GDPR - Overview
The General Data Protection Regulation (GDPR), Regulation (EU) 2016/679, is the European Union's comprehensive data protection law that governs the processing of personal data of individuals within the EU and the European Economic Area (EEA) [cite:536][cite:539]. Effective since May 25, 2018, GDPR replaced the 1995 Data Protection Directive and established a unified, directly applicable legal framework across all EU/EEA member states [cite:536]. It is the most significant and far-reaching data protection regulation in the world, with extraterritorial scope that applies to any organisation — regardless of location — that processes personal data of individuals who are physically in the EU [cite:527][cite:520]. Through March 2025, data protection authorities (DPAs) across the EU have imposed a cumulative €5.65 billion in fines across 2,245 enforcement actions, with the largest single fine reaching €1.2 billion against Meta Platforms for insufficient legal basis for data transfers [cite:537]. GDPR is built on seven foundational principles (lawfulness/fairness/transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity/confidentiality, and accountability) and grants individuals eight enforceable rights over their personal data [cite:536][cite:520]. The regulation's intersection with ISO 27001 is particularly tight — ISO 27001's information security management system provides the technical and organisational control framework that satisfies GDPR Article 32 (security of processing), and organisations frequently implement both simultaneously [cite:535][cite:538]. For AI systems, GDPR Article 22 imposes specific restrictions on automated decision-making, including profiling that produces legal or similarly significant effects — a provision with direct implications for any AI deployment processing personal data of EU residents [cite:566][cite:569].
GDPR - What It Is
Structure
The GDPR contains 99 articles organised across 11 chapters [cite:536]:
| Chapter | Title | Key Articles |
|---|---|---|
| I | General provisions | Art. 1–4: Subject matter, scope, definitions |
| II | Principles | Art. 5–11: Processing principles, lawful bases, consent, special categories |
| III | Rights of the data subject | Art. 12–23: Transparency, access, rectification, erasure, portability, objection, automated decision-making |
| IV | Controller and processor | Art. 24–43: Obligations, DPO, security, DPIA, codes of conduct, certification |
| V | Transfers to third countries | Art. 44–50: Adequacy, SCCs, BCRs, derogations |
| VI | Independent supervisory authorities | Art. 51–59: DPA establishment, independence, competence |
| VII | Cooperation and consistency | Art. 60–76: One-stop shop, EDPB, dispute resolution |
| VIII | Remedies, liability, penalties | Art. 77–84: Complaints, judicial remedy, compensation, fines |
| IX | Specific processing situations | Art. 85–91: Expression, public access, employment, research, religion |
| X | Delegated and implementing acts | Art. 92–93 |
| XI | Final provisions | Art. 94–99 |
Key Definitions
- Personal data — Any information relating to an identified or identifiable natural person ("data subject"), including name, identification number, location data, online identifiers (IP address, cookie IDs), and factors specific to physical, physiological, genetic, mental, economic, cultural, or social identity [cite:520][cite:536]
- Processing — Any operation performed on personal data, including collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, restriction, erasure, or destruction [cite:536]
- Controller — The natural or legal person, public authority, agency, or other body which determines the purposes and means of processing personal data [cite:536]
- Processor — A natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller [cite:536]
- Special categories of data — Personal data revealing racial or ethnic origin, political opinions, religious/philosophical beliefs, trade union membership, genetic data, biometric data for identification purposes, health data, and data concerning sex life or sexual orientation. Processing is prohibited unless a specific exception applies (Article 9) [cite:536]
GDPR - Who It Applies To
Territorial Scope (Article 3)
GDPR applies to [cite:527][cite:536]:
- Establishment in the EU — Any organisation with an establishment in the EU/EEA, regardless of whether the processing takes place in the EU
- Offering goods/services to individuals in the EU — Any organisation outside the EU that offers goods or services (whether paid or free) to data subjects who are in the EU
- Monitoring behaviour of individuals in the EU — Any organisation outside the EU that monitors the behaviour of data subjects who are in the EU (e.g., tracking, profiling, analytics)
This extraterritorial reach means that any organisation processing personal data of individuals who are in the EU must comply, regardless of where it is headquartered. Note that Article 3(2) turns on the data subject's presence in the EU, not on residence or nationality [cite:527][cite:536].
Key Roles
| Role | GDPR Responsibilities |
|---|---|
| Data controller | Determines purposes and means of processing; ensures compliance with all GDPR principles; implements appropriate TOMs; responds to data subject requests; reports personal data breaches to the DPA without undue delay and, where feasible, within 72 hours of becoming aware, unless the breach is unlikely to result in a risk to individuals (Art. 33) [cite:536][cite:564] |
| Data processor | Processes data only on controller's instructions; implements security measures (Art. 32); assists controller with DPIA, breach notification, and data subject rights; maintains records of processing activities [cite:536] |
| Data Protection Officer (DPO) | Mandatory for public authorities, large-scale monitoring operations, and large-scale special-category processing; advises on compliance; monitors implementation; serves as contact point for DPA and data subjects [cite:536][cite:544] |
| EU Representative | Required for non-EU controllers/processors offering goods/services to, or monitoring the behaviour of, individuals in the EU (Art. 27), subject to the exemptions in Art. 27(2); acts as local contact point for DPAs and data subjects [cite:568] |
| Data subjects | Individuals whose personal data is processed; hold enforceable rights under Chapter III [cite:536] |
Supervisory Authorities (DPAs)
Each EU/EEA member state has one or more independent supervisory authorities responsible for monitoring GDPR compliance, investigating complaints, and imposing penalties [cite:536]. The European Data Protection Board (EDPB) coordinates cross-border enforcement through the "one-stop shop" mechanism, where the DPA in the country of the controller's main establishment serves as the lead authority [cite:537].
GDPR - What It Requires - Principles and Lawful Basis
Seven Principles of Data Processing (Article 5)
All personal data processing must comply with these principles [cite:536][cite:520]:
| Principle | Requirement |
|---|---|
| Lawfulness, fairness, and transparency | Processing must have a lawful basis, be fair to data subjects, and be transparently communicated [cite:536] |
| Purpose limitation | Data must be collected for specified, explicit, and legitimate purposes and not further processed incompatibly [cite:536] |
| Data minimisation | Data collected must be adequate, relevant, and limited to what is necessary for the stated purpose [cite:536] |
| Accuracy | Personal data must be accurate and, where necessary, kept up to date; inaccurate data must be erased or rectified without delay [cite:536] |
| Storage limitation | Data must be kept in identifiable form no longer than necessary for the purposes for which it is processed [cite:536] |
| Integrity and confidentiality | Data must be processed in a manner ensuring appropriate security, including protection against unauthorised/unlawful processing and accidental loss/destruction/damage [cite:536] |
| Accountability | The controller must be able to demonstrate compliance with all six principles above (Art. 5(2)) [cite:536] |
The accountability principle is critical — it shifts the burden of proof to the controller. Organisations must not only comply but must be able to prove they comply through documented policies, procedures, DPIAs, records of processing activities, and audit trails [cite:536][cite:520].
Six Lawful Bases for Processing (Article 6)
At least one lawful basis must apply to every processing activity [cite:533][cite:542][cite:539]:
| Lawful Basis | Description | Key Requirements |
|---|---|---|
| (a) Consent | Data subject has given clear, specific, informed, and unambiguous consent | Must be freely given; easy to withdraw; cannot be bundled with other terms; records must prove consent was obtained [cite:533][cite:542] |
| (b) Contract | Processing is necessary for performance of a contract with the data subject or pre-contractual steps | Must be genuinely necessary, not merely convenient [cite:542] |
| (c) Legal obligation | Processing is necessary to comply with a legal obligation on the controller | Must be a specific legal requirement, not a general obligation [cite:542] |
| (d) Vital interests | Processing is necessary to protect the vital interests of the data subject or another person | Limited to life-or-death situations; rarely applicable [cite:539] |
| (e) Public task | Processing is necessary to perform a task in the public interest or exercise official authority | Applicable primarily to public authorities [cite:539] |
| (f) Legitimate interests | Processing is necessary for the legitimate interests of the controller or a third party, balanced against the rights of the data subject | Requires a balancing test; not available to public authorities for core tasks [cite:539][cite:542] |
GDPR - What It Requires - Data Subject Rights
Chapter III grants individuals eight enforceable rights [cite:536][cite:531]:
| Right | Article | Description |
|---|---|---|
| Right to be informed | Art. 13–14 | Transparent information about how data is collected, processed, stored, shared, and for how long [cite:536] |
| Right of access | Art. 15 | Right to obtain a copy of personal data and related processing information [cite:536] |
| Right to rectification | Art. 16 | Right to have inaccurate personal data corrected or incomplete data completed [cite:536] |
| Right to erasure ("right to be forgotten") | Art. 17 | Right to have personal data erased under specified conditions (consent withdrawn, data no longer necessary, unlawful processing, etc.) [cite:536] |
| Right to restriction of processing | Art. 18 | Right to restrict processing when accuracy is contested, processing is unlawful, or data is no longer needed but required for legal claims [cite:536] |
| Right to data portability | Art. 20 | Right to receive personal data in a structured, commonly used, machine-readable format and transmit it to another controller [cite:536] |
| Right to object | Art. 21 | Right to object to processing based on legitimate interests or public task, including profiling; absolute right to object to direct marketing [cite:536] |
| Rights related to automated decision-making | Art. 22 | Right not to be subject to solely automated decisions producing legal or similarly significant effects (see dedicated section below) [cite:566][cite:572] |
Controllers must respond to data subject requests within one month, extendable by two months for complex or numerous requests [cite:536]. No charge may be imposed except for manifestly unfounded or excessive requests [cite:536].
GDPR - What It Requires - Security of Processing (Article 32)
Article 32 requires controllers and processors to implement appropriate technical and organisational measures (TOMs) to ensure a level of security appropriate to the risk [cite:564][cite:570].
Required Security Measures
Article 32(1) specifies, as appropriate [cite:570][cite:567]:
- (a) Pseudonymisation and encryption of personal data
- (b) Confidentiality, integrity, availability, and resilience of processing systems and services on an ongoing basis
- (c) Ability to restore availability and access to personal data in a timely manner after a physical or technical incident
- (d) Regular testing, assessing, and evaluating the effectiveness of technical and organisational measures
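Art. 32(1)(a) names pseudonymisation as a measure, and the practitioner's question is what counts. Under the Art. 4(5) definition, pseudonymised data can no longer be attributed to a person without additional information that is kept separately and protected. The following is an added example (not code from the original page) in Python's standard library only, illustrating why an unkeyed hash of an e-mail address fails that test while a keyed pseudonym with the key held apart meets it. The sample records, the attacker dictionary, and the per-purpose keys are constructed for the example; nothing here is drawn from a real dataset.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# Constructed sample dataset: made-up data subjects, not real people.
SAMPLE_RECORDS = [
    {"email": "alice@example.com", "age_band": "30-39", "plan": "pro"},
    {"email": "bob@example.com", "age_band": "20-29", "plan": "free"},
    {"email": "carol@example.com", "age_band": "40-49", "plan": "pro"},
]

# Constructed attacker dictionary: identifiers an attacker might plausibly guess.
ATTACKER_DICTIONARY = ["alice@example.com", "bob@example.com", "dave@example.com"]


def naive_hash(identifier: str) -> str:
    """Unkeyed SHA-256. Deterministic and computable by anyone, so for a
    low-entropy identifier (e-mail, phone, national ID) it is reversible by
    dictionary attack and is NOT adequate pseudonymisation."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def pseudonymise(identifier: str, key: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256). Reversing it needs the key, which is
    the 'additional information kept separately' of Art. 4(5)."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def dictionary_attack(target: str, candidates: Iterable[str],
                      transform: Callable[[str], str]) -> Optional[str]:
    """Try to re-identify a token by pushing guessed identifiers through the
    transform the attacker believes was used. Returns the hit or None."""
    for candidate in candidates:
        if hmac.compare_digest(transform(candidate), target):
            return candidate
    return None


def pseudonymise_records(records: List[dict], key: bytes) -> Tuple[List[dict], Dict[str, str]]:
    """Split a dataset into (a) records carrying only a pseudonym plus the
    analytic attributes, and (b) a lookup table pseudonym -> identifier that
    must be stored and access-controlled separately from (a)."""
    pseudonymised, lookup = [], {}
    for rec in records:
        token = pseudonymise(rec["email"], key)
        lookup[token] = rec["email"]
        pseudonymised.append({"subject_id": token,
                              "age_band": rec["age_band"],
                              "plan": rec["plan"]})
    return pseudonymised, lookup


def reidentify(token: str, lookup: Dict[str, str]) -> Optional[str]:
    """Controlled re-identification: only the holder of the lookup table
    (or the key) can map a pseudonym back to the data subject."""
    return lookup.get(token)


def linkable(records_a: List[dict], records_b: List[dict]) -> bool:
    """True if two pseudonymised datasets share a subject_id, i.e. they can
    be joined. Using a different key per purpose prevents this linkage."""
    ids_a = {r["subject_id"] for r in records_a}
    return any(r["subject_id"] in ids_a for r in records_b)


def demo() -> dict:
    """Run the comparison end to end and return the observations."""
    key_analytics = secrets.token_bytes(32)   # held by the analytics team
    key_marketing = secrets.token_bytes(32)   # a different key for a different purpose

    # 1. Unkeyed hash: the attacker recovers the identifier from a short dictionary.
    naive_hit = dictionary_attack(naive_hash("alice@example.com"),
                                  ATTACKER_DICTIONARY, naive_hash)
    # 2. Keyed pseudonym: the same dictionary attack fails without the key.
    keyed_hit = dictionary_attack(pseudonymise("alice@example.com", key_analytics),
                                  ATTACKER_DICTIONARY, naive_hash)
    # 3. The data set can be analysed without direct identifiers ...
    analytics, lookup = pseudonymise_records(SAMPLE_RECORDS, key_analytics)
    # ... and re-identified only via the separately held table.
    recovered = reidentify(analytics[0]["subject_id"], lookup)
    # 4. A second purpose with its own key yields unlinkable pseudonyms.
    marketing, _ = pseudonymise_records(SAMPLE_RECORDS, key_marketing)
    return {"naive_hit": naive_hit, "keyed_hit": keyed_hit,
            "recovered": recovered, "cross_purpose_linkable": linkable(analytics, marketing)}


if __name__ == "__main__":
    print(demo())
```

The caveat this illustrates is the one DPAs and the EDPB stress: a pseudonym is only as strong as the protection of the key or lookup table, and an attacker who obtains the key is back to the unkeyed case. The data remains personal data for the controller that can re-identify it, so Art. 32 and the rest of the regulation still apply to the pseudonymised set.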
Risk-Based Approach
In determining appropriate measures, organisations must consider [cite:570][cite:567]:
- The state of the art in security technology
- The costs of implementation
- The nature, scope, context, and purposes of processing
- The risk of varying likelihood and severity for the rights and freedoms of individuals
- Risks from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data
ISO 27001 as Article 32 Implementation
Article 32(3) explicitly states that adherence to an approved code of conduct (Art. 40) or an approved certification mechanism (Art. 42) may be used as an element by which to demonstrate compliance [cite:570]. While ISO 27001 is not a GDPR-specific certification and is not an Art. 42 approved mechanism, it is widely recognised by DPAs as evidence of appropriate technical and organisational measures [cite:535][cite:538].
The relationship between ISO 27001 and GDPR Article 32 is particularly tight [cite:535][cite:538]:
| Dimension | GDPR Article 32 | ISO 27001:2022 |
|---|---|---|
| Risk assessment | Must assess risks to rights and freedoms of data subjects | Must assess risks to information security (Clause 6.1.2) [cite:538] |
| Risk treatment | Implement appropriate TOMs based on risk assessment | Implement controls based on risk treatment plan (Clause 6.1.3) [cite:573] |
| Confidentiality, integrity, availability | Explicitly required by Art. 32(1)(b) | CIA triad is the foundation of the ISMS [cite:538] |
| Encryption | Explicitly listed in Art. 32(1)(a) | Annex A.8.24 (use of cryptography) [cite:573] |
| Access control | Implied by integrity and confidentiality requirements | Annex A.5.15–5.18, A.8.2–8.5 [cite:573] |
| Business continuity | Art. 32(1)(c) — restore availability | Annex A.5.30 (ICT readiness for business continuity) [cite:573] |
| Testing effectiveness | Art. 32(1)(d) — regular testing and evaluation | Clause 9.1 (monitoring, measurement, analysis, evaluation) [cite:538] |
| Breach notification | Art. 33–34: 72-hour notification to DPA | Annex A.5.24–5.28 (incident management) [cite:538] |
| Evidence of compliance | Art. 5(2) accountability principle | Clause 7.5 documented information; certification audit trail [cite:535] |
Practical integration: Use the ISO 27001 risk matrix as the foundation, expanded to include the dimension "harm to the data subject." A server failure costs the company money (ISO risk); simultaneously, customer data could be lost (GDPR risk). By assessing both risks together, the DPIA becomes a specific use case of the generic ISO risk assessment [cite:538].
GDPR - What It Requires - Data Protection by Design and Default (Article 25)
Article 25 requires controllers to implement data protection principles from the earliest stages of system and process design [cite:536][cite:540]:
- By design — Take data protection into account throughout the product and data lifecycle, from the determination of means of processing through actual processing. Implement appropriate technical and organisational measures (pseudonymisation, encryption, data minimisation) designed to implement data protection principles effectively [cite:536]
- By default — Ensure that by default, only personal data necessary for each specific purpose is processed. This applies to the amount of data collected, the extent of processing, the storage period, and accessibility. In particular, personal data must not by default be made accessible to an indefinite number of natural persons without the individual's intervention (Art. 25(2)) [cite:536]
DPAs consistently cite failures of data protection by design and default in enforcement actions — Meta's €405M Instagram fine and €265M Facebook data-scraping fine both involved violations of this principle [cite:534][cite:540].
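Article 25(2) is a design requirement, and the concrete pattern it asks for is default deny: a purpose register that states which fields each purpose actually needs and for how long, with everything else denied by default. The block below is an added illustration (not code from the original page) of that pattern in Python's standard library. The purpose register, the sample customer record and the field names are hypothetical and constructed for the example; the retention periods are illustrative, not values the regulation prescribes.

```python
from datetime import datetime, timedelta
from typing import Dict, List

# Hypothetical purpose register (constructed). Each registered purpose lists the
# fields that are necessary for it (data minimisation) and the retention period
# after which those fields are no longer needed for it (storage limitation).
PURPOSE_REGISTER: Dict[str, dict] = {
    "order_fulfilment": {"lawful_basis": "contract",
                         "fields": {"name", "email", "shipping_address", "order_items"},
                         "retention_days": 180},
    "fraud_screening":  {"lawful_basis": "legitimate_interests",
                         "fields": {"order_items", "payment_country", "ip_hash"},
                         "retention_days": 90},
    "product_analytics": {"lawful_basis": "legitimate_interests",
                          "fields": {"order_items", "age_band"},
                          "retention_days": 365},
}

# Record-level metadata that is not itself purpose-bound personal data.
METADATA_FIELDS = {"subject_id", "collected_at"}

# Constructed sample record. Note date_of_birth: no registered purpose needs it
# (age_band already serves analytics), so collecting it breaches minimisation.
SAMPLE_RECORD = {
    "subject_id": "c-1001",
    "collected_at": "2024-01-10T00:00:00+00:00",
    "name": "A. Example",
    "email": "a@example.com",
    "shipping_address": "1 Example Street",
    "order_items": ["widget"],
    "payment_country": "DE",
    "ip_hash": "9f2c0b0a",
    "age_band": "30-39",
    "date_of_birth": "1990-01-01",
}


class UnregisteredPurpose(Exception):
    """Raised when code asks for data for a purpose that was never registered."""


def _purposes_needing(field: str) -> List[str]:
    return [p for p, spec in PURPOSE_REGISTER.items() if field in spec["fields"]]


def project(record: dict, purpose: str) -> dict:
    """Default deny: return only the fields the registered purpose needs.
    An unregistered purpose gets nothing at all (purpose limitation)."""
    if purpose not in PURPOSE_REGISTER:
        raise UnregisteredPurpose(purpose)
    allowed = PURPOSE_REGISTER[purpose]["fields"]
    return {k: v for k, v in record.items() if k in allowed}


def unused_fields(record: dict) -> List[str]:
    """Minimisation finding: fields held that no registered purpose needs."""
    return sorted(f for f in record
                  if f not in METADATA_FIELDS and not _purposes_needing(f))


def fields_due_for_erasure(record: dict, now: datetime) -> List[str]:
    """Field-level storage limitation: a field is due for erasure once the
    longest retention period among the purposes that need it has elapsed.
    A field no purpose needs has no retention at all and is due immediately."""
    collected = datetime.fromisoformat(record["collected_at"])
    due = []
    for field in record:
        if field in METADATA_FIELDS:
            continue
        keep_days = max((PURPOSE_REGISTER[p]["retention_days"]
                         for p in _purposes_needing(field)), default=0)
        if collected + timedelta(days=keep_days) <= now:
            due.append(field)
    return sorted(due)


if __name__ == "__main__":
    print(project(SAMPLE_RECORD, "fraud_screening"))
    print(unused_fields(SAMPLE_RECORD))
    print(fields_due_for_erasure(SAMPLE_RECORD,
                                 datetime.fromisoformat("2024-06-01T00:00:00+00:00")))
```

Two properties make this more than a lookup table. First, a caller cannot obtain a field without naming a registered purpose, so a new use of the data forces a register entry (and with it a lawful-basis decision) before any code ships. Second, retention is evaluated per field rather than per record, so fields kept only for a short-lived purpose such as fraud screening are erased while the fields still needed for fulfilment remain, which is what "storage period" and "extent of processing" in Art. 25(2) require.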
GDPR - What It Requires - Data Protection Impact Assessment (Article 35)
A DPIA is a documented, methodical risk review required before any processing that is likely to result in a high risk to the rights and freedoms of individuals [cite:541][cite:547].
When Is a DPIA Required?
A DPIA is mandatory when processing involves [cite:541]:
- Systematic and extensive evaluation of personal aspects through automated processing, including profiling, with legal/significant effects
- Large-scale processing of special categories of data or criminal conviction data
- Systematic monitoring of publicly accessible areas on a large scale
- Any processing on the DPA's published list of operations requiring a DPIA
DPIA Content (Article 35(7))
A DPIA must contain [cite:541]:
- A systematic description of the processing operations and purposes, including legitimate interests
- An assessment of the necessity and proportionality of the processing in relation to the purposes
- An assessment of the risks to the rights and freedoms of data subjects
- The measures envisaged to address the risks, including safeguards, security measures, and mechanisms to ensure compliance
DPIA and ISO 27001 Integration
The DPIA process maps directly to the ISO 27001 risk assessment and treatment process [cite:538][cite:535]:
- ISO 27001 Clause 6.1.2 (risk assessment) provides the methodology
- The DPIA adds the GDPR-specific lens of "risk to data subjects" (not just risk to the organisation)
- ISO 27001 controls (Annex A) provide the treatment options
- Organisations already implementing ISO 27001 can extend their existing risk methodology to satisfy DPIA requirements [cite:538]
GDPR - What It Requires - International Data Transfers (Chapter V)
Transferring personal data to countries outside the EU/EEA is restricted unless an appropriate safeguard is in place [cite:565][cite:574].
Transfer Mechanisms
| Mechanism | Description | Status |
|---|---|---|
| Adequacy decision (Art. 45) | European Commission determines that a third country ensures an adequate level of protection. Data flows freely without additional safeguards | 16 jurisdictions hold adequacy status as of December 2025, including Japan, South Korea, UK, and certain US commercial organisations under the EU-US Data Privacy Framework [cite:577][cite:571] |
| Standard Contractual Clauses (Art. 46(2)(c)) | Model contractual clauses adopted by the European Commission; four modules cover C2C, C2P, P2P, P2C scenarios | Revised SCCs adopted June 2021; new SCCs for GDPR-subject data importers expected by Q2 2025 [cite:565][cite:568] |
| Binding Corporate Rules (Art. 47) | Internal rules adopted by a multinational group for intra-group transfers | Must be approved by competent DPA; complex process [cite:574] |
| Certification mechanisms (Art. 46(2)(f)) | An approved certification under Art. 42, combined with binding and enforceable commitments from the importer. Schemes such as Global CBPR are sometimes cited as models, but only an Art. 42-approved scheme counts as a GDPR transfer tool | Emerging mechanism; intended to be scalable for cross-border transfers [cite:574] |
| Derogations (Art. 49) | Specific exceptions: explicit consent, contract necessity, public interest, legal claims, vital interests | Limited to occasional, non-systematic transfers; not suitable for large-scale ongoing transfers [cite:574] |
Transfer Impact Assessment (TIA)
Following the Schrems II decision (2020), organisations using SCCs must conduct a Transfer Impact Assessment evaluating whether the laws of the recipient country provide adequate protection, and implement supplementary measures if they do not [cite:574][cite:577].
GDPR - What It Requires - Automated Decision-Making and AI (Article 22)
Article 22 directly restricts AI-driven processing that produces legal or similarly significant effects on individuals [cite:566][cite:572].
The Restriction
Data subjects have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects them [cite:572][cite:569].
Exceptions
Automated decision-making is permitted only when [cite:572]:
- (a) It is necessary for entering into or performing a contract
- (b) It is authorised by EU or member state law with suitable safeguards
- (c) The data subject has given explicit consent
Safeguards Required
When automated decisions are permitted under exceptions (a) or (c), the controller must [cite:572][cite:566]:
- Implement suitable measures to safeguard the data subject's rights and freedoms and legitimate interests
- Provide at minimum the right to obtain human intervention from the controller
- Enable the data subject to express their point of view
- Allow the data subject to contest the decision
AI Implications
For any AI system processing personal data of individuals in the EU and producing legal/significant effects [cite:569][cite:566]:
- Meaningful human oversight must be built into the decision pipeline — purely automated decisions require explicit legal basis
- Transparency about the logic involved, significance, and envisaged consequences must be provided to data subjects at collection (Art. 13(2)(f), 14(2)(g)) and on access request (Art. 15(1)(h))
- DPIAs are mandatory for systematic/extensive automated profiling with legal/significant effects (Art. 35(3)(a))
- Special categories (Art. 9 data) cannot be used in automated decisions unless Art. 9(2)(a) or (g) exceptions apply with suitable safeguards [cite:572]
- Fairness and non-discrimination — the principles of lawfulness, fairness, and transparency require that automated decisions do not produce discriminatory outcomes [cite:569]
This creates a direct regulatory requirement for AI governance frameworks (NIST AI RMF, ISO 42001, EU AI Act) to address GDPR Article 22 compliance as part of their implementation [cite:569].
GDPR - Governance Implications
GDPR is fundamentally a governance regulation — it does not prescribe specific technologies but requires organisations to implement and demonstrably maintain a governance system for personal data protection [cite:536][cite:520].
Accountability Architecture
The accountability principle (Art. 5(2)) and controller obligations (Art. 24) create a governance architecture requiring [cite:536]:
- Documented policies and procedures for data protection
- Records of processing activities (Art. 30)
- Data protection impact assessments (Art. 35)
- Data protection by design and default (Art. 25)
- Appointment of DPO where required (Art. 37–39)
- Data breach notification procedures (Art. 33–34)
- Regular review and updating of measures
Ontic BOM Mapping
- model — AI/ML models processing personal data of individuals in the EU must comply with Article 22 (automated decision-making restrictions), Article 25 (data protection by design), and Article 35 (DPIA for high-risk AI processing). Model governance must include fairness evaluation, explainability mechanisms, and human oversight provisions. The GDPR's so-called "right to explanation" (Art. 13(2)(f), 14(2)(g), 15(1)(h)) requires meaningful information about the logic involved in automated decisions [cite:566][cite:569]
- oracle — Personal data registers, records of processing activities (Art. 30), consent records, data subject request logs, breach registers, and DPIA documentation are GDPR-mandated oracle data. Their accuracy, completeness, and currency are legally required under the accountability principle [cite:536]
- ontology — GDPR defines a specific taxonomy: personal data categories, special categories, processing activities, lawful bases, data subject rights, controller/processor roles, and transfer mechanisms. This taxonomy enables automated compliance checking, cross-framework mapping (GDPR ↔ ISO 27001 ↔ ISO 27701), and consistent regulatory reporting [cite:536]
- system_prompt — For AI systems where prompt configurations influence data processing behaviour (content moderation, customer service bots, recommendation systems), prompt design is a GDPR governance artefact. Prompts that determine what personal data is collected, how it is processed, and what decisions are made must be documented, assessed for compliance, and subject to change management [cite:569]
- gate — GDPR creates regulatory gates: DPIA before high-risk processing (Art. 35), DPA consultation before processing that remains high-risk after mitigation (Art. 36), lawful basis determination before any processing (Art. 6), consent before consent-based processing (Art. 7), and Transfer Impact Assessment before international transfers. These gates are non-negotiable — processing without clearing the required gate is unlawful [cite:541][cite:574]
- security — Article 32 TOMs, encryption requirements, access controls, breach detection and notification, and incident response directly map to the security BOM component. ISO 27001 provides the operational framework; GDPR provides the legal mandate [cite:570][cite:573]
- signed_client — Consent records, DPIA approvals, data processing agreements (Art. 28), DPO designation, and breach notifications require authenticated, traceable documentation. The accountability principle demands provable compliance — organisations must demonstrate (not merely assert) that they comply [cite:536]
E/A/D Axis Integration
| E/A/D Axis | GDPR Articles | Hallmarks | Evidence |
|---|---|---|---|
| Ethical (E) | Art. 5 (processing principles — lawfulness, fairness, transparency), Art. 25 (data protection by design and default), Art. 22 (automated decision-making rights), Art. 35 (DPIA) | Personal data protection is a fundamental right (EU Charter Art. 8); fairness and transparency are legal obligations, not aspirations; individuals have the right to contest automated decisions; high-risk processing requires proactive impact assessment | Privacy notices, lawful basis documentation, DPIA reports, Art. 22 safeguard documentation, fairness assessments for automated processing [cite:536][cite:566] |
| Accountable (A) | Art. 5(2) (accountability principle), Art. 24 (controller obligations), Art. 30 (ROPA), Art. 37–39 (DPO), Art. 28 (processor agreements) | Controllers must demonstrate compliance — the burden of proof is on the organisation; DPO appointment creates independent oversight; records of processing create the accountability register; processor agreements extend accountability through the supply chain | ROPA, DPO appointment records, processor agreements, data protection policies, privacy governance framework documentation, training records [cite:536][cite:520] |
| Defensible (D) | Art. 33–34 (breach notification), Art. 58 (supervisory authority powers), Art. 83 (administrative fines), Art. 35–36 (DPIA + prior consultation), Art. 40–43 (codes of conduct and certification) | 72-hour breach notification creates a documented response trail; DPIAs provide pre-processing risk evidence; codes of conduct and certification (e.g., ISO 27701) create independently verified compliance evidence; the accountability principle makes documentation the primary defense | Breach notification records, DPIA documentation, certification certificates, code of conduct adherence documentation, supervisory authority correspondence, data protection audit reports [cite:543][cite:570] |
GDPR - Enforcement Penalties
Two-Tier Penalty Structure (Article 83)
| Tier | Maximum Fine | Applicable Violations |
|---|---|---|
| Lower tier | Up to €10 million or 2% of global annual turnover, whichever is higher | Controller/processor obligations (Art. 8, 11, 25–39, 42, 43); certification body obligations [cite:543] |
| Upper tier | Up to €20 million or 4% of global annual turnover, whichever is higher | Processing principles (Art. 5–7, 9); data subject rights (Art. 12–22); international transfers (Art. 44–49); member state law requirements [cite:543] |
Enforcement Statistics (Through March 2025)
| Metric | Value |
|---|---|
| Total fines imposed | €5.65 billion [cite:537] |
| Total number of fines | 2,245 [cite:537] |
| Average fine | €2,360,409 across all countries [cite:537] |
| Largest single fine | €1.2 billion — Meta (insufficient legal basis for data transfers, May 2023) [cite:537] |
Top 10 Fines (All Time)
| Controller | Country | Fine (EUR) | Violation | Year |
|---|---|---|---|---|
| Meta (data transfers) | Ireland | €1,200,000,000 | Insufficient legal basis for data processing | 2023 [cite:537] |
| Amazon | Luxembourg | €746,000,000 | Non-compliance with general data processing principles | 2021 [cite:534][cite:537] |
| Meta (Instagram) | Ireland | €405,000,000 | Non-compliance with general data processing principles | 2022 [cite:534][cite:537] |
| Meta (Facebook/Instagram) | Ireland | €390,000,000 | Non-compliance with general data processing principles | 2023 [cite:534][cite:537] |
| TikTok | Ireland | €345,000,000 | Non-compliance with general data processing principles | 2023 [cite:534][cite:537] |
| LinkedIn | Ireland | €310,000,000 | Insufficient legal basis for data processing | 2024 [cite:540][cite:537] |
| Meta (Facebook) | Ireland | €265,000,000 | Insufficient TOMs (data scraping) | 2022 [cite:534][cite:537] |
| Meta (Facebook breach) | Ireland | €251,000,000 | Insufficient TOMs | 2024 [cite:540] |
| WhatsApp | Ireland | €225,000,000 | Insufficient information obligations | 2021 [cite:534] |
| Meta (passwords) | Ireland | €91,000,000 | Insufficient security measures | 2024 [cite:540] |
Most Common Violation Categories
| Violation Category | Cumulative Fines |
|---|---|
| Insufficient legal basis for data processing | Billions (includes Meta €1.2B, Amazon €746M) [cite:537] |
| Non-compliance with general data processing principles | Billions (multiple Meta, TikTok actions) [cite:537] |
| Insufficient technical and organisational measures | €883M+ (includes Meta €265M, numerous smaller fines) [cite:543] |
| Insufficient fulfilment of information obligations | €252M+ (includes WhatsApp €225M) [cite:543] |
| Insufficient fulfilment of data subjects' rights | €103M+ [cite:543] |
GDPR - Intersection With Other Frameworks
ISO 27001 — The Tightest Intersection
GDPR and ISO 27001 are highly complementary — ISO 27001 provides the management system and security controls, GDPR provides the legal framework and data subject rights requirements [cite:535][cite:538].
| GDPR Requirement | ISO 27001 Alignment |
|---|---|
| Art. 32 — Security of processing | Entire ISMS; Annex A controls [cite:573] |
| Art. 25 — Data protection by design | Risk assessment methodology; control selection process [cite:538] |
| Art. 35 — DPIA | Risk assessment (Clause 6.1.2) extended to data subject harm [cite:538] |
| Art. 30 — Records of processing | Clause 7.5 documented information [cite:535] |
| Art. 33–34 — Breach notification | Annex A.5.24–5.28 (incident management) [cite:538] |
| Art. 5(2) — Accountability | Clause 9 (performance evaluation); Clause 10 (improvement); certification [cite:535] |
| Art. 28 — Processor agreements | Annex A.5.19–5.23 (supplier relationships) [cite:573] |
ISO 27701 — Privacy Extension
ISO 27701:2019 extends ISO 27001 with privacy-specific requirements, creating a Privacy Information Management System (PIMS) [cite:573]:
- Maps ISO 27001 controls to GDPR requirements
- Adds privacy-specific controls for controllers and processors
- Provides certifiable framework for demonstrating GDPR compliance
- Designed to be implemented as an extension to an existing ISO 27001 ISMS
Other Framework Intersections
| Framework | Intersection With GDPR |
|---|---|
| ISO 42001 | AI management system must address GDPR Art. 22 (automated decision-making), Art. 25 (privacy by design), Art. 35 (DPIA for AI) [cite:569] |
| NIST AI RMF | Privacy-enhanced characteristic maps to GDPR privacy requirements; MAP 5 (impact identification) aligns with DPIA [cite:513] |
| NIST CSF 2.0 | Protect function (access control, data security) maps to Art. 32 TOMs; Identify function maps to Art. 30 records and Art. 35 DPIA |
| SOC 2 | Privacy trust services criterion directly addresses GDPR-type requirements; security criterion maps to Art. 32 |
| HIPAA | Both regulate processing of sensitive personal/health data; GDPR's broader scope encompasses HIPAA-equivalent protections for EU residents with additional rights |
| PCI DSS | Payment card data is personal data under GDPR; PCI DSS controls satisfy Art. 32 requirements for payment processing contexts |
| EU AI Act | Art. 22 GDPR provides existing legal basis for AI restrictions; EU AI Act adds risk-tiered AI-specific requirements; both apply simultaneously to AI processing personal data in the EU [cite:569] |
| CCPA/CPRA | California's privacy law; narrower scope than GDPR but converging requirements; organisations complying with GDPR typically satisfy most CCPA requirements |
| ISO 37301 | Compliance management system provides the governance framework for managing GDPR as a compliance obligation [cite:325] |
GDPR - Recent Updates
Enforcement Trends (2024–2025)
- 2024 saw three fines in the hundreds of millions: LinkedIn (€310M), Meta (€251M for 2018 breach), Meta (€91M for plaintext passwords) [cite:537][cite:540]
- Cumulative fines crossed €5.65 billion by March 2025 — a €1.17 billion increase from the previous year's report [cite:537]
- DPAs are increasingly scrutinising legitimate interest claims as legal bases, particularly for behavioural advertising and analytics [cite:540]
- Clearview AI fined €30.5M by Dutch DPA for building illegal facial recognition database from scraped images — signaling aggressive enforcement against AI-driven mass surveillance [cite:540]
EU-US Data Privacy Framework (2023)
The EU-US Data Privacy Framework (DPF), adopted July 2023, provides an adequacy decision for transfers to US organisations that self-certify under the framework [cite:574][cite:577]. It replaced Privacy Shield, which the CJEU invalidated in Schrems II (2020), but it faces ongoing legal challenges and uncertainty about its long-term stability.
New Standard Contractual Clauses (2024–2025)
The European Commission launched a consultation in Q4 2024 for new SCCs specifically addressing transfers where the data importer in a third country is already subject to GDPR under Article 3(2) — a scenario the existing 2021 SCCs do not cover [cite:565][cite:568].
AI and GDPR Convergence
- The EU AI Act (effective August 2024, with phased compliance deadlines through 2027) operates alongside GDPR — AI systems processing personal data in the EU must comply with both regulations simultaneously [cite:569]
- EDPB has issued multiple opinions on the intersection of GDPR and AI, particularly regarding lawful basis for training data, automated decision-making under Art. 22, and DPIAs for high-risk AI systems [cite:569]
- National DPAs (particularly Italy's Garante) have taken enforcement action against AI systems (ChatGPT temporary ban, 2023) for GDPR violations including transparency, lawful basis, and children's data protection [cite:540]
Breach Notification Enforcement
DPAs are enforcing the breach notification requirement (Art. 33: without undue delay and, where feasible, within 72 hours of becoming aware) more strictly, with fines for both late notification and incomplete notification, and for failing to keep the internal breach documentation that Art. 33(5) requires. Meta's 2024 €251M fine included violations for failing to fully document and notify a 2018 breach affecting 29 million users [cite:540].