised data — where identification is irreversible — falls outside GDPR's scope.

How long do I have to respond to a Data Subject Access Request (DSAR)?

Under GDPR Article 12, you must respond to a DSAR without undue delay and at the latest within one calendar month of receiving the request. Where requests are complex or numerous, you may extend by a further two months, but must inform the data subject within the first month and explain why. The response must be provided free of charge unless the request is manifestly unfounded or excessive.

What should I do if I have a data breach?

Under GDPR Article 33, you must notify your lead supervisory authority (e.g. the ICO in the UK, or the relevant EU DPA) within 72 hours of becoming aware of a breach that is likely to result in a risk to individuals' rights and freedoms. If the breach is likely to result in a high risk to individuals, you must also notify those individuals without undue delay under Article 34. Document all breaches in your internal breach register, even those you decide not to notify.

Not legal advice. Policify is a technology provider — not a law firm. The information on this page is for general informational purposes and does not constitute legal advice. Laws change. Enforcement priorities evolve. Before relying on any of the above for your specific situation, consult a qualified solicitor or data protection practitioner.

Generate GDPR-Compliant Policies in Under 60 Seconds

Stop putting off GDPR compliance. Policify generates production-quality privacy policies, cookie policies, DPAs, and 118 more document types — AI-reviewed, jurisdiction-aware, and always up to date. Start free.

Technology provider — not a law firm. Review generated documents with qualified counsel before publication.