
GDPR

General Data Protection Regulation

The General Data Protection Regulation (GDPR) is the European Union's landmark data protection law, governing how organisations collect, process, store, and protect personal data of individuals within the EU and EEA. Adopted in April 2016 and applied since 25 May 2018, GDPR replaced the Data Protection Directive 95/46/EC with a directly applicable regulation that harmonises data protection rules across all 27 Member States. Eight years of enforcement have established GDPR as the global benchmark for privacy regulation, with EUR 4.3 billion in cumulative fines issued by national data protection authorities. GDPR enshrines fundamental rights — including access, rectification, erasure, and data portability — while imposing strict obligations on controllers and processors, mandatory Data Protection Officer appointments, 72-hour breach notification, and penalties of up to 4% of global annual turnover. FortisEU operationalises GDPR compliance with automated data mapping, DSAR workflow management, breach notification tracking, and DPO reporting dashboards — all hosted on sovereign EU infrastructure.

Key facts

Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data

8 years enforced: applied since 25 May 2018
€4.3B+ cumulative fines: cumulative GDPR fines issued by DPAs across the EEA (2018–2026)
27 DPAs enforcing: one lead supervisory authority per Member State under the one-stop-shop mechanism
Max fine 4% / €20M: Article 83(5), up to EUR 20 000 000 or 4% of total worldwide annual turnover, whichever is higher
FAQ

Common Questions

Who does GDPR apply to?

GDPR applies to any organisation — regardless of size or location — that processes personal data of individuals in the EU/EEA. Article 3 establishes broad territorial scope: it applies to controllers and processors established in the EU (regardless of where processing takes place), and to non-EU organisations that offer goods or services to EU data subjects or monitor their behaviour within the EU. This means a US-based SaaS company serving EU customers, or a Singapore analytics firm tracking EU website visitors, is subject to GDPR.

What are the maximum GDPR fines?

GDPR establishes two tiers of administrative fines under Article 83. Tier 1 (Art. 83(4)): up to EUR 10,000,000 or 2% of total worldwide annual turnover for infringements relating to controller/processor obligations, certification bodies, or monitoring bodies. Tier 2 (Art. 83(5)): up to EUR 20,000,000 or 4% of total worldwide annual turnover for infringements of data processing principles, lawful basis conditions, data subject rights, or international transfer provisions. The landmark Meta Ireland fine of EUR 1.2 billion (May 2023) for US data transfers remains the largest GDPR penalty to date.

What is a Data Protection Officer and when is one required?

A Data Protection Officer (DPO) is an independent compliance role required under Article 37 when: (a) processing is carried out by a public authority or body, (b) the controller’s or processor’s core activities consist of processing operations requiring regular and systematic monitoring of data subjects on a large scale, or (c) core activities consist of processing special categories of data or personal data relating to criminal convictions on a large scale. The DPO must have expert knowledge of data protection law, report directly to the highest management level, and cannot be dismissed or penalised for performing their tasks.

How does GDPR interact with NIS2 and DORA?

GDPR, NIS2, and DORA are complementary EU regulations that may apply simultaneously. A cybersecurity incident affecting personal data can trigger GDPR breach notification (72 hours to DPA), NIS2 incident reporting (24-hour early warning to CSIRT), and DORA incident classification (for financial entities). Each regulation has distinct reporting channels, timelines, and content requirements. Organisations subject to multiple regimes should implement a unified incident response process that satisfies all applicable notification obligations in parallel.

What is the 72-hour breach notification requirement?

Under Article 33, controllers must notify the competent supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it. The notification must describe the nature of the breach, categories and approximate number of data subjects and records affected, the likely consequences, and measures taken or proposed to address the breach. If notification is not made within 72 hours, the controller must provide reasons for the delay. Breaches likely to result in high risk to individuals also require direct communication to affected data subjects under Article 34.

How does FortisEU help with GDPR compliance?

FortisEU provides an integrated GDPR compliance platform covering data mapping and records of processing activities, automated DSAR workflow management with response deadline tracking, breach notification workflows aligned to the 72-hour timeline, DPIA templates and risk assessment tools, DPO dashboard with compliance posture reporting, and cross-framework mapping to NIS2 and DORA — all hosted on sovereign EU infrastructure with EU-based AI assistance for policy drafting and gap analysis.

Operationalise GDPR Compliance

Turn GDPR requirements into automated workflows, evidence collection, and audit-ready outputs. Create an account or schedule a personalised demo.