Skip to Content
Governance and Compliance

What Is the GDPR (Europe's Data Protection Law)?

The GDPR (General Data Protection Regulation) is the European Union's data protection law, in force since 2018 and the counterpart to Brazil's LGPD. It governs how any company collects, uses and stores the personal data of people in Europe, requires a legal basis for every processing, grants data subjects rights (access, correction, deletion) and applies even to companies outside Europe that serve that audience. Fines reach €20 million or 4% of global annual turnover, whichever is higher.

Zamak TechnologiesUpdated on July 10, 2026

How the GDPR works in practice

The GDPR does not list systems to install; it sets principles that apply to any use of personal data, from a customer record to a website cookie. Four duties repeat across any operation.

1

Have a legal basis for every processing

Consent, contract performance, legal obligation, legitimate interest: without one of these grounds, processing the data is unlawful. Collecting it “because it might be useful” is not a legal basis.

2

Honor data subject rights

Access, correction, deletion, portability and objection are requests the law grants to the data owner, and the company has a deadline to meet them.

3

Report a breach within 72 hours

An incident that puts people at risk has to be reported to the authority within 72 hours, and to those affected when the risk is high. It is one of the GDPR's toughest deadlines.

4

Prove you comply (accountability)

Complying is not enough, you have to demonstrate it: records of processing activities, an impact assessment when risk is high and, in many cases, a data protection officer (DPO).

Source: Regulation (EU) 2016/679 (GDPR) and the European Data Protection Board (EDPB).

The principles that hold up the GDPR

  • Lawfulness, fairness and transparency Process data on a clear legal basis and tell the person, without fine print, what is done with their information.
  • Purpose limitation Collect data for a defined objective and do not repurpose it later for something incompatible.
  • Minimization Collect only the data needed for that purpose, not everything that “might come in handy someday”.
  • Accuracy Keep data correct and up to date, and fix what is wrong.
  • Storage limitation Keep data only as long as needed, then dispose of it.
  • Integrity and confidentiality Protect data against unauthorized access, loss and destruction, with security proportionate to the risk.
  • Accountability Be able to demonstrate, with records, that all the principles above are met.

Why the GDPR changed the privacy game

€20M or 4%
of global annual turnover, whichever is higher, is the GDPR fine ceiling (Regulation 2016/679)
€7.1B
in GDPR fines cumulatively since 2018 (DLA Piper, 2026)
72 hours
is the deadline to notify the authority after becoming aware of a risky breach (GDPR)

The GDPR became the world's reference for data protection, and the cost of non-compliance grew. Since 2018, cumulative fines already exceed €7.1 billion, with about €1.2 billion in 2025 alone (DLA Piper, 2026). The ceiling is steep: €20 million or 4% of global annual turnover, whichever is higher. But the fine is only part of the bill. The global average cost of a data breach was US$4.44 million (IBM, 2025), adding notification, investigation, reputational damage and litigation. And the GDPR respects no border: a company in Latin America or the US that offers goods to someone in Europe falls within the law's reach.

How a company prepares for the GDPR

GDPR readiness is not a project that ends, it is a discipline that has to hold. The most direct path:

  1. Map the data and the legal basis for each useList what personal data the company processes, where it comes from and why. Every use needs a documented legal ground.
  2. Get ready to answer data subject rightsHave a process to meet access, correction and deletion requests within the deadline, without a treasure hunt each time.
  3. Have the incident response plan ready for 72 hoursThe GDPR's short deadline is only feasible with a plan tested beforehand. Improvising in the middle of a breach blows past the 72 hours.
  4. Document to prove it (accountability)Records of processing activities, impact assessments and, where required, a data protection officer. That is what turns “we comply” into proof.

In practice

The question that reveals the real risk: if a person in Europe asked today for a copy of all the data the company holds about them, would someone gather it within the deadline, or not even know where to start?

How Zamak handles GDPR compliance

Zamak Technologies supports GDPR and LGPD readiness as part of Governance and Compliance in the Zamak Method: control mapping, evidence management and an audit trail on a compliance platform. A good starting point is the Compliance Audit Express, which shows in minutes where the company is most exposed.

Frequently asked questions about the GDPR

My company is not in Europe, does the GDPR affect me?
It can. The GDPR applies to any company that processes the data of people in Europe by offering them goods or services or monitoring their behavior, no matter where the company is headquartered.
What is the difference between the GDPR and the LGPD?
The GDPR is Europe's law and the LGPD is Brazil's, inspired by it. The principles are very similar (legal basis, data subject rights, breach notification), but the enforcement authority, the deadlines and the fine amounts differ between the two.
What is a legal basis?
It is the ground that authorizes processing personal data. Consent is only one; contract performance, legal obligation and legitimate interest, among others, also work, depending on the case.
Does every breach have to be reported within 72 hours?
Notifying the authority is required when the incident puts people at risk, and the deadline is up to 72 hours from when the company becomes aware. Incidents with no real risk fall outside, but drawing that line takes judgment.
Do I need a DPO (data protection officer)?
It depends. The GDPR requires a DPO in certain cases, such as large-scale processing of sensitive data or systematic monitoring. Outside those, having one is still good practice.
Is consent always required?
No. It is just one of the legal bases. Many activities rely on contract or legitimate interest. Using consent where it does not hold can even weaken compliance.

Related terms

Endpoint and Identity
MFAPAM (privileged access)SSO (single sign-on)
Detection and Response
EDRMDRXDRMITRE ATT&CKSIEMSOC (security operations center)
Network and Access
ZTNAFirewallVPNSASE
Governance and Compliance
LGPDISO 27001SOC 2NIST CSFShadow ITCyber maturity assessmentHIPAAPCI DSSGDPRCMMCCIS ControlsISO 42001 (AI management)NIST AI RMFNIST 800-171FTC SafeguardsISO 27701 (privacy)FedRAMPGRC (governance, risk, compliance)vCIOvCISO
Concepts and Fundamentals
Deep webZero TrustDefense in depthAttack surfaceEndpointLeast privilege
AI and Security
Shadow AIAI governancePrompt injectionOWASP LLM Top 10Deepfake