
What Is GDPR?

The General Data Protection Regulation (GDPR) is the European Union's comprehensive data protection law, in force since 25 May 2018 (Regulation (EU) 2016/679). It governs how organizations collect, store, use, and share the personal data of people in the EU --- and gives those people enforceable rights over their own data. Like the laws that followed it, the GDPR applies extraterritorially: any organization anywhere in the world that processes the personal data of people in the EU must comply, which is why it became the de facto global baseline for data privacy.

GDPR matters because it changed data protection from a compliance footnote into a board-level obligation with real teeth --- fines reach the tens of millions of euros or a percentage of global turnover. But beyond the penalties, it reframed personal data as something organizations hold in trust rather than own outright. Its lasting operational consequence is simple: you cannot protect, justify, or delete personal data you cannot find, classify, and trace --- which makes GDPR, underneath the legal language, a data governance problem.

TL;DR

GDPR (Regulation (EU) 2016/679, in force May 2018) is the EU's data protection law. It rests on seven principles (Article 5), grants individuals eight data subject rights (access, erasure, portability, and more), requires a lawful basis for every processing activity (one of six), and assigns roles --- controller, processor, and where required a DPO. It applies extraterritorially and carries penalties up to €20 million or 4% of global turnover. Operationally it is a data governance mandate: you must know where personal data lives (catalog), what it is (classification), and where it flows (lineage).

GDPR Defined

The GDPR is a regulation --- directly binding across all EU and EEA member states without national transposition. It protects "personal data," defined broadly as any information relating to an identified or identifiable living person, and regulates its "processing" --- essentially any operation performed on that data, from collection to deletion. Its scope is deliberately wide: a name, an email, an IP address, a location, or an online identifier can all be personal data.

Its defining characteristics:

  • Rights-based --- It centers on the rights of the individual (the "data subject"), not just the obligations of organizations.
  • Principle-led --- Compliance flows from seven high-level principles rather than a checklist of narrow rules.
  • Extraterritorial --- It applies to any organization processing the personal data of people in the EU, wherever that organization is based.
  • Accountability-driven --- Organizations must not only comply but be able to demonstrate compliance with documented evidence.

The Seven Principles

Article 5 sets out seven principles that underpin everything else in the regulation. Every processing activity must satisfy all of them.

[Infographic: "GDPR in Four Parts" --- 7 principles (Art. 5); 6 lawful bases; 8 data subject rights; enforcement (up to €20M or 4% of global turnover, national supervisory authorities, EDPB, extraterritorial reach, breach notification within 72 hours); foundation: know your personal data (catalog, classification, lineage, ownership). Reg. (EU) 2016/679, in force 25 May 2018.]
  1. Lawfulness, fairness & transparency. Process data legally, fairly, and in a way people can understand.
  2. Purpose limitation. Collect data for specified, explicit purposes and don't repurpose it incompatibly.
  3. Data minimisation. Collect only what you actually need.
  4. Accuracy. Keep data correct and up to date.
  5. Storage limitation. Don't keep data longer than necessary.
  6. Integrity & confidentiality. Secure data against unauthorized access, loss, or damage.
  7. Accountability. Be able to demonstrate compliance with all of the above --- the principle that turns the others into documented practice.

Data Subject Rights

The GDPR grants individuals eight enforceable rights over their personal data. Honouring them is impossible without knowing exactly what personal data you hold and where:

  • Right to be informed --- about how their data is used.
  • Right of access --- to obtain a copy of their data (a "subject access request").
  • Right to rectification --- to correct inaccurate data.
  • Right to erasure --- the "right to be forgotten."
  • Right to restrict processing --- to pause use of their data.
  • Right to data portability --- to receive and reuse their data across services.
  • Right to object --- to certain processing, including direct marketing.
  • Rights around automated decision-making --- safeguards against solely automated decisions with significant effects.

The right to erasure and the right of access are the operational stress test: an organization that cannot locate every copy of a person's data across its systems cannot satisfy either. This is where lineage and a complete catalog stop being nice-to-haves.

Roles, Bases & Penalties

Lawful basis. Every processing activity needs one of six lawful bases: consent, contract, legal obligation, vital interests, public task, or legitimate interests. "We had the data" is never, by itself, a justification.

Roles. The GDPR assigns responsibility by role:

  • Controller --- decides why and how personal data is processed; carries primary accountability.
  • Processor --- processes data on the controller's behalf (e.g. a cloud vendor), under a contract.
  • Data Protection Officer (DPO) --- required for many organizations; oversees data protection and is the contact point for regulators.

Penalties & enforcement. Infringements carry fines up to €20 million or 4% of total worldwide annual turnover, whichever is higher (a lower tier of €10M/2% applies to lesser breaches). National supervisory authorities (DPAs) enforce the regulation, coordinated by the European Data Protection Board (EDPB), and serious data breaches must be reported within 72 hours. The GDPR also constrains transfers of personal data outside the EU --- the subject of data sovereignty.

GDPR & Data Governance

Strip away the legal vocabulary and GDPR compliance reduces to a set of capabilities that are pure data governance. You cannot minimise data you haven't inventoried, honour an erasure request without knowing every place a person's data lives, demonstrate accountability without documentation, or prove a lawful basis without records of processing. Each requirement maps directly onto a governance capability:

  • A data catalog provides the inventory --- what personal data exists and where --- without which no other GDPR obligation can be met.
  • Data classification identifies and tags personal and sensitive data so it can be protected and located on demand.
  • Data lineage traces where personal data flows, which is what makes subject access, erasure, and breach impact analysis tractable.
  • Data masking and access controls operationalize the integrity-and-confidentiality principle.
  • Clear ownership assigns the accountability the regulation demands.

This is exactly the gap Dawiso fills for privacy teams: the catalog, classification, and lineage that turn GDPR's abstract obligations into things you can actually do and evidence. The DPO sets the policy; the governance platform is what lets the organization honour it. The same foundation also underpins the EU AI Act, DORA, and NIS2 --- govern your data once, and you satisfy many regimes at once.

Conclusion

GDPR turned personal data into a regulated asset held in trust, with rights for individuals and accountability for organizations. Nearly a decade on, its deepest lesson is operational rather than legal: compliance is downstream of governance. Organizations that know where their personal data lives, what it is, and where it flows meet GDPR almost as a by-product; those that don't face every subject access request and every audit as a fire drill. The regulation is the requirement --- governed data is the answer.
