Marketers, business owners, and legal teams know the importance of complying with the GDPR, but the rules can still feel confusing and complex. Do you really need consent for every promotional email you send? How should you handle marketing analytics? What happens if your website or app collects data from EU users without their consent?
This guide is designed to bring you clarity. It focuses on what the regulation really means for your day-to-day operations. We’ve compiled 18 of the most common GDPR questions and addressed them in plain, practical language.
Key takeaways
- The GDPR applies to any organization worldwide that monitors, collects, or processes the personal data of individuals in the EU or EEA, regardless of company size, revenue, or other factors.
- To comply, businesses must process data lawfully, transparently, and for specific communicated purposes, while following the GDPR’s seven principles.
- Individuals have extensive rights over their data, which organizations must respect and facilitate, from access and correction to erasure and objection to processing.
- Noncompliance can lead to severe financial penalties of up to EUR 20 million or four percent of global annual turnover, plus other penalties and reputational damage.
- Tools like Usercentrics’ Consent Management Platform (CMP) help businesses collect and signal valid consent, document compliance, and stay up to date as regulatory requirements evolve.
The most common GDPR questions: What you need to know about the data privacy law
Even years after it was first introduced, the GDPR continues to raise questions for marketers and digital professionals. This section breaks down 18 of the most common GDPR questions with straightforward, real-world answers.
1. What is the GDPR?
The General Data Protection Regulation (GDPR) is a data privacy law introduced in the European Union in 2018. It dictates how organizations can collect, store, and use personal data belonging to residents in the European Union (EU) or European Economic Area (EEA), and gives individuals more control over their data.
The GDPR has extraterritorial scope, so it applies to any company that monitors the behavior of EU/EEA residents or collects and/or processes their personal data. It doesn’t matter whether the organization has a presence in or is based in the EU.
Marketers need a legal basis — of which user consent is one — to process personal data.
2. Why is the GDPR important?
The GDPR is important because it redefined how businesses can use personal data and how customers can expect that data to be treated. Because individuals can limit the data companies can access, or change or withdraw their consent at any time, companies now need comprehensive tools and processes to manage data.
For marketers, this has required completely reshaping strategies and workflows. You can no longer rely on pre-ticked boxes, vague privacy policies, or just doing what you want with data, whenever you want, for whatever purpose. Instead, oftentimes you need explicit, informed consent.
While it’s a framework that can be seen as restrictive, it’s also an opportunity for businesses. Transparency around data processing practices builds trust, and trust builds stronger long-term customer relationships.
3. Who does the GDPR apply to?
The GDPR applies to residents of EU Member States or EEA countries, with regard to privacy rights and data protection, as well as to any organization that collects or processes their personal data, regardless of the organization’s location.
It applies to both data controllers — those who decide how and why data is processed — and data processors — those who handle data on behalf of another company — such as analytics platforms, email providers, or cloud services.
In many cases, however, the controller is ultimately responsible for processing operations, privacy compliance, and data protection by third-party processors that are contracted to it.
4. Does the GDPR apply outside of the EU?
Yes, the GDPR applies to companies outside of the EU. What matters is where your data subjects are located, not where your business operates. The GDPR does not, however, apply to residents of regions outside of the EU/EEA, like the United States or Japan, while they are in those countries.
For example, if you’re an Australia-based e-commerce business with website visitors or customers located in any of the GDPR countries, you need to comply with the regulation. US companies need to comply with the GDPR if they process the personal data of EU or EEA residents, even if operations are entirely stateside.
5. What are the GDPR fines?
GDPR fines are financial penalties that can be imposed on organizations that fail to comply with the regulation, as set out in Art. 83 GDPR. The severity of GDPR enforcement depends on several factors, including the nature of the violation, the company’s cooperation with authorities, and whether the breach was intentional or due to negligence.
Tier one administrative fines can be up to EUR 10 million, or two percent of the company’s annual revenue, whichever is higher. Tier two penalties are doubled, and can reach EUR 20 million, or four percent of annual revenue, whichever is higher.
The GDPR also provides a private right of action for individuals whose rights were violated, so people can sue companies for damages from a data breach or other violation.
The steepest GDPR penalty to date was issued in May 2023, when the Irish Data Protection Commission fined Meta Platforms Ireland Limited EUR 1.2 billion for transferring European Facebook user data to the United States without adequate safeguards, violating the regulation’s data transfer rules.
6. What constitutes personal data under the GDPR?
Art. 4 GDPR defines personal data as any information that relates to an identified or identifiable individual. This includes personal information that can directly identify a data subject, such as names, email addresses, phone numbers, national ID numbers, or online identifiers.
Even data that seems harmless on its own may count as personal data if it can be combined with other information to identify an individual. For example, the combination of a job title, company name, and work location could identify a person within a small organization.
7. What is sensitive personal data?
Sensitive personal data refers to special categories of data that merit processing limitations and stronger protection under the GDPR because they could significantly impact an individual’s fundamental rights and freedoms if compromised.
This includes information about a person’s racial or ethnic origin, political opinions and affiliation, religious or philosophical beliefs, inherent or acquired genetic characteristics, physical or mental health, and sexual orientation, as well as biometric data.
Processing sensitive personal data is generally prohibited unless specific conditions are met. For example, explicit consent from the individual is usually required, or the processing must be necessary for reasons of public interest, healthcare, or to fulfill legal obligations.
8. What are GDPR consent requirements?
Under the GDPR, consent must be freely given, specific, informed, and unambiguous. Individuals must actively agree to the processing of their personal data for a clearly defined purpose, per Art. 7 GDPR and Recital 32.
GDPR-compliant consent must also be specific to each purpose. If you want to use a person’s data for multiple activities, such as both email marketing and personalized advertising, you must obtain separate consent for each purpose.
Additionally, consent must be easy to withdraw at any time. Organizations must provide simple mechanisms for individuals to revoke consent, and those mechanisms should make withdrawing consent as easy as giving it. Ideally, it should be just as easy to change consent preferences without revoking consent entirely.
Finally, businesses need to keep records of consent. These should include who consented, when, and what information they were provided with. These need to be kept up to date over time and should be easy to provide to data protection authorities or individuals making a data subject access request (DSAR).
9. What are the 7 GDPR requirements/principles?
The GDPR includes seven key principles that organizations must follow when processing personal data. These GDPR principles form the foundation of the regulation and guide how data should be collected, used, and stored.
- Lawfulness, fairness, and transparency: Data must be processed legally, fairly, and in a way that is clear to the data subject.
- Purpose limitation: Data should only be collected for specific, explicit, and legitimate purposes, and it must not be used in ways that are incompatible with those purposes. If purposes change, new consent must be obtained (if that’s the legal basis).
- Data minimization: Organizations should only collect and process the personal data necessary for the intended and stated purpose.
- Accuracy: Data must be accurate and kept up to date, and organizations must take reasonable steps to correct or delete inaccurate information, including when notified by a data subject.
- Storage limitation: Personal data should be retained only for as long as necessary to complete the intended purpose, and it must then be securely deleted or irretrievably anonymized.
- Integrity and confidentiality: Data must be processed securely to protect it against unauthorized access, loss, or damage.
- Accountability: Organizations are responsible for complying with these principles and must be able to demonstrate compliance.

10. What are data subject rights under the GDPR?
Under Chapter 3 GDPR, individuals, also known as data subjects, have certain rights that give them control over how their personal data is collected, used, and stored. Data subject rights include:
- Right to be informed: Individuals must be provided with clear and transparent information about how their data is collected and used.
- Right of access: Individuals can request access to their personal data and obtain a copy of it.
- Right to rectification: Individuals can request to correct inaccurate or incomplete data.
- Right to erasure: Also known as the right to be forgotten, individuals can request that their personal data be deleted in certain circumstances.
- Right to restrict processing: Individuals can request that their data is only used in limited ways, or that processing be temporarily halted, e.g., during a complaint investigation.
- Right to data portability: Individuals can request access to their data in a structured, machine-readable format to transfer it to another service.
- Right to object: Individuals can object to the processing of their data for certain purposes, such as direct marketing.
- Rights related to automated decision-making and profiling: Individuals can challenge decisions made solely by automated processes, including profiling.
11. What is a data subject access request (DSAR)?
A data subject access request (DSAR) is an individual’s formal request to exercise their personal data rights. Under the GDPR, individuals have the right to know what data is being collected, how it’s being processed, and for what purposes.
When an organization receives a DSAR, it’s required to provide the requested information in a clear and understandable format, usually within one month of the request. Requests may include copies of personal data, information on data sources, details about who the data has been shared with, and the legal basis for processing it.
12. What is a record of processing activities (RoPA)?
A record of processing activities (RoPA) is a documented inventory of all the ways an organization processes personal data. Under Art. 30 GDPR, most organizations are required to maintain a RoPA to demonstrate accountability and compliance with the regulation.
A RoPA typically includes details such as the types of personal data collected, the purposes for which it’s processed, categories of data subjects, data recipients, storage locations, retention periods, and any third parties involved in processing.
13. What is a data protection impact assessment (DPIA)?
A data protection impact assessment (DPIA) is a process used to identify and minimize the privacy risks associated with the collection, storage, and processing of personal data.
Under Art. 35 GDPR, organizations are required to conduct a DPIA whenever a processing activity is likely to result in a high risk to an individual’s rights and freedoms, particularly when new technologies are in use.
Conducting a risk assessment involves analyzing the types of data processed, the purposes of processing, potential risks to individuals’ privacy, and the measures in place to mitigate those risks.
DPIAs help organizations keep data management secure and compliant, particularly when introducing new technologies, systems, or processes that could impact privacy.
14. Does the GDPR apply to small businesses?
The GDPR applies to small businesses, startups, and sole proprietors, just as it does to larger organizations. Unlike some US data privacy laws, the GDPR does not make compliance obligations depend on the size of a business.
While small businesses may have simpler operations than large corporations, they are still responsible for handling personal data lawfully, securely, and transparently.
The GDPR recognizes that small businesses may have fewer resources, but it does not exempt them from its requirements. Noncompliance can still result in fines and reputational damage, even when it doesn’t make headlines. Small businesses need to understand and adhere to GDPR requirements, albeit on a smaller scale.
15. What is a data protection officer (DPO)?
A data protection officer (DPO) is a professional responsible for overseeing an organization’s data protection strategy and ensuring ongoing compliance with the GDPR and other relevant privacy regulations, frameworks, and policies.
According to Art. 38 GDPR, a DPO serves as the point of contact between the organization, data subjects, and supervisory authorities.
The main responsibilities of a DPO include:
- Monitoring data processing activities
- Advising on GDPR requirements
- Conducting audits
- Providing staff training
- Helping manage data breaches or data subject requests
Not every organization has to appoint a DPO. However, organizations that process large amounts of personal data, handle sensitive information, or monitor individuals systematically are legally required to appoint one under the GDPR.
16. What does the GDPR say about data breaches?
Under the GDPR, a personal data breach is any incident that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data. Organizations are required to have measures in place to detect, communicate, and investigate data breaches promptly.
If a breach is likely to result in a risk to individuals’ rights and freedoms, the organization must notify the relevant data protection authority within 72 hours of becoming aware of the breach, according to Art. 33 GDPR.
Art. 34 GDPR also requires organizations to inform individuals affected by high-risk breaches without undue delay so they can take steps to protect themselves.
17. Does the GDPR require encryption?
The GDPR doesn’t explicitly mandate encryption for all personal data, but Art. 32 GDPR does require organizations to implement appropriate technical and organizational measures to safeguard personal data. Encryption is specifically mentioned as one of the recommended data security measures, particularly when data is stored or transmitted.
The purpose of these measures is to reduce the risk of unauthorized access, loss, or disclosure of personal data. Encryption can help organizations demonstrate compliance with the GDPR’s principle of integrity and confidentiality.
18. Did Brexit affect the GDPR?
Yes, Brexit had an impact on how the GDPR applies in the United Kingdom (UK). After the UK left the EU, the GDPR was incorporated into UK law as the UK GDPR, alongside the UK’s Data Protection Act (DPA) of 2018.
The UK GDPR was initially essentially the same as the EU GDPR, though some minor modifications reflect the UK’s specific legal context, and as UK law evolves — like with the Data (Use and Access) Act coming into force — differences between the two versions are increasing.
Companies that collect, process, or store the data of individuals located across the EU and the UK need to comply with both data protection legislations. Currently there is an adequacy agreement between the two jurisdictions regarding cross-border data transfers.
Achieve GDPR compliance with confidence
GDPR compliance is necessary for any organization that collects or handles the personal data of individuals residing or located in the EU/EEA. While the regulation can seem complex, ongoing compliance is achievable with the right processes, documentation, and tools in place.
Usercentrics provides consent management solutions and resources that support GDPR compliance across organizations’ websites, mobile apps, and other connected platforms.
A geolocation-powered consent management platform (CMP) means that your customers see the right consent banner wherever they’re located (and in their preferred language), so you can collect and record GDPR-compliant consent. Detailed user interaction analytics help you find ways to optimize opt-in rates and better understand your customers’ behavior.
Most importantly, the platform automatically updates as the regulation evolves, helping you avoid risky and potentially costly compliance gaps. With Usercentrics, you can manage consent transparently, reduce your compliance risks, and continue to deliver effective marketing campaigns without compromising on data protection.