The General Data Protection Regulation (GDPR) came into force across the European Union in May 2018 and remains the most influential data protection law in the world. It governs how organisations collect, store, process, and share the personal data of individuals in the EU and EEA. GDPR applies not only to European companies but to any business worldwide that offers goods or services to EU residents or monitors their behaviour — meaning a company based in India or the United Arab Emirates serving European customers is fully within scope.
Core Principles
GDPR is built on six data processing principles: lawfulness, fairness, and transparency; purpose limitation (data collected for one purpose cannot be silently repurposed); data minimisation (collect only what you need); accuracy; storage limitation (do not retain data longer than necessary); and integrity and confidentiality (appropriate security). These principles are not aspirational — supervisory authorities use them as the basis for enforcement decisions.
Legal Bases for Processing
Every processing activity must rest on one of six legal bases: consent, contract, legal obligation, vital interests, public task, or legitimate interests. Consent under GDPR is far stricter than pre-ticked boxes or vague opt-ins — it must be freely given, specific, informed, and unambiguous, and it must be as easy to withdraw as to give. Many organisations have shifted toward legitimate interests assessments for marketing and analytics rather than relying on cookie consent banners for all processing.
Individual Rights
- Right of access: Individuals can request a copy of all personal data held about them within 30 days.
- Right to rectification: Incorrect data must be corrected promptly.
- Right to erasure: The "right to be forgotten" — data must be deleted when it is no longer necessary or when consent is withdrawn.
- Right to portability: Data provided by the individual must be delivered in a machine-readable format.
- Right to object: Individuals can object to processing based on legitimate interests, including direct marketing.
Penalties
GDPR carries some of the highest regulatory fines in any area of law. Serious infringements — security breaches, unlawful processing, international transfers without safeguards — can attract fines of up to €20 million or 4% of annual global turnover, whichever is higher. Meta, Google, Amazon, and WhatsApp have each faced fines exceeding €200 million.
GDPR and Dictode
Dictode helps businesses operating in European markets design systems that are GDPR-compliant from the ground up — data mapping, consent management, access request workflows, and breach notification procedures. Compliance is an architecture decision as much as a legal one, and we ensure it is built into your software rather than bolted on afterwards.