The European framework for personal data protection and privacy rights.
The General Data Protection Regulation (GDPR) is the European Union's primary data protection legislation. Under its territorial scope (Article 3) it applies to organizations established in the EU/EEA and, regardless of where they are located, to organizations outside the EU/EEA that offer goods or services to data subjects in the Union or monitor their behaviour. It establishes rights for individuals and obligations for controllers and processors, backed by administrative fines of up to EUR 20 million or 4% of worldwide annual turnover, whichever is higher.
Documentation obligations under GDPR are substantial and specific: organizations must maintain Records of Processing Activities (RoPA, Article 30), identify and document the lawful basis (Article 6) for each processing activity, conduct Data Protection Impact Assessments (DPIAs, Article 35) for processing likely to result in a high risk to individuals, and document their handling of data subject requests. The accountability principle (Article 5(2)) requires that organizations not only comply with GDPR but are able to demonstrate compliance to supervisory authorities on demand.
Privacy notices documenting what personal data is collected, why, how long it is retained, and with whom it is shared.
Documented processes for handling access, rectification, erasure, restriction, portability, and objection requests within the statutory timeline: without undue delay and in any event within one month of receipt, extendable by a further two months for complex or numerous requests provided the data subject is informed of the extension within the first month.
Data Processing Agreements (DPAs, per Article 28) with all processors handling personal data on behalf of the controller, including flow-down terms for any sub-processors.
Records of Processing Activities (RoPA) documenting all processing activities, purposes, categories, and retention periods.
Data Protection Impact Assessments for high-risk processing activities, documenting the advice sought from the DPO and, where residual risk remains high, the prior consultation with the supervisory authority.
DPO appointment documentation, independence evidence, and contact detail publication.
Templates and implementation resources for GDPR / EU Data Protection are available through the ELDR Institute Knowledge Hub and via direct request.