GDPR: The Practitioner's Guide
Principles, legal bases, enforcement, UK divergence, and how to research it
What the GDPR Is and Why It Still Matters
The General Data Protection Regulation (GDPR, Regulation 2016/679) came into force on May 25, 2018. Eight years later, it remains the most consequential piece of privacy legislation ever enacted. Over 2,800 fines have been issued totalling more than 6.2 billion EUR. The largest single fine, 1.2 billion EUR against Meta, landed in May 2023.
The GDPR is a directly applicable EU regulation. It replaced the 1995 Data Protection Directive and introduced a single, binding framework across the EU. Its territorial reach under Article 3 applies to any organisation established in the EU, but also to any organisation outside the EU that targets EU residents or monitors their behaviour.
Key takeaway: The GDPR applies based on where data subjects are located, not just where the controller is based. Article 3 is the first thing to check in any cross-border matter.
The Seven Principles (Article 5)
Article 5 sets out seven principles for processing personal data. Courts and regulators treat these as the interpretive backbone of the entire regulation.
- Lawfulness, fairness, and transparency. Processing must have a legal basis, must not deceive or harm data subjects, and must be communicated clearly.
- Purpose limitation. Data collected for one purpose cannot be freely repurposed. The original purpose constrains future use.
- Data minimisation. Collect only what you need. "Just in case" is not a valid reason.
- Accuracy. Controllers must keep personal data accurate and up to date.
- Storage limitation. Retention periods must be defined and justified. Organisations cannot hold data indefinitely.
- Integrity and confidentiality. Security is a principle, not just a technical question. Article 5(1)(f) requires appropriate technical and organisational measures.
- Accountability. Controllers must be able to demonstrate compliance, not just assert it. Documentation, DPIAs, and records of processing are required.
Key takeaway: Article 5(2) places the burden of proof on the controller. If you cannot show compliance, you are not compliant.
The Six Legal Bases (Article 6)
Every act of processing requires a legal basis. Article 6 provides six options. You cannot switch bases mid-stream.
Consent must be freely given, specific, informed, and unambiguous. Pre-ticked boxes do not work (Planet49, C-673/17). Consent is often the wrong basis because it creates ongoing withdrawal obligations.
Legitimate interests requires a three-part balancing test: the controller has a legitimate interest, processing is necessary to achieve it, and the interest does not override the data subject's rights. This is the most flexible basis and the most abused.
Contract covers processing genuinely necessary to perform a contract. Legal obligation covers processing required by EU or national law. Vital interests is reserved for genuine emergencies. Public task covers processing necessary for a task in the public interest.
Data Subject Rights (Chapter III)
Chapter III gives individuals a suite of rights over their personal data. Controllers must operationalise them with response timelines and documented processes.
The right of access (Article 15) lets people request a copy of all personal data held about them. Controllers have one month to respond.
The right to erasure (Article 17) requires deletion when data is no longer necessary, consent is withdrawn, or the individual objects. It is not absolute. The foundational case is Google Spain SL v AEPD (C-131/12).
Data portability (Article 20) allows individuals to receive their data in a structured, machine-readable format. The right to object (Article 21) allows individuals to object to processing based on legitimate interests. For direct marketing, the right is absolute.
Automated decision-making (Article 22) gives individuals the right not to be subject to decisions based solely on automated processing that produce significant effects. This intersects directly with the EU AI Act.
Cross-Border Data Transfers
Chapter V restricts transfers outside the EU/EEA. Schrems I (C-362/14, 2015) invalidated Safe Harbor. Schrems II (C-311/18, 2020) invalidated Privacy Shield and imposed Transfer Impact Assessment requirements on Standard Contractual Clauses.
The EU-US Data Privacy Framework was adopted in July 2023 but faces legal challenges. The TikTok fine of 530 million EUR in 2025 confirmed that transfer compliance is a regulatory priority.
Adequacy decisions include the UK, Switzerland, Japan, Canada, South Korea, and New Zealand. Outside that list, controllers must rely on SCCs, Binding Corporate Rules, or approved certification schemes.
Key takeaway: SCCs are not a box-ticking exercise. Since Schrems II, they require genuine assessment of the legal environment in the recipient country.
Enforcement: The Numbers
Regulators have issued more than 2,800 fines totalling over 6.2 billion EUR, more than 60% of them since January 2023.
- Meta (May 2023): 1.2 billion EUR. Transfers of EU user data to the US. The largest GDPR fine ever.
- TikTok (2025): 530 million EUR. Transfers to China without adequate safeguards.
- Amazon (2021): 746 million EUR. Advertising targeting without valid consent.
- WhatsApp (2021): 225 million EUR. Transparency failures.
- Google France (2022): 150 million EUR. Cookie consent violations.
Fines fall into two tiers: up to 10 million EUR or 2% of turnover (lower tier), and up to 20 million EUR or 4% of turnover (upper tier, for core principle and rights violations).
National Derogations
The GDPR contains dozens of opening clauses that let member states make their own rules in specific areas.
The age of digital consent varies from 13 to 16 by country. Employment data processing rules vary significantly, with Germany having particularly detailed requirements. Protections for deceased persons exist in France, Italy, and Spain. Some member states, including Poland, Austria, and Italy, have introduced criminal penalties for GDPR breaches.
UK Divergence Post-Brexit
The UK retained the GDPR as UK GDPR through the Data Protection Act 2018. The Data (Use and Access) Act received Royal Assent in June 2025, introducing recognised legitimate interests that skip the balancing test for specific activities. This is a meaningful departure from the EU framework.
The EU's adequacy decision for the UK is subject to review. If the UK diverges too far, adequacy could be revoked, requiring SCCs for all EU-UK transfers.
Key takeaway: UK GDPR is not EU GDPR. A data protection memo for an EU client will not apply without modification to a UK entity, and the gap is widening.
GDPR and the AI Act
Article 22 GDPR restricts automated decisions with significant effects. The AI Act imposes additional requirements on high-risk AI systems used in employment, credit scoring, education, and essential services. The two regimes are complementary but not identical.
Organisations deploying high-risk AI will need both GDPR DPIAs (Article 35) and AI Act conformity assessments. The intersection between GDPR and AI regulation will be the defining area of EU digital law practice for the next decade.
How to Research GDPR Effectively
GDPR research requires primary law, regulatory guidance, and case law used together.
- EUR-Lex carries all 24 language versions. Check multiple versions when terms are ambiguous.
- EDPB Guidelines on consent, legal bases, DPIAs, and breach notification are foundational.
- GDPRhub aggregates national DPA decisions across the EU/EEA with English summaries.
- National DPA guidance from the ICO, CNIL, BfDI, and DPC supplements EDPB output.
For cross-referencing GDPR articles with national implementations and CJEU case law, platforms like Venato let you navigate across instruments without switching between multiple sources.
Key Cases Every Student Should Know
Google Spain v AEPD (C-131/12, 2014): Established that search engines are data controllers and individuals can request removal of links to outdated personal information. The foundational right to be forgotten case.
Schrems I (C-362/14, 2015): Invalidated the EU-US Safe Harbor framework. Set the "essentially equivalent" standard for adequacy.
Schrems II (C-311/18, 2020): Invalidated Privacy Shield. Imposed Transfer Impact Assessment requirements on SCCs.
Planet49 (C-673/17, 2019): Pre-ticked cookie consent boxes do not constitute valid consent. The authority for cookie banner design.
Where GDPR Practice Is Heading
Three developments will shape the next phase. AI regulation is creating a second compliance layer on top of the GDPR. Enforcement is becoming more coordinated through the EDPB's binding dispute resolution mechanism. And UK divergence is accelerating with the Data (Use and Access) Act.
For students entering practice, data protection is embedded in every area of commercial law. Learning the GDPR properly, including the principles, the enforcement record, the transfer rules, and the national variations, is the price of entry for any modern commercial or technology practice.