GDPR Compliance

The General Data Protection Regulation (GDPR) is the European Union's primary data protection law, governing how organisations collect, process, store, and share personal data. Enforced since May 2018, it applies to any organisation that processes the personal data of EU residents — regardless of where that organisation is based. Fines reach up to €20 million or 4% of global annual turnover, whichever is higher.

What is GDPR?

The General Data Protection Regulation (Regulation (EU) 2016/679) has applied since 25 May 2018, replacing the 1995 Data Protection Directive (95/46/EC). As a regulation it is directly applicable in every EU member state, and through the EEA Agreement in the wider EEA, so one set of data protection rules applies across the bloc. It also reaches controllers and processors established outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU: the so-called "extraterritorial scope" of Article 3(2).

GDPR is built on seven foundational principles: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability. Every data processing activity in your organisation must be defensible against all seven.

The regulation grants individuals eight core rights: the right to be informed, right of access, right to rectification, right to erasure, right to restrict processing, right to data portability, right to object, and rights related to automated decision-making and profiling.

Key GDPR Requirements

The most critical GDPR obligations for businesses. GeraCompliance automates compliance with each.

Lawful Basis & Consent

Every processing activity needs a lawful basis — consent, contract, legal obligation, vital interests, public task, or legitimate interests. When you rely on consent, it must be freely given, specific, informed, and unambiguous. Pre-ticked boxes and bundled consent are not valid.

Data Portability

Individuals have the right to receive the personal data they provided to you in a structured, commonly used, and machine-readable format, and to have it transmitted to another controller where technically feasible. The right applies to processing based on consent or contract that is carried out by automated means. Organisations must respond within one month of the request, extendable by up to two further months for complex or numerous requests, and free of charge unless the request is manifestly unfounded or excessive.

Right to Erasure

The "right to be forgotten" allows individuals to request deletion of their personal data when it is no longer necessary for the purpose it was collected for, when consent is withdrawn, when they object and no overriding legitimate grounds exist, or when processing was unlawful. It is not absolute: data needed to comply with a legal obligation or to establish, exercise or defend legal claims can be retained. Organisations must respond within one month, extendable by two further months for complex requests, and must inform any recipients to whom the data was disclosed of the erasure unless that proves impossible or disproportionate.

Data Protection Officer (DPO)

Certain organisations are required to appoint a DPO: public authorities (other than courts acting in their judicial capacity), organisations whose core activities consist of large-scale, regular and systematic monitoring of individuals, and organisations whose core activities consist of large-scale processing of special categories of data or criminal conviction data. The DPO must have expert knowledge of data protection law and practice, must report to the highest level of management, and may be an employee or an external contractor.

Data Breach Notification

Personal data breaches must be reported to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals' rights and freedoms. A notification made after 72 hours must explain the reasons for the delay. If the breach is likely to result in a high risk to individuals, those individuals must also be notified without undue delay. Processors must notify their controller without undue delay after becoming aware of a breach, and every breach, whether or not it is notified, must be documented internally.

Privacy by Design

Data protection must be built into systems and processes from the start, not bolted on afterwards. Data minimisation, purpose limitation, and storage limitation must be embedded in every product and workflow that handles personal data.

GeraCompliance GDPR Tools

Everything you need to achieve and maintain GDPR compliance, automated.

GDPR Audit

Full automated audit of your data processing activities. Identifies compliance gaps and generates a prioritised remediation plan.

Data Mapping

Automatically map your data flows: what data you collect, where it lives, how it is processed, and who has access. Required for your Records of Processing Activities (RoPA) under Article 30, which most organisations must keep; the exemption for organisations with fewer than 250 employees does not apply where processing is not occasional, is likely to result in a risk to individuals, or involves special categories or criminal conviction data.

Privacy Notice Generator

Generate GDPR-compliant privacy notices tailored to your specific data processing activities and legal bases.

Consent Management

Build and manage compliant consent flows. Track consent records with timestamps and withdrawal mechanisms.
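As an added example (not GeraCompliance code), the following Python sketch shows what a consent record that can survive an audit looks like: an append-only ledger where each grant or withdrawal is a separate event carrying a UTC timestamp, the purpose it covers, the version of the notice the person saw, and how the affirmative act was captured. The field names, the per-purpose rule, and the rejection of pre-ticked defaults are assumptions made for illustration; the page itself only says records carry timestamps and a withdrawal mechanism.

```python
# Added illustrative example of an append-only consent ledger. Not GeraCompliance
# code; field names and validation rules are assumptions for this example.
from __future__ import annotations

import json
from dataclasses import asdict, dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: str          # exactly one purpose per event, so consent stays specific
    action: str           # "granted" or "withdrawn"
    at: datetime          # timezone-aware UTC instant
    notice_version: str   # version of the privacy notice shown at the time
    evidence: str         # how the act was captured, e.g. "unticked checkbox ticked by user"


class ConsentLedger:
    """Append-only log of consent events; the current state is derived, never overwritten."""

    def __init__(self) -> None:
        self._events: list[ConsentEvent] = []

    @staticmethod
    def _now() -> datetime:
        return datetime.now(timezone.utc)

    def _append(self, subject_id: str, purpose, action: str,
                at: Optional[datetime], notice_version: str, evidence: str) -> ConsentEvent:
        at = at or self._now()
        if at.tzinfo is None:
            raise ValueError("timestamps must be timezone-aware (store UTC)")
        # One purpose per event: passing a list or an empty string is rejected,
        # so "bundled" consent cannot be recorded as a single record.
        if not isinstance(purpose, str) or not purpose.strip():
            raise ValueError("one purpose per consent event; call once per purpose")
        ev = ConsentEvent(subject_id, purpose, action, at, notice_version, evidence)
        self._events.append(ev)
        return ev

    def grant(self, subject_id: str, purpose, notice_version: str, evidence: str,
              at: Optional[datetime] = None, *, affirmative_act: bool = True) -> ConsentEvent:
        # Pre-ticked boxes, silence or inactivity are not consent: the caller must
        # assert that the person actively opted in before a grant is recorded.
        if not affirmative_act:
            raise ValueError("consent requires a clear affirmative act; defaults do not count")
        return self._append(subject_id, purpose, "granted", at, notice_version, evidence)

    def withdraw(self, subject_id: str, purpose, evidence: str = "withdrawn by user",
                 at: Optional[datetime] = None) -> ConsentEvent:
        # Withdrawal is its own event, so the trail shows when and how it happened.
        return self._append(subject_id, purpose, "withdrawn", at, "n/a", evidence)

    def has_consent(self, subject_id: str, purpose: str, at: Optional[datetime] = None) -> bool:
        """True if the latest event for (subject, purpose) at or before `at` is a grant.
        No record at all means no consent."""
        at = at or self._now()
        relevant = [e for e in self._events
                    if e.subject_id == subject_id and e.purpose == purpose and e.at <= at]
        if not relevant:
            return False
        latest = sorted(relevant, key=lambda e: e.at)[-1]   # stable sort: ties keep insertion order
        return latest.action == "granted"

    def export(self, subject_id: str) -> str:
        """Full consent history for one person as JSON, for access or portability requests."""
        rows = [asdict(e) | {"at": e.at.isoformat()}
                for e in self._events if e.subject_id == subject_id]
        return json.dumps(rows, indent=2)


if __name__ == "__main__":
    # Constructed sample data, not real records.
    ledger = ConsentLedger()
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    ledger.grant("u1", "marketing_email", "v3", "unticked checkbox ticked by user", at=t0)
    ledger.withdraw("u1", "marketing_email", at=datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc))
    print(ledger.has_consent("u1", "marketing_email"))          # False: withdrawn
    print(ledger.has_consent("u1", "analytics"))                # False: never granted
    print(ledger.export("u1"))
```

The point of the design is that `has_consent` is a point-in-time query over an immutable log: you can answer "did we hold valid consent for this purpose on that date?" for any past date, which is what a supervisory authority will ask, and a withdrawal never destroys the evidence that consent once existed.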

DSR Workflow

Automated Data Subject Request workflows for erasure, portability, access, and objection requests. Tracks deadlines and generates responses.

Breach Response

Structured breach notification workflow. Guides you through 72-hour supervisory authority notification and individual communication requirements.

GDPR FAQ

Does GDPR apply to my business if I'm based outside the EU?

Often, yes. GDPR applies to organisations established outside the EU when they offer goods or services to individuals in the EU, whether or not payment is required, or monitor their behaviour, for example by tracking website visitors with cookies or analytics. Merely being reachable from the EU is not enough on its own; the decisive question is whether you target or track people in the EU.

What counts as personal data under GDPR?

Personal data is any information relating to an identified or identifiable living person. This includes names, email addresses, IP addresses, cookie identifiers, device identifiers, location data, and any other data that can directly or indirectly identify someone. Pseudonymised data (for example, records keyed by a hashed user ID) is still personal data as long as someone holds the means to re-identify the person; only data that is truly anonymised falls outside the regulation.

What are the penalties for GDPR violations?

GDPR fines are tiered. Less serious violations, such as failing to keep records of processing, failing to notify a breach, or neglecting data protection by design, carry fines of up to €10 million or 2% of global annual turnover, whichever is higher. More serious violations, including processing without a lawful basis, breaching the core principles, violating data subject rights, or making unlawful international transfers, carry fines of up to €20 million or 4% of global annual turnover, whichever is higher.

Do I need a Data Protection Officer (DPO)?

You are required to appoint a DPO if you are a public authority, if your core activities require large-scale, regular, and systematic monitoring of individuals, or if you process special categories of data or criminal conviction data at large scale. Many businesses outside these categories appoint one voluntarily.

Run Your GDPR Audit

Find your compliance gaps, generate your Records of Processing Activities, and get a step-by-step remediation plan. Takes 20 minutes.