GDPR compliance, run as a system rather than a spreadsheet
General Data Protection Regulation · European Union & EEA
The GDPR is the European Union's data protection regulation. It requires a lawful basis for every act of processing personal data, a documented record of processing activities, fulfilment of data subject requests within one month, breach notification within 72 hours, and the ability to demonstrate compliance on request.
Who it applies to
- Any organisation established in the EU or EEA that processes personal data
- Any organisation anywhere that offers goods or services to people in the EU
- Any organisation anywhere that monitors the behaviour of people in the EU
- There is no revenue or headcount threshold — a 10-person company outside Europe can be fully in scope
What it requires
A lawful basis for every processing activity
One of six: consent, contract, legal obligation, vital interests, public task, or legitimate interests. Consent is one option, and often the wrong one.
A record of processing activities (Article 30)
Purposes, categories of data and data subject, recipients, third-country transfers, retention periods, and security measures — kept current, not written once.
Data subject rights, inside the deadline
Access, rectification, erasure, restriction, portability, and objection. One month to respond, extendable by two for complex requests.
Breach notification within 72 hours
To the supervisory authority from the moment you become aware, where the breach poses a risk to individuals. To the individuals themselves if the risk is high.
DPIAs for high-risk processing (Article 35)
Required before you start, not after. Profiling, large-scale special-category data, and systematic monitoring are the headline triggers.
Accountability
You must be able to demonstrate all of the above. Doing the work and being unable to evidence it is, to a regulator, the same as not doing it.
Penalties
Up to €20 million or 4% of global annual turnover, whichever is higher. The lower tier — for record-keeping and security failures — reaches €10 million or 2%.
RegRely runs GDPR today
Every workflow below is live: data subject requests, records of processing, consent, compliance scans, risk, and audit-ready evidence.