General Data Protection Regulation
GDPR governs the processing of personal data of EU residents. It requires a lawful basis for processing, data subject rights, breach notification, and accountability measures.
What does GDPR require and when does it apply?
GDPR applies to organisations in all sectors that process EU personal data, across all EU member states. It has been in force since May 25, 2018. Non-compliance carries a maximum penalty of €20M or 4% of global turnover. Core obligations include maintaining records of processing activities (ROPA) and conducting Data Protection Impact Assessments.
- Maintain records of processing activities (ROPA)
- Conduct Data Protection Impact Assessments
- Appoint a Data Protection Officer (if required)
- Implement data subject rights procedures
- Report breaches within 72 hours
| Deadline | In force since May 25, 2018 |
| Max fine | €20M or 4% of global turnover |
| Primary sectors | All sectors processing EU personal data |
Source: Official Journal of the European Union — General Data Protection Regulation
How do I comply with GDPR?
- Maintain records of processing activities (ROPA)
- Conduct Data Protection Impact Assessments
- Appoint a Data Protection Officer (if required)
- Implement data subject rights procedures
- Report breaches within 72 hours
Related Regulations
AI Act
The EU AI Act classifies AI systems by risk level and imposes obligations on providers and deployers. High-risk systems face mandatory conformity assessments, documentation, and human oversight requirements.
NIS2
NIS2 expands cybersecurity obligations to essential and important entities across critical sectors. It mandates risk management, incident reporting, and supply chain security.
CRA
The CRA establishes cybersecurity requirements for products with digital elements sold in the EU. Manufacturers must ensure security by design and provide vulnerability handling.
For informational purposes only. This is not legal advice — consult qualified legal counsel.