Key facts
- Controls: 99 articles across 11 chapters; ~78 enforceable obligations
- Recertification cycle: continuous regulatory compliance (no expiry)
- Ongoing oversight: DPA-led investigations, typically triggered by complaints or reported breaches
- Common gap categories: lawful basis documentation (Art 6); data subject rights workflows (Art 12–22); Records of Processing Activities (Art 30); Data Protection Impact Assessments (Art 35); international transfer mechanisms (Chapter V, SCCs)
- Related standards
What is GDPR?
The EU General Data Protection Regulation (European Parliament and Council, enforced May 25, 2018) governs the collection, processing, and transfer of personal data of EU and EEA residents. It applies to any organization worldwide that handles such data.
Is GDPR a certification or an attestation?
GDPR is a regulation, not a certification framework. There is no issuing body that grants a GDPR certification. Article 42 allows for voluntary national certification schemes approved by supervisory authorities, but no pan-EU scheme exists at scale. Compliance is self-attested and enforced by national Data Protection Authorities (DPAs).
Who needs GDPR?
Implicitly required of any company with EU customers, employees, or data subjects. Most commonly demanded as a contractual prerequisite by European enterprise buyers, SaaS procurement teams, and any company signing EU Standard Contractual Clauses.
What does GDPR cost and how long does it take?
Highly variable. An SME-to-mid-market initial program build typically runs €30K–€500K+ over 6–18 months, with ongoing costs settling near 35–40% of year-one spend.
GDPR cost ranges span 2–3 orders of magnitude depending on company size, data volume, and starting posture. Treat the range as a compliance program investment, not an audit fee.