GDPR Explained

What is GDPR?

The General Data Protection Regulation is a European Union law that came into force on 25 May 2018. It governs how organisations collect, store, and use personal data — and it applies to any website or business that handles data belonging to EU residents, regardless of where the business is based.

Why does it exist?

Before GDPR, data protection rules across Europe were fragmented and largely toothless. Companies collected personal data freely, sold it to brokers, and faced minimal consequences when things went wrong.

GDPR replaced the 1995 Data Protection Directive with a single, enforceable framework and real penalties. It shifted the default: instead of users having to opt out of data collection, organisations now have to justify every piece of data they collect.

The short version: users own their data. Businesses are just borrowing it — with permission.

Who does GDPR apply to?

GDPR applies if any of the following are true:

  • Your organisation is based in the EU or EEA
  • You offer goods or services to people in the EU (even for free)
  • You monitor the behaviour of people in the EU (e.g. analytics, retargeting)

In practice, if your website is publicly accessible and you run Google Analytics or have a contact form, GDPR almost certainly applies to you.

The 6 things GDPR requires

Lawfulness & transparency

You must have a valid legal reason to collect data (consent, contract, legal obligation, etc.) and be upfront with users about what you collect and why.

Purpose limitation

Data collected for one purpose can't be quietly repurposed. If you collect an email for a newsletter, you can't use it for targeted ads without separate consent.

Data minimisation

Only collect what you actually need. If your contact form doesn't need a phone number, don't ask for it.

User rights

Users can request a copy of their data (Subject Access Request), ask for it to be deleted (Right to Erasure), and correct inaccurate records. You must be able to fulfil these.

Data transfers

Sending personal data outside the EU/EEA requires safeguards — Standard Contractual Clauses (SCCs) or ensuring the destination country has adequate protections.

Breach notification

If you suffer a personal data breach that is likely to put users' rights at risk, you must notify your supervisory authority within 72 hours of becoming aware of it and, where the risk is high, inform the affected users as well.

What does it mean for your website?

For most websites, GDPR compliance comes down to a handful of practical requirements:

  • Cookie consent banner: users must be able to accept or reject non-essential cookies before they're set.
  • Privacy policy: must clearly explain what data you collect, why, how long you keep it, and who you share it with.
  • Form consent: contact and signup forms need a clear, unchecked consent checkbox — no pre-ticked boxes.
  • Secure connection (HTTPS): transmitting personal data over unencrypted HTTP fails GDPR's "appropriate technical measures" requirement.
  • Third-party scripts disclosed: every analytics or tracking tool you use must be listed in your privacy policy.
  • Contact information: users must be able to find who controls their data and how to contact them.
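As an added example, not code from this page or from the scanner it promotes: a small consent gate in JavaScript covering the first and third points above. Non-essential scripts are only injected after an explicit opt-in recorded against the current policy version, and a form consent checkbox only counts if it was not pre-ticked in the markup. The script URLs, category names and policy version are constructed placeholders.

```javascript
// Added example: consent gate for non-essential scripts + strict form consent check.
// POLICY_VERSION and SCRIPTS are constructed placeholders, not real endpoints.
const POLICY_VERSION = "2024-01"; // bump whenever the privacy policy changes

// Each third-party script declares the consent category it needs.
// "necessary" runs without consent; every other category is gated.
const SCRIPTS = [
  { src: "https://example.invalid/analytics.js", category: "analytics" },
  { src: "https://example.invalid/retarget.js", category: "marketing" },
  { src: "/js/app.js", category: "necessary" },
];

// State before the user has chosen anything: nothing non-essential is allowed.
function defaultConsent() {
  return { necessary: true, analytics: false, marketing: false, version: null, at: null };
}

// Record an explicit choice. Rejecting is as valid as accepting and is stored too,
// so the banner is not shown again and the decision is auditable.
// Only a literal boolean true counts as opt-in ("on", 1 or "yes" do not).
function recordConsent(choices, now = Date.now()) {
  return {
    necessary: true,
    analytics: choices.analytics === true,
    marketing: choices.marketing === true,
    version: POLICY_VERSION,
    at: now,
  };
}

// A stored record only counts if it was given against the current policy version;
// otherwise fall back to the default (ask again) rather than reusing stale consent.
function allowedScripts(consent, scripts = SCRIPTS) {
  const effective = consent.version === POLICY_VERSION ? consent : defaultConsent();
  return scripts.filter((s) => s.category === "necessary" || effective[s.category] === true);
}

// Inject only the allowed scripts. `doc` is a parameter (pass `document` in the
// browser) so the gating logic can be exercised without a DOM.
function loadAllowed(consent, doc) {
  for (const s of allowedScripts(consent)) {
    const el = doc.createElement("script");
    el.src = s.src;
    el.async = true;
    doc.head.appendChild(el);
  }
}

// Form consent: the box must be checked now AND must not have been pre-ticked in
// the HTML (defaultChecked), so a default-on checkbox is rejected as non-consent.
function formConsentGiven(checkbox) {
  return Boolean(checkbox) && checkbox.checked === true && checkbox.defaultChecked === false;
}
```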

What are the fines?

GDPR fines are tiered. Regulators tend to go after systemic violations or wilful negligence rather than honest mistakes — but small businesses are not exempt, and DPAs (Data Protection Authorities) across Europe are increasingly active.

Tier 1: €10 million or 2% of global turnover

Failing to keep records, not having a data processing agreement in place with your processors, not notifying a breach

Tier 2: €20 million or 4% of global turnover

Violating core principles, ignoring user rights, unlawful data transfers

Fines are whichever is higher — the fixed amount or the percentage of global annual turnover. Notable examples: Meta fined €1.2 billion (2023), Amazon €746 million (2021), Google €150 million (2022).

Common myths

"I'm not based in the EU so it doesn't apply to me"

Reality: GDPR applies based on where your users are, not where you are. A US-based SaaS with EU customers is fully in scope.

"I'm too small to be fined"

Reality: Small businesses have been fined. German, Spanish, and Italian DPAs regularly issue fines under €50k. The risk scales with harm, not just company size.

"A cookie banner is enough"

Reality: A cookie banner is just one requirement. Without a compliant privacy policy, form consent, and data handling practices, you're still exposed.

"My privacy policy from 2018 is fine"

Reality: Regulations evolve. Enforcement guidelines have been updated, and your tools have probably changed. Outdated policies are a common finding in audits.

Check if your site is GDPR-compliant

Paste your URL and get a free scan in 30 seconds — 21 checks across SSL, cookie consent, privacy policy, forms, scripts, and more.
