Table of Contents
- What is GDPR?
- A brief history of GDPR
- Who does GDPR apply to?
- The seven key principles of GDPR
- Individual rights under GDPR
- GDPR penalties and enforcement
- How companies can ensure GDPR compliance
- GDPR and contracts: data processing agreements and vendor obligations
- How to make a website GDPR-compliant
- Can click-to-accept agreements be used for GDPR compliance?
- Legal’s role in GDPR compliance
- Examples of GDPR impact
- Managing GDPR compliance with the right tools
- Frequently asked questions about GDPR
Want more content like this? Sign up for our monthly newsletter.
Key takeaways:
- Understand that GDPR applies to any organization processing EU residents’ data regardless of location, with penalties up to €20 million or 4% of global revenue for non-compliance.
- Build compliance by conducting a complete data inventory, obtaining valid consent, implementing security measures, appointing oversight, creating request-handling processes, conducting impact assessments, and monitoring continuously.
- Execute data processing agreements with every vendor handling personal data on your behalf, as you remain legally responsible for data protection even when third parties process the information.
- Use the seven core principles (lawfulness, purpose limitation, data minimization, accuracy, storage limitation, security, accountability) as your framework when evaluating any data practice.
Most legal professionals don’t think about data privacy law until something forces them to. A new vendor contract lands on your desk with unusual data sharing terms. Your sales team wants to launch a product in Europe. A customer sends a formal request to delete all their information from your systems. Suddenly, the General Data Protection Regulation (GDPR) goes from an abstract compliance topic to a very concrete operational challenge.
That’s exactly the situation this guide is designed for. Whether you’re orienting yourself for the first time or trying to get your team aligned on what GDPR actually requires, this overview covers what the regulation is, who it applies to, and what your organization needs to do about it.
What is GDPR?
The General Data Protection Regulation (GDPR) is the European Union’s comprehensive data privacy law that governs how organizations collect, use, and protect personal data. It took effect on May 25, 2018, establishing strict requirements for businesses worldwide.
GDPR fundamentally changed how organizations handle personal information. Companies must now obtain explicit consent, implement strong security measures, and give individuals control over their data.
The regulation applies to any organization that processes EU residents’ data, regardless of where that organization is located. This global reach makes GDPR one of the most influential privacy frameworks in the world.
What counts as personal data under GDPR?
Under the GDPR, personal data is any information that relates to an identified or identifiable living person. This includes obvious things like names, email addresses, and ID numbers, but it also covers web data like location details, IP addresses, and cookie identifiers. If you can use a piece of data to figure out who someone is, it counts.
The regulation also carves out a special category for sensitive personal data—things like health records, biometric data, religious beliefs, and political opinions. These require even stricter protections and typically need explicit consent before processing.
A brief history of GDPR
Before the GDPR, Europe relied on the 1995 Data Protection Directive. But as the internet grew and data collection became a massive part of doing business, those old rules could not keep up. The EU drafted the GDPR to modernize privacy laws and give individuals more control over their digital footprints.
The regulation was adopted in April 2016 and officially went into effect on May 25, 2018, after a two-year transition period. That date immediately forced companies to rethink their data strategies, or risk significant penalties.
GDPR has evolved through several key regulatory updates and clarifications since 2018. In July 2020, the Court of Justice of the European Union issued a ruling in the Schrems II case, which invalidated the EU-US Privacy Shield framework for data transfers and placed new restrictions on Standard Contractual Clauses. The European Data Protection Board continues to publish guidance on topics like consent, data protection impact assessments, and cross-border processing.
Who does GDPR apply to?
The short answer is that the GDPR applies to any organization that processes the personal data of people inside the EU. It does not matter where your company is headquartered. If you are collecting data from EU residents, you have to play by these rules.
The regulation applies to two types of entities: data controllers (organizations that decide why and how personal data is processed) and data processors (counterparties that process data on behalf of controllers). Both carry compliance obligations, though controllers bear the primary responsibility.
Does GDPR apply to US companies?
GDPR applies to US businesses that process data from EU residents, regardless of where your company is located. If your website, app, or service reaches European customers, you must comply with GDPR requirements.
Non-compliance carries serious consequences. Companies face fines up to €20 million or 4% of global annual revenue, whichever is higher. Beyond financial penalties, GDPR violations damage reputation and erode customer trust.
GDPR’s influence extends beyond enforcement. The regulation sparked a wave of US privacy legislation, including the California Consumer Privacy Act (CCPA) and Virginia’s Consumer Data Protection Act (CDPA).
The seven key principles of GDPR
The entire regulation is built on seven core principles that dictate how you should handle data:
- Lawfulness, fairness, and transparency: You need a valid reason to process data, and you have to be upfront about it.
- Purpose limitation: Only use data for the specific reason you collected it.
- Data minimization: Do not collect more information than you actually need. According to the 2026 Most GC Pursue a Costly & Ineffective Contract Analytics Strategy Gartner report, a targeted “just-what’s-needed” approach to gathering information improves a legal department’s ability to produce high-quality analytics by nearly four times compared to a broad “just in case” strategy.
- Accuracy: Keep personal data correct and up to date.
- Storage limitation: Delete data when you no longer need it for your stated purpose.
- Integrity and confidentiality: Keep the data secure from unauthorized access or accidental loss.
- Accountability: You must be able to prove that you are following all of these principles.
These principles inform every other provision of the regulation. If you are ever unsure whether a particular data practice is compliant, come back to these fundamentals.
Individual rights under GDPR
The GDPR gives individuals specific rights regarding their personal information. They have the right to know what data you have on them, the right to access it, and the right to correct any mistakes. They also have the right to be forgotten, meaning they can ask you to delete their data entirely.
Other key rights include the right to restrict processing, the right to data portability (receiving their data in a commonly used format), and the right to object to certain types of processing like direct marketing. Your organization needs processes in place to handle these requests quickly and efficiently, typically within one month.
GDPR penalties and enforcement
Regulators take the GDPR seriously, and the penalties for ignoring it are steep. Non-compliance with the GDPR can result in fines of up to 4% of a company’s global annual revenue or €20 million, whichever is greater. Less severe violations can still result in fines up to €10 million or 2% of global revenue.
Beyond the financial hit, non-compliance can severely damage your reputation and vendor relationships. EU regulators have shown they are willing to enforce these rules against companies of all sizes, from multinational tech giants to small businesses.
How companies can ensure GDPR compliance
Knowing GDPR applies to you is one thing. Building a program that actually satisfies its requirements is another. Meeting those requirements involves seven essential steps, and the first two lay the groundwork for everything else.
Understanding your data landscape is the foundation of GDPR compliance. Conduct a complete inventory of all personal data your organization collects, processes, and stores. Document how data flows through your systems, where it’s stored, and which third parties access it.
Obtaining valid consent requires meeting four specific criteria. Your consent requests must be freely given, specific to each purpose, clearly explained, and unambiguous in their intent. Users must actively opt in rather than opt out.
From there, the remaining five steps translate that foundation into operational controls:
- Implement security measures: Put appropriate technical and organizational safeguards in place to protect personal data, including access controls, encryption, and regular backups. This is especially urgent given that only two percent of businesses have implemented firm-wide cyber resilience.
- Appoint a Data Protection Officer (DPO): Designate a DPO, or at least someone who oversees GDPR compliance, particularly if your organization processes large volumes of personal data.
- Respond to data subject requests: Build a process to handle requests from individuals, including requests for access to their data, deletion, and corrections, within the required timeframes.
- Conduct data protection impact assessments (DPIAs): Run DPIAs for high-risk processing activities, such as large-scale data processing or handling sensitive personal data.
- Monitor compliance: Regularly review your GDPR program, including internal policies, procedures, staff training, third-party contracts, and data protection impact assessments.
GDPR compliance requires a comprehensive and ongoing effort to protect personal data and ensure the rights of individuals are respected.
GDPR and contracts: data processing agreements and vendor obligations
When you share personal data with third-party vendors, you are still responsible for keeping that data safe. The GDPR requires you to have a data processing agreement (DPA) in place with any vendor that handles personal data on your behalf. These contracts legally bind your vendors to the same strict privacy standards that you follow.
A solid DPA should spell out the subject matter and duration of processing, the nature and purpose of processing, the type of personal data involved, and the obligations of both parties. If a vendor makes a mistake and you do not have a solid agreement in place, your organization is the one on the hook.
Here’s where contract management becomes critical to GDPR compliance. You need to track which vendors have access to personal data, ensure each relationship is covered by a compliant DPA, and monitor those agreements for renewals and updates. For organizations with dozens or hundreds of vendor relationships, this becomes a significant operational challenge without the right systems in place.
How to make a website GDPR-compliant
Website GDPR compliance requires six specific actions. The first and most visible is consent. After that, five additional requirements cover how you communicate, protect, and manage the data you collect.
Consent mechanisms must capture explicit agreement before any data processing begins. Ask visitors to actively consent to cookies, tracking, and data processing before these activities start. Make each consent request specific to its purpose, clearly explained, and easy to understand.
Provide a privacy policy: Websites should provide a clear and concise privacy policy that outlines what personal data is collected, how it is used, who it is shared with, and how it is protected. The policy should also include contact information for a Data Protection Officer (DPO), or other data-protection resource.
Implement security measures: Websites should implement appropriate technical and organizational security measures to protect personal data, including access controls, encryption, and regular backups.
Enable data subject rights: Websites should provide a way for visitors to exercise their GDPR rights, including the right to access, correct, and delete personal data.
Use compliant third-party services: Websites should ensure that any third-party services used on the site, such as analytics, advertising, or social media plugins, are GDPR-compliant.
Obtain parental consent for minors: If a website is intended for use by children under the age of 16, parental consent should be obtained before collecting personal data.
GDPR compliance entails a comprehensive and ongoing effort to protect personal data and ensure the rights of individuals are respected. Talk with the legal and technical experts on your team to implement these GDPR-compliant measures.
Can click-to-accept agreements be used for GDPR compliance?
Click-to-accept agreements meet GDPR requirements when properly designed. These agreements must clearly explain what data you’re collecting, how you’ll use it, who receives it, and how long you’ll keep it.
The language in your click-to-accept agreement should be plain and concise. Avoid burying important consent terms in lengthy legal terms and conditions, and always provide an easy opt-out option.
Generally, click to accept agreements can be used for GDPR compliance if they are designed in a way that respects individuals’ rights to control their personal data. Work with your legal team to ensure your click-to-accept agreements are designed to meet GDPR requirements.
Legal’s role in GDPR compliance
The legal team plays an important role in ensuring GDPR compliance within a company. Legal is typically responsible for managing legal affairs and advising the company on legal matters, including data protection and privacy issues.
Specifically, the legal team’s role in GDPR compliance may include:
- Providing guidance on GDPR compliance: Advising the company on the requirements of the GDPR, and helping to develop policies and procedures to ensure compliance
- Conducting risk assessments: Helping the company to identify areas of risk related to GDPR compliance, and developing strategies to mitigate those risks.
- Reviewing contracts: Reviewing contracts with third-party vendors to ensure that they are GDPR compliant, and negotiating GDPR-related provisions where necessary.
- Managing data subject access requests: Overseeing the process for handling data subject access requests, which are requests from individuals to access their personal data held by the company.
- Monitoring and responding to data breaches: Overseeing the company’s response to data breaches, which includes identifying the breach, assessing the risk, notifying the appropriate authorities and affected individuals, and implementing remedial measures.
The legal team plays a critical role in ensuring that the company complies with the GDPR, and in protecting the privacy rights of individuals whose data the company processes.
Examples of GDPR impact
GDPR created four major shifts in how businesses handle data worldwide.
Data privacy awareness increased dramatically. Organizations now recognize their legal obligations to protect personal information, and individuals understand their rights to control their data.
Compliance requirements became significantly stricter. Companies must obtain explicit consent before collecting personal data and implement robust security measures to protect that information, with data protection now the #1 influence on cybersecurity spending decisions.
Enforcement followed suit. The GDPR gave EU regulators more power to act on data protection violations and impose meaningful penalties on businesses that fall short. Non-compliance with the GDPR can result in fines of up to 4% of a company’s global annual revenue or €20 million, whichever is greater.
The regulation’s reach extended well beyond Europe. Many businesses and organizations around the world have had to comply with the regulations in order to do business with EU customers or partners.
The impact of the GDPR extends beyond legal and compliance obligations. It has fostered a cultural shift by increasing public awareness and expectations regarding data privacy rights. Yet 67% of Americans still say they understand little to nothing about what companies do with their personal data, underscoring higher expectations for organizations to handle their personal information responsibly.
Managing GDPR compliance with the right tools
Keeping track of data processing agreements, vendor obligations, and privacy policies across hundreds of contracts is nearly impossible to do manually. As technology and data use continue to evolve, so do compliance requirements, which means your contract management processes need to keep pace. It’s no surprise that according to Gartner’s AI, Contract Analytics Stand Out on 2H25 GC Agenda report, nine percent of general counsel rank the use of contract analytics and technology tools as their most urgent priority for the next six months to help uncover risks and accelerate processes.
Most CLM platforms help teams store and organize their contracts in one place. Ironclad lets you track data processing agreements, monitor vendor obligations, and manage compliance workflows automatically. By centralizing your agreements, you can easily prove accountability and keep your data practices secure. Request a demo today.
Frequently asked questions about GDPR
The seven main principles are lawfulness, fairness, and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability. These principles form the foundation of how organizations must handle personal data and inform every other provision of the regulation.
The US does not have a single federal equivalent to the GDPR. Instead, privacy is regulated at the state level. The most well-known equivalent is the California Consumer Privacy Act (CCPA), which gives California residents similar rights over their personal data. Other states like Virginia, Colorado, and Connecticut have enacted their own privacy laws as well.
While the GDPR is complex, its core components generally revolve around data protection principles, individual data rights, accountability and governance measures, and strict rules for cross-border data transfers. These components work together to create a comprehensive framework for protecting personal information.
A data processing agreement is a legally binding contract between a data controller and a data processor. It outlines exactly how the processor will handle, store, and protect personal data to ensure they meet GDPR standards. The GDPR requires these agreements whenever you share personal data with a third party that processes it on your behalf.
A data controller decides why and how personal data is processed—they determine the purposes and means of processing. A data processor is a third party that processes the data on behalf of the controller, following the controller’s instructions. Both have strict obligations under the GDPR, but the controller holds the primary responsibility for compliance.
Ironclad is not a law firm, and this post does not constitute or contain legal advice. To evaluate the accuracy, sufficiency, or reliability of the ideas and guidance reflected here, or the applicability of these materials to your business, you should consult with a licensed attorney. Use of and access to any of the resources contained within Ironclad’s site do not create an attorney-client relationship between the user and Ironclad.
Sources
- Gartner, Most GC Pursue a Costly & Ineffective Contract Analytics Strategy, James Crocker, Rachel Pakianathan, and Rithika Lanka, 24 February 2026.
- Gartner, AI, Contract Analytics Stand Out on 2H25 GC Agenda, Dian Zhang and Laura Cohn, 1 August 2025.



