What Is GDPR? Guide to EU Data Protection in 2026

GDPR explained: what it means, who it applies to, 2026 enforcement data, real fines, compliance checklist, and how to stay compliant.

14 min read · Prospeo Team

What Is GDPR? Everything You Need to Know in 2026

Since May 2018, EU regulators have issued €5.88 billion in GDPR fines. That's not a theoretical number - it's real money pulled from real companies, including Meta, Amazon, TikTok, and hundreds of businesses you've never heard of. Regulators now process an average of 363 breach notifications every single day, and the pace isn't slowing down.

Whether you're running a 10-person SaaS startup or managing compliance at a multinational, the General Data Protection Regulation touches your business the moment you interact with anyone in the EU. Here's what the regulation actually requires, who it applies to, what the real penalties look like, and how to stay on the right side of enforcement.

GDPR Defined in Plain English

GDPR stands for General Data Protection Regulation - formally EU Regulation 2016/679. It's the European Union's data protection law, and it's widely considered the toughest privacy and security regulation in the world.

[Figure: GDPR key stats overview with fines and enforcement data]

The one-sentence version: GDPR gives EU residents control over their personal data and forces organizations to handle that data responsibly, transparently, and securely.

Adopted in April 2016 and enforced starting May 25, 2018, it applies across all 27 EU member states plus the European Economic Area - Iceland, Liechtenstein, and Norway. It replaced the outdated 1995 Data Protection Directive with a single, directly applicable regulation. In practice, that means the law applies automatically across the EU, while still allowing member states to set additional rules in specific "opening clause" areas like employment, research, and the age of digital consent.

Under the regulation, a data subject is any identified or identifiable natural person whose data is being processed - and the entire framework exists to protect their rights.

The short version:

  1. What is it? The EU's data protection law - applies to any organization handling EU residents' data, regardless of where you're based.
  2. Does it apply to me? If you have EU customers, users, or prospects, yes. No size exemption.
  3. What happens if I ignore it? Fines up to €20M or 4% of global revenue. €5.88 billion in fines issued since 2018.

Why the Regulation Exists

The right to privacy in Europe isn't new. It traces back to the 1950 European Convention on Human Rights, which established privacy as a fundamental right. By 1995, the EU had formalized this into the Data Protection Directive - a decent framework for the pre-internet era that became hopelessly outdated as digital data collection exploded.

The scale of the problem is staggering: over 3.2 billion data breach incidents and exposed records have been tracked across GDPR-covered countries since 2004. The 1995 directive simply couldn't handle modern data processing - cloud computing, social media, ad tech, and cross-border data flows made it obsolete. So the regulation was adopted in 2016 and became enforceable on May 25, 2018, creating a single, binding framework with real teeth: massive fines, extraterritorial reach, and individual rights that companies can't ignore.

Who Does GDPR Apply To?

Here's where most companies get it wrong: the regulation doesn't care where your headquarters are. It cares where your users are.

[Figure: GDPR applicability flowchart showing who must comply]

This is one of the most common confusion points we see - US companies routinely assume it doesn't apply to them because they have no EU office. The consensus on r/startups and r/legaladvice threads backs this up: founders are constantly surprised to learn their SaaS tool with a handful of European users triggers full compliance obligations.

The regulation applies to two categories of organizations. Controllers decide why and how personal data gets processed - that's you if you collect customer emails, run analytics, or build prospect lists. Processors handle data on a controller's behalf - think your CRM vendor, email service provider, or cloud hosting company. Both have obligations, though controllers carry the heavier burden.

The extraterritorial reach is the part that catches US companies off guard. If you offer goods or services to people in the EU, or if you monitor their behavior through website analytics, ad tracking, or behavioral profiling, the regulation applies to you. Uber learned this the hard way - the Dutch DPA hit them with a €290 million fine in 2024 for transferring EU taxi driver data to the US without adequate protections.

There's no size-based exemption either. A five-person startup processing EU customer data has the same core obligations as a Fortune 500 company. The scale of your compliance program will differ, but the legal requirements don't.

For US companies specifically, the EU-U.S. Data Privacy Framework, established in July 2023 and upheld by the European General Court in September 2025, provides a mechanism for transatlantic data transfers. But it doesn't exempt you from compliance - it just gives you a legal pathway for moving data across the Atlantic.

What Counts as Personal Data?

GDPR defines personal data broadly - much broader than the American concept of "PII." Any information that can identify a natural person, directly or indirectly, counts. The obvious examples: names, email addresses, phone numbers, physical addresses. But it also includes IP addresses, cookie identifiers, device IDs, biometric data, and even pseudonymized data if it can be traced back to an individual.

The regulation also designates special category data - health records, biometric identifiers, political opinions, sexual orientation, and religious beliefs - which requires even stricter protections under Article 9. Processing this data is prohibited unless a specific exception applies, such as explicit consent or substantial public interest.

One distinction that matters for B2B teams: a company's general info@ email isn't personal data. But john.smith@company.com is, because it identifies a specific individual. Same goes for a person's job title paired with their company name - if the combination identifies someone, it's personal data.

This broad definition is intentional. It ensures that companies can't dodge compliance by arguing that cookie IDs or hashed emails aren't "really" personal data.

The 7 Data Protection Principles

Article 5 lays out seven principles that govern all data processing. Every compliance decision you make flows from these.

[Figure: GDPR seven principles with violation frequency data visualization]

| Principle | What It Means | Common Violation |
|---|---|---|
| Lawfulness, fairness, transparency | Have a legal basis; be upfront about data use | No documented basis (biggest driver of fine value) |
| Purpose limitation | Collect for a specific, stated reason | Repurposing data for marketing |
| Data minimization | Only collect what you actually need | Requiring phone numbers for newsletters |
| Accuracy | Keep data correct and up to date | Stale contact databases |
| Storage limitation | Don't keep data longer than necessary | Never deleting inactive accounts |
| Integrity and confidentiality | Protect data with appropriate security | Weak technical measures (29% of cases) |
| Accountability | Prove you're compliant, don't just claim it | No compliance documentation |

Two stats put this in perspective: insufficient legal basis for processing accounts for 90% of total fine value, and insufficient technical and organizational measures is the single most frequent violation, showing up in 29% of all enforcement cases. The principles aren't abstract - they're what regulators actually enforce.

Lawful Bases for Processing

The regulation gives you six legal bases under Article 6 for processing personal data. You need at least one before you touch any EU resident's data - and you can't switch bases after the fact.

[Figure: Six GDPR lawful bases comparison with B2B relevance indicators]

  1. Consent - The individual actively opts in. Must be freely given, specific, informed, and unambiguous. No pre-checked boxes. Can be withdrawn at any time.

  2. Contract - Processing is necessary to fulfill a contract. Example: shipping address to deliver a product.

  3. Legal obligation - You're required by law to process the data. Example: employee tax records.

  4. Vital interests - Processing is necessary to protect someone's life. Example: sharing medical data in an emergency.

  5. Public task - Processing is necessary for a task in the public interest. Example: census data.

  6. Legitimate interest - The most flexible and most debated basis. Requires a three-part test: legitimate purpose, necessary processing, and the individual's rights don't override your interest. Must be documented with a legitimate interest assessment. Example: B2B cold outreach to relevant professional contacts.

For most B2B sales and marketing teams, the choice comes down to consent or legitimate interest.

Your Rights Under GDPR

The regulation gives EU residents a set of enforceable rights over their personal data. Organizations must respond to data subject access requests (DSARs) within one month.

  • Right of access - Ask any company what data they hold on you and get a copy
  • Right to rectification - Demand correction of inaccurate data
  • Right to erasure - The "right to be forgotten" - request deletion when data is no longer necessary or you withdraw consent
  • Right to data portability - Request your data in a machine-readable format and transfer it elsewhere
  • Right to object - Object to processing based on legitimate interest or direct marketing at any time
  • Right to restrict processing - Ask a company to stop processing while a dispute is resolved
  • Rights related to automated decisions - Request human review of decisions made solely by algorithms that significantly affect you

Ignoring or delaying DSARs is one of the easiest enforcement wins for regulators. Late or incomplete responses account for a meaningful share of fines - and they're entirely preventable with a basic intake process.


Penalties and Real Fines

Two Tiers

Penalties operate on two tiers. The lower tier - up to €10 million or 2% of global annual turnover, whichever is higher - covers violations related to record-keeping, data processing agreements, and breach notification failures. The upper tier - up to €20 million or 4% of global annual turnover - applies to violations of core principles, lawful basis requirements, and data subject rights.

[Figure: GDPR two-tier penalty structure with examples]

Enforcement is proportional. A small business that mishandles a few customer records isn't getting a Meta-sized fine. Regulators consider the nature of the violation, its severity, the number of people affected, and whether the company cooperated. But "we're small" isn't a defense - it just means the fine will be smaller, not zero.

The Biggest Fines to Date

| Company | Amount | Year | Violation |
|---|---|---|---|
| Meta | €1.2B | 2023 | EU-to-US data transfers |
| Amazon | €746M | 2021 | Ad targeting without consent |
| TikTok | €530M | 2025 | Data transfer violations |
| Meta (Instagram) | €405M | 2022 | Children's data handling |
| Meta | €390M | 2023 | Forced consent via ToS |
| LinkedIn | €310M | 2024 | Behavioral ad targeting |
| Uber | €290M | 2024 | EU driver data transfers |
| Meta | €265M | 2022 | 533M-user data leak |
| Google | €200M | 2025 | Data protection violations |
| SHEIN | €150M | 2025 | Data protection violations |

In 2025 alone, companies faced nearly €1.15 billion across 330+ fines. The most frequent violation - insufficient technical and organizational measures - accounted for 29% of cases, up 40% from 2024. But the most expensive violation type was insufficient legal basis for processing, responsible for 90% of total fine value at €1.03 billion.

Ireland has emerged as the preeminent enforcer, issuing €3.5 billion in fines since 2018 - four times more than second-placed Luxembourg. That's largely because Meta, TikTok, LinkedIn, and other tech giants have their EU headquarters in Dublin, putting them under the Irish Data Protection Commission's jurisdiction.

GDPR Compliance Checklist

Initial compliance setup typically costs SMEs €50,000-€200,000 depending on complexity - but the cost of non-compliance is orders of magnitude higher. Here's what a solid compliance program covers.

Lawful Basis and Transparency

Start with an information audit. Map every piece of personal data you collect, where it comes from, where it goes, and why you have it. Then document your legal justification for each processing activity - one of the six Article 6 bases. This documentation isn't optional; it's what regulators ask for first.

Your privacy policy needs to be clear, specific, and written in plain language. Generic templates won't cut it. It should explain what data you collect, why, how long you keep it, who you share it with, and how individuals can exercise their rights.

Data Security

Build privacy into your systems from the start - that's what "privacy by design and by default" means in practice. Encrypt and pseudonymize data where possible. Create an internal security policy that covers access controls, incident response, and regular testing.

Conduct Data Protection Impact Assessments (DPIAs) for any processing that's likely to result in high risk to individuals. And if a breach happens, you've got 72 hours to notify your supervisory authority - not 72 hours to start figuring out what happened.

Governance

Assign someone to own compliance. For most small businesses, a DPO isn't legally required - it's mandatory only if your core activities involve large-scale systematic monitoring or processing sensitive data at scale. But someone needs to be responsible, even if it's the founder wearing another hat.

Sign Data Processing Agreements with every third-party processor - your CRM, email provider, analytics tools, freelancers. If you're based outside the EU but process EU data, appoint an EU representative. Organizations with 250+ employees must maintain detailed records of processing activities, though smaller companies should do this too.

Privacy Rights

Build a process for handling DSARs before you receive one. Verify the requester's identity, respond within one month, and provide data in a commonly used format for portability requests. Keep records of consent that include IP addresses, timestamps, and the specific form version used.

Set data retention schedules and stick to them. Delete support tickets after two years. Remove inactive newsletter subscribers after one year. The principle is simple: if you don't need it anymore, get rid of it.
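As an added example (not Prospeo's code), the helper below encodes the deadlines and retention periods this checklist states: the one-month DSAR clock, the 72-hour breach notification window, and the two-year support ticket / one-year inactive subscriber retention rules, alongside the consent record fields listed above. The record layout, the `utc` helper and the sample records are assumptions made for the example.

```python
"""Deadline and retention helpers for the GDPR compliance checklist above.
Added example, not Prospeo's code; the record layout and sample data are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import calendar

# Parameters taken from the checklist text
DSAR_RESPONSE_MONTHS = 1         # respond to a data subject access request within one month
BREACH_NOTIFY_HOURS = 72         # notify the supervisory authority within 72 hours of a breach
RETENTION_DAYS = {               # retention schedule from the checklist (365-day years assumed)
    "support_ticket": 2 * 365,   # delete support tickets after two years
    "newsletter_inactive": 365,  # remove inactive newsletter subscribers after one year
}

def utc(year, month, day, hour=0, minute=0):
    """Build a timezone-aware UTC timestamp so comparisons never mix naive and aware values."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)

@dataclass(frozen=True)
class ConsentRecord:
    """Fields the checklist says a consent record should keep as evidence."""
    subject_email: str
    ip_address: str
    captured_at: datetime   # UTC timestamp of the opt-in
    form_version: str       # the exact form version the person saw

def add_months(when, months):
    """Calendar-month arithmetic; clamps to the last day of the target month (Jan 31 + 1 -> Feb 28)."""
    month_index = when.month - 1 + months
    year = when.year + month_index // 12
    month = month_index % 12 + 1
    day = min(when.day, calendar.monthrange(year, month)[1])
    return when.replace(year=year, month=month, day=day)

def dsar_deadline(received_at):
    """Latest date to answer a DSAR: one calendar month after receipt."""
    return add_months(received_at, DSAR_RESPONSE_MONTHS)

def breach_notification_deadline(detected_at):
    """Latest time to notify the supervisory authority after detecting a breach."""
    return detected_at + timedelta(hours=BREACH_NOTIFY_HOURS)

def is_overdue(deadline, now):
    """True once the clock has run past the deadline."""
    return now > deadline

def records_to_purge(records, now):
    """Return ids of records whose retention period has expired.
    records: iterable of (record_id, category, last_activity_utc) tuples.
    Unknown categories are skipped: never auto-delete data you have no rule for."""
    expired = []
    for record_id, category, last_activity in records:
        limit = RETENTION_DAYS.get(category)
        if limit is not None and now - last_activity > timedelta(days=limit):
            expired.append(record_id)
    return expired

if __name__ == "__main__":
    now = utc(2026, 3, 1)   # constructed "current" time
    consent = ConsentRecord("jane@example.com", "198.51.100.7", utc(2026, 2, 10), "signup-form-v3")
    print("consent evidence:", consent)
    print("DSAR received Jan 31 is due by", dsar_deadline(utc(2026, 1, 31)).date())
    print("breach found Feb 27 09:00 must be reported by", breach_notification_deadline(utc(2026, 2, 27, 9)))
    sample = [("T1", "support_ticket", utc(2023, 12, 1)),   # constructed sample records
              ("T2", "support_ticket", utc(2025, 1, 1)),
              ("N1", "newsletter_inactive", utc(2025, 1, 1)),
              ("C1", "crm_contact", utc(2020, 1, 1))]
    print("records to purge:", records_to_purge(sample, now))
```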

Mistakes That Get Companies Fined

More than €5 billion in fines have come from basic compliance failures - not sophisticated cyberattacks. Here are the ten mistakes we see most often:

No documented lawful basis. This single failure accounts for 90% of total fine value. If you can't point to a written justification for why you're processing data, you're exposed.

Treating data protection as IT-only. The regulation spans legal, operational, and cultural dimensions. Dumping it on the IT team is how compliance gaps form.

Poor supplier due diligence. No audit rights in your vendor contracts? That's a problem. When your processor screws up, you're on the hook too.

Outdated privacy notices. If your privacy policy still references the 1995 Directive or hasn't been updated since 2018, regulators notice.

Weak breach response. If you can't detect, assess, and notify within 72 hours, you're adding a procedural violation on top of the breach itself.

Over-collecting data. Orange SA got hit with €50 million for displaying ads in customer email inboxes without valid consent. Data minimization isn't a suggestion.

Excessive employee access. This is the leading cause of accidental breaches. Not everyone needs access to everything.

Neglecting staff training. Untrained employees are your biggest vulnerability. Regular, practical training prevents the majority of accidental violations.

Ignoring DSARs. Jubel.be, a Belgian SME, was fined €15,000 for setting cookies without consent and providing no opt-out. Late or incomplete DSAR responses are easy enforcement wins for regulators.

No privacy by design. Amazon's €746 million fine came partly from making refusal of tracking unnecessarily complicated. Bolting privacy on after launch is always more expensive than building it in from the start.

Impact on Marketing and B2B Outreach

Let's be honest: cold email isn't banned under the regulation - but it requires a lawful basis, and you need to get the details right. The rules apply whenever you're processing personal data to send those emails, which covers virtually every B2B outreach scenario involving named contacts.

Two legal bases work for B2B cold outreach: explicit consent and legitimate interest. Most B2B teams rely on legitimate interest, which requires a documented assessment covering three tests: you have a legitimate purpose, the processing is necessary to achieve it, and the recipient's privacy rights don't override your interest.

Every cold email must identify the sender, state its purpose, provide an easy unsubscribe mechanism, and explain how you obtained the recipient's data. Data minimization applies - collect only what you need: name, email, company, job title.

There's a second compliance layer most teams forget: the ePrivacy Directive, which governs electronic communications specifically. For existing customers, a "soft opt-in" exception lets you email about similar products or services without explicit consent, as long as you provide a clear opt-out.

The foundation of compliant outreach is your data source. Using purchased lists of questionable origin or scraping data without regard for consent creates immediate compliance risk. We've found that data freshness matters just as much as data accuracy here - stale records generate bounces, which generate unnecessary data processing, which creates exposure. Prospeo's 7-day data refresh cycle and global opt-out enforcement help keep outreach compliant by default rather than by afterthought.

If you're building outbound at scale, it also helps to standardize your sales prospecting techniques and keep your email deliverability clean from day one.


GDPR vs Other Privacy Laws

The EU regulation isn't the only privacy law in the world - 170+ countries have enacted data privacy regulations. But it remains the gold standard, and most other frameworks are measured against it. Scholars call this the "Brussels effect" - the regulation has become the de facto template for global privacy legislation, with laws from Brazil's LGPD to Japan's APPI borrowing directly from its structure.

| | GDPR | CCPA/CPRA | UK GDPR |
|---|---|---|---|
| Scope | EU/EEA residents | California residents | UK residents |
| Consent model | Opt-in | Opt-out | Opt-in |
| Max penalty | €20M / 4% turnover | $7,500 per violation | £17.5M / 4% turnover |
| Data definition | Broad (includes IPs, cookies) | Broad (excluded employee data pre-2023) | Same as EU GDPR (diverging on AI) |
| Extraterritorial | Yes | Yes (revenue threshold) | Yes |
| Enforcer | National DPAs | California AG / CPPA | ICO |

The biggest philosophical difference: the EU requires opt-in consent, while US laws generally follow an opt-out model. In practice, this means EU compliance is stricter by default - if you're compliant with the regulation, you're likely compliant with most other frameworks too.

The US still has no federal privacy law. Twenty-one states have passed their own privacy legislation as of late 2025, creating a patchwork that's increasingly difficult to navigate. The UK, post-Brexit, has started diverging from the EU framework through the Data (Use and Access) Act - lifting the default prohibition on solely automated decision-making where the data isn't special category data, and adding a legitimate interests basis for AI model training.

Skip the UK GDPR rabbit hole if you don't have UK customers. But if you operate in both markets, you'll increasingly need to track two separate compliance frameworks.

If you're comparing compliance across regions, it helps to keep your B2B lead generation stack and data enrichment processes consistent.

What's Changing in 2026

The regulation isn't static. The European Commission published the Digital Omnibus Regulation proposal in November 2025, and it includes significant amendments:

  • Breach notification window extends from 72 to 96 hours, with a single entry point for incident reporting
  • Pseudonymized data may no longer qualify as personal data in certain circumstances - a major shift
  • AI-specific provisions allowing controllers to rely on legitimate interests for AI development, plus new exceptions for processing special category data in AI training
  • Cookie rules migrating from the ePrivacy Directive into the regulation itself, with legitimate interest as a potential basis for cookie processing and a requirement that consent refusal be possible with a single click
  • DSAR abuse ground - a new basis for refusing or charging fees when data subjects abuse their rights for purposes unrelated to data protection
  • DPIA simplification through EU-level lists of processing that does and doesn't require impact assessments

Separately, the Dutch DPA is investigating whether Clearview AI directors can be held personally liable for violations - a potential shift that could extend enforcement beyond corporate entities to the individuals running them.

These proposals still need to pass through European Parliament and Council negotiations, so the final text will differ. But the direction is clear: the EU is trying to balance data protection with innovation, particularly around AI.

Here's the thing: compliance isn't actually that hard for most businesses. The companies getting fined aren't victims of an impossibly complex regulation - they're companies that never documented their lawful basis, never updated their privacy policy, or never built a process for handling data requests. The bar is "be thoughtful and document what you do." Most of that €5.88 billion in fines could've been avoided with a few weeks of focused compliance work.

GDPR FAQ

What does GDPR stand for?

General Data Protection Regulation - formally EU Regulation 2016/679. It was adopted in 2016 and has been in force since May 25, 2018, applying across all 27 EU member states plus the EEA.

Does GDPR apply to US companies?

Yes, if they offer goods or services to EU residents or monitor their behavior. The EU-U.S. Data Privacy Framework provides a legal mechanism for data transfers but doesn't exempt US companies from compliance obligations.

What's the maximum fine?

€20 million or 4% of global annual turnover, whichever is higher. The largest fine to date is Meta's €1.2 billion in 2023 for transferring EU user data to the US without adequate protections.

Do small businesses need to comply?

Yes - there's no size-based exemption. A 5-person startup processing EU residents' personal data has the same core legal obligations as a Fortune 500 company. The scope of your compliance program scales with your data processing volume, but the requirements are identical.

Can I send cold emails under GDPR?

Yes, provided you have a lawful basis - typically legitimate interest for B2B outreach. You must document a legitimate interest assessment, provide an easy opt-out, and use verified data from a reputable, compliant source to minimize risk from stale or inaccurate contact information.
