What Is GDPR? The EU Data Protection Regulation Explained for Tech Companies
The GDPR — General Data Protection Regulation (EU Regulation 2016/679) — is the European Union's comprehensive data protection law that sets strict requirements for how organizations collect, process, store, and transfer personal data belonging to individuals in the EU and European Economic Area (EEA). Enacted in 2018, GDPR replaced the 1995 EU Data Protection Directive and fundamentally changed the global data privacy landscape — applying to any company worldwide that processes EU residents' personal data, regardless of where the company itself is based, with maximum fines of €20 million or 4% of global annual turnover (whichever is higher).
TL;DR — Key Takeaways
- GDPR applies to any organization that processes personal data of EU residents — including US companies with EU customers or users
- Personal data under GDPR is broadly defined: names, email addresses, IP addresses, cookie identifiers, location data, and more all qualify
- There are six lawful bases for processing personal data — and you must identify the correct one before collecting data, not after
- Data subjects (the individuals whose data you hold) have eight rights — including the right to access, correction, deletion ("right to be forgotten"), and data portability
- Data Processing Agreements (DPAs) are required with all data processors (vendors, SaaS tools) that handle EU personal data on your behalf
- Fines are substantial: up to €20 million or 4% of global annual revenue, plus reputational damage and regulatory scrutiny
- GDPR does not just apply to EU-based companies — any company with EU users or customers must comply
Who Does GDPR Apply To?
GDPR's territorial scope is broader than most organizations initially realize. It applies to:
Organizations established in the EU/EEA: Any company with an office, subsidiary, or establishment in an EU member state must comply with GDPR for all personal data processing activities.
Organizations outside the EU that offer goods or services to EU residents: If you operate a SaaS platform, website, or app that EU residents can use — even if you never specifically target Europe — GDPR likely applies. Indicators include accepting payment in euros, offering an EU-language version of your site, or otherwise demonstrating awareness that users are in the EU.
Organizations that monitor EU residents' behavior: Companies that use tracking technologies (analytics, advertising pixels, behavioral targeting) applied to EU users are within GDPR scope.
The practical implication for US SaaS companies: If you have any EU customers or users, GDPR applies to you. It is not optional, and ignorance of the law does not prevent fines.
What Is Personal Data Under GDPR?
GDPR defines personal data as "any information relating to an identified or identifiable natural person." This is intentionally broad:
| Data Type | GDPR Personal Data? |
|---|---|
| Name and email address | Yes |
| IP address | Yes (in most cases) |
| Cookie identifiers | Yes |
| Device IDs | Yes |
| Location data | Yes |
| User account data | Yes |
| Employment records | Yes |
| Pseudonymized data (if re-identification is possible) | Yes |
| Aggregated, fully anonymized data | No |
Special categories of personal data (requiring stricter handling):
- Health and medical data
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data
- Sexual orientation
Special category data can only be processed under specific, narrowly defined conditions.
The Six Lawful Bases for Processing Personal Data
This is the conceptual heart of GDPR. Before you collect or use personal data, you must identify which of the six lawful bases justifies that processing:
| Lawful Basis | When It Applies | Common Use Case |
|---|---|---|
| Consent | The individual has given clear, freely given, specific, informed, and unambiguous consent | Newsletter subscriptions, marketing emails, non-essential cookies |
| Contract | Processing is necessary to perform a contract with the individual | Account creation, service delivery, billing |
| Legal obligation | Processing is required by law | Tax records, employment law compliance, fraud prevention |
| Vital interests | Processing is necessary to protect someone's life | Emergency health services |
| Public task | Processing is necessary for a task carried out in the public interest | Government agencies, public health authorities |
| Legitimate interests | Processing is necessary for your legitimate interests or those of a third party, unless overridden by the individual's rights | Fraud prevention, network security, B2B marketing (with caveats) |
Critical note on consent: GDPR consent must be freely given (not bundled with service terms), specific (granular — not one blanket consent), informed (clear explanation of purpose), and unambiguous (active opt-in — pre-ticked boxes do not qualify). You must also maintain records of consent and allow it to be withdrawn as easily as it was given.
Critical note on legitimate interests: This basis is frequently misused. Legitimate interests requires a three-part test: the interest must be legitimate, necessary, and not overridden by the individual's rights. It should never be used as a default catch-all.
The Eight Rights of Data Subjects
Individuals whose data you hold have these rights, which you must be operationally prepared to honor within the required timeframes (generally 30 days):
| Right | What It Means | Operational Requirement |
|---|---|---|
| Right to be informed | Individuals must be told how their data is used at the time of collection | Privacy notice / privacy policy; fair processing information |
| Right of access | Individuals can request a copy of their personal data (Subject Access Request / SAR) | Process to receive, verify, and respond to SARs within 30 days |
| Right to rectification | Individuals can request correction of inaccurate or incomplete data | Data correction workflow |
| Right to erasure (right to be forgotten) | Individuals can request deletion of their data under certain conditions | Data deletion capability across all systems and backups |
| Right to restrict processing | Individuals can request that processing be paused while a dispute is resolved | Ability to flag and restrict data without deleting it |
| Right to data portability | Individuals can receive their data in a machine-readable format | Data export in JSON, CSV, or other portable format |
| Right to object | Individuals can object to processing based on legitimate interests or for direct marketing | Opt-out mechanism; suspension of processing upon objection |
| Rights related to automated decision-making | Individuals can request human review of automated decisions with significant effects | Review process for algorithmic decisions affecting individuals |
Key GDPR Organizational Requirements
Privacy Notices
Required at the point of data collection. Must disclose: what data is collected, the lawful basis, how long it is retained, who it is shared with, international transfer mechanisms if applicable, and data subject rights.
Data Processing Agreements (DPAs)
Mandatory with every vendor, SaaS tool, or service provider that processes EU personal data on your behalf (data processors). DPAs must specify: the nature and purpose of processing, data types and categories, your obligations as controller, processor obligations (security measures, subprocessor restrictions, breach notification), and data deletion/return obligations.
Records of Processing Activities (RoPA)
Organizations with more than 250 employees, or that process sensitive data or data likely to result in a risk to individuals, must maintain a written record of all processing activities.
Data Protection Officer (DPO)
Required for: public authorities, organizations that systematically monitor individuals at large scale, or organizations that process special category data at large scale. Many tech companies appoint a DPO voluntarily as a best practice even when not strictly required.
Data Protection Impact Assessments (DPIAs)
Required before implementing new processing activities that are likely to result in a high risk to individuals — including large-scale processing of special category data, systematic monitoring, or use of new technologies.
Breach Notification
- To the supervisory authority: Within 72 hours of becoming aware of a personal data breach that is likely to result in a risk to individuals
- To affected individuals: Without undue delay when the breach is likely to result in a high risk to their rights and freedoms
International Data Transfers
Transferring EU personal data outside the EU/EEA to countries that the European Commission has not deemed to provide "adequate" data protection (including, in most cases, the United States) requires a legitimate transfer mechanism:
| Transfer Mechanism | Description |
|---|---|
| Standard Contractual Clauses (SCCs) | EU Commission-approved model contracts between data exporters and importers; most common mechanism for EU-US transfers |
| Binding Corporate Rules (BCRs) | For intra-group transfers within multinationals; require regulatory approval |
| Adequacy decisions | Countries with EU-equivalent data protection laws (UK post-Brexit, Japan, Canada, etc.) — no additional mechanism needed |
| EU-US Data Privacy Framework (DPF) | Certification program for US companies; allows data transfers from EU to certified US organizations |
| Derogations | Explicit consent, vital interests, public interest — narrow exceptions for specific circumstances |
For most SaaS companies using US-based cloud infrastructure and serving EU customers, SCCs are the standard mechanism for legitimizing international data transfers.
GDPR vs. CCPA: The Key Differences
| | GDPR | CCPA (California) |
|---|---|---|
| Geographic scope | EU/EEA residents | California residents |
| Coverage | Any organization processing EU personal data | Companies above revenue/data volume thresholds |
| Lawful basis required | Yes — must identify one of six bases | No — opt-out model (data can be sold unless consumer opts out) |
| Consent model | Opt-in for marketing and special categories | Opt-out for data sale/sharing |
| Data subject rights | Eight rights | Right to know, delete, opt-out, non-discrimination |
| Private right of action | Limited — data breach cases | Yes — data breach cases |
| Fines | Up to 4% of global annual revenue | Up to $7,500 per intentional violation |
| DPO required? | Sometimes | No equivalent |
| Data transfer rules | Strict international transfer requirements | Not a primary focus |
Companies with global operations and EU + California users typically need both GDPR and CCPA compliance. The frameworks overlap in many areas (privacy notices, data deletion, data access rights) but have meaningful differences in approach that require distinct compliance activities.
How QuickTrust Helps With GDPR Compliance
GDPR compliance for a SaaS company requires both legal framework understanding and technical implementation — data mapping, access controls, encryption, breach detection, and the ability to honor data subject requests. QuickTrust's security engineers implement the technical controls alongside structured compliance documentation:
What QuickTrust delivers for GDPR:
- Data mapping and RoPA — Identify and document all personal data flows across your systems, third-party integrations, and cloud infrastructure
- Lawful basis analysis — Map each processing activity to the correct lawful basis; identify and remediate misaligned processing
- Privacy notice and policy development — Draft GDPR-compliant privacy notices, cookie policies, and data retention policies
- DPA management — Identify all data processors; execute and maintain Data Processing Agreements; review subprocessor chains
- Technical safeguards implementation — Engineers configure encryption, access controls, audit logging, data minimization controls, and deletion capabilities
- SCC implementation — Establish appropriate international transfer mechanisms for EU-US data flows
- Data subject request workflow — Build the operational processes to receive, verify, and respond to SARs, erasure requests, and portability requests within 30-day deadlines
- Breach detection and notification — Implement monitoring to detect personal data breaches; build the 72-hour notification workflow
Result: Technical and operational GDPR compliance. 90% reduction in engineering time. 100% audit pass rate on related security certifications.
GDPR FAQ
Do US companies need to comply with GDPR?
Yes, if they process personal data of EU residents. GDPR's territorial scope explicitly covers companies outside the EU that offer goods or services to EU residents or monitor EU residents' behavior. The nationality or location of the company is irrelevant — what matters is whether EU residents' personal data is being processed.
What is the difference between a data controller and a data processor?
A data controller determines the purposes and means of processing personal data — typically the company that collected the data and decides how to use it. A data processor processes personal data on behalf of the controller — typically a SaaS vendor, cloud provider, or analytics platform. Controllers bear primary GDPR accountability; processors have specific obligations defined by the GDPR and the DPA they sign with the controller.
Does GDPR require explicit consent for all data processing?
No — consent is just one of six lawful bases. Many routine business activities (processing data to fulfill a contract, maintaining employee records, fraud prevention) rely on contract performance, legal obligation, or legitimate interests rather than consent. Overusing consent creates problems — because consent can be withdrawn at any time.
What is a GDPR "right to be forgotten" and how technically complex is it?
The right to erasure requires organizations to delete an individual's personal data when the legal basis for processing no longer exists or when the individual withdraws consent (and no other lawful basis applies). Technically, this requires the ability to identify all locations where an individual's data is stored — across primary databases, backups, analytics systems, and third-party integrations — and delete it. Backups present a particular challenge; organizations must develop policies for handling deletion requests against backup data.
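The erasure workflow described above, as an added illustration (example code written for this page, not QuickTrust's own): it assumes the controller keeps a registry of every store holding a subject's data (the output of data mapping / RoPA), fans each request out to all of them, and handles the backup problem with a deletion ledger that is replayed after any restore so erased subjects do not resurface.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class DataStore:
    """One system that holds personal data (primary DB, analytics, etc.)."""
    name: str
    records: Dict[str, dict] = field(default_factory=dict)  # subject_id -> data

    def delete_subject(self, subject_id: str) -> bool:
        return self.records.pop(subject_id, None) is not None


@dataclass
class ErasureOrchestrator:
    stores: List[DataStore]                        # every registered store (hypothetical registry)
    ledger: Set[str] = field(default_factory=set)  # erased subject ids, replayed on restore
    audit: List[str] = field(default_factory=list)

    def erase(self, subject_id: str) -> Dict[str, bool]:
        """Fan the erasure request out to all registered stores and record the outcome."""
        results = {s.name: s.delete_subject(subject_id) for s in self.stores}
        self.ledger.add(subject_id)
        self.audit.append(f"erased {subject_id}: {results}")
        return results

    def restore_backup(self, store: DataStore, snapshot: Dict[str, dict]) -> int:
        """Restore a store from a backup snapshot, then re-apply the deletion ledger."""
        store.records = dict(snapshot)
        reapplied = sum(store.delete_subject(sid) for sid in self.ledger)
        self.audit.append(f"restored {store.name}, reapplied {reapplied} erasures")
        return reapplied


def demo() -> tuple:
    # Constructed sample data: two stores, one backup taken before the request
    primary = DataStore("primary_db", {"u1": {"email": "a@example.com"},
                                       "u2": {"email": "b@example.com"}})
    analytics = DataStore("analytics", {"u1": {"events": 12}})
    snapshot = dict(primary.records)
    orch = ErasureOrchestrator([primary, analytics])
    results = orch.erase("u1")                       # deleted from every store
    reapplied = orch.restore_backup(primary, snapshot)  # u1 must not come back
    return results, reapplied, sorted(primary.records)
```

Third-party processors would be represented as stores whose `delete_subject` calls the vendor's deletion API, so the same ledger and audit trail cover them.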
Can GDPR fines be applied to a small company?
Yes. GDPR's fine calculation is based on global annual revenue (not profit or local revenue), which means even small companies can face meaningful fines relative to their size. Supervisory authorities have fined companies of all sizes — from small businesses to global corporations. However, in practice, enforcement has concentrated heavily on larger organizations and significant violations. Small companies should still comply, but the risk calculus differs from a company processing data at scale.
Ready to Get Your GDPR Compliance Checklist?
Whether you're a US SaaS company newly facing EU customer requirements or a growing platform preparing for your first GDPR compliance review, QuickTrust's team implements the technical controls and documentation framework so you can demonstrate compliance with confidence.
Get your GDPR compliance checklist at trust.quickintell.com
Engineering-included. Policy-complete. 100% audit pass rate.