In a nutshell
GDPR (and UK GDPR) sets the rules for collecting, storing and using personal data about people in the EU and UK. It gives individuals strong rights and regulators sharp teeth.
The case for action
Why your organisation needs GDPR
The upside
What your organisation gains
Avoid fines of up to €20m or 4% of global annual turnover, whichever is higher (£17.5m under UK GDPR).
Build customer trust through transparent data practices.
Reduce breach impact with a clear incident-response playbook.
Make marketing, HR and product teams safer by default.
Scope
Who it covers — and where
Who it applies to
Any organisation established in the EU or UK, and any organisation elsewhere that offers goods or services to, or monitors the behaviour of, people in the EU or UK. That includes SMEs, charities and sole traders; there is no size threshold.
Where it applies
EU, UK, and any organisation worldwide targeting EU/UK individuals.
Timing
When you need to act
Applied since 25 May 2018 (UK GDPR since 1 January 2021). Compliance is continuous, not a one-off project.
The path forward
Your roadmap to compliance
A practical journey — not a bureaucratic checklist. Tackle these stages in order and you'll move from "we should look into this" to ready.
1. Map your personal data: what you hold, why you hold it, where it lives, who can access it and how long you keep it.
2. Identify and record a lawful basis for each processing activity.
3. Update your privacy notices and cookie banners so they reflect what you actually do.
4. Sign data processing agreements (Article 28 contracts) with every processor that handles personal data for you.
5. Set up processes for data subject requests (access, erasure, portability, etc.) and answer them within one month of receipt, extendable by two further months for complex requests.
6. Train staff and run a breach response drill; a personal data breach that risks individuals must be reported to the regulator within 72 hours of becoming aware of it.
7. Appoint a DPO if required (public authorities, and organisations whose core activities involve large-scale monitoring or large-scale processing of special-category data).
Reality check
Common struggles (and how to fix them)
The struggle
Marketing teams adopt tools that transfer personal data outside the EU/UK without any transfer safeguard in place.
The fix
Maintain a vendor register and, before approving any new tool, check where it processes data and which transfer mechanism covers it: an adequacy decision, EU SCCs (with the UK Addendum) or the UK IDTA.
The struggle
Subject access requests overwhelm small teams.
The fix
Build a simple intake template and a one-month response workflow (with identity verification and a clock that starts on receipt) before you get your first one.
Quick answers
Frequently asked questions