Blog · ComplianceGDPR in 2026: when it applies and how to comply
A practical global guide to EU GDPR, when it applies wherever you are based, the seven principles, what your site needs, cookies, DPOs, and the penalties for failure.
The General Data Protection Regulation (GDPR) is the European Union's data protection law, in force since May 2018. It is the most influential privacy regulation in the world, most businesses outside the EU dramatically underestimate how much of it applies to them.
If your business has a website that receives EU visitors, if you sell to European customers, if you process data on behalf of European clients, or if you use EU users' data in any way, GDPR applies, regardless of where your business is incorporated. A SaaS company in San Francisco, a consultancy in Singapore, a D2C brand in Dubai, a pharma exporter in India, an e-commerce store in São Paulo, all in scope if they touch EU data.
This guide is the practical version: when GDPR applies to your business no matter where you're based, what your website actually needs, what cross-border data transfer looks like in 2026, and the real cost of getting it wrong.
Does GDPR apply to my business?
Yes, in any of these scenarios, regardless of where your business is incorporated:
- You offer goods or services to individuals in the EU: even free ones. Even if they pay in your local currency. SaaS founders, B2B services firms, content platforms, e-commerce stores, pharma exporters, consultants, all in scope if EU residents are buying or using.
- You monitor the behaviour of EU individuals: analytics, advertising pixels, cookies tracking EU visitors, profiling based on EU users. If Google Analytics shows EU traffic, you are technically monitoring EU users.
- You process data on behalf of an EU controller: outsourcing, back-office work, white-labelled services. If a European client sends you their customer data to process, GDPR applies to that processing.
It does notapply if EU residents only stumble onto your website by accident and you make no effort to attract them. But the bar for “making an effort” is low, translating into a European language, listing prices in EUR, mentioning EU countries by name, accepting EU payments, or running ads targeted at EU audiences all count.
For most businesses outside the EU with even modest international ambition, GDPR is in scope.
The seven core principles
GDPR has seven foundational principles. If you don't know any other detail about the law, know these:
- 1. Lawfulness, fairness and transparency.Every processing of personal data must have a documented legal basis (see next section), be fair to the individual, and be transparent about what you're doing.
- 2. Purpose limitation.Data collected for one purpose cannot be silently reused for another. Asking for an email to send a quote doesn't give you the right to add it to a newsletter.
- 3. Data minimisation.Collect the minimum necessary. The fifteen-field contact form is not just bad UX, under GDPR it's potentially non-compliant.
- 4. Accuracy. Keep personal data accurate and up to date. Allow individuals to correct it.
- 5. Storage limitation.Don't keep data forever. Define retention periods and stick to them.
- 6. Integrity and confidentiality. Reasonable security safeguards. Encryption in transit and at rest. Access controls. Breach response.
- 7. Accountability. You must be able to demonstrate compliance. Records, policies, processes, written down, defensible, available on request.
Lawful basis, the six legal grounds for processing
GDPR requires every processing activity to have one of six lawful bases. You must pick and document the right one for each purpose:
- Consent: the individual has clearly and affirmatively given permission. Pre-ticked checkboxes don't count. Bundled consents don't count. The withdrawal must be as easy as the giving.
- Contract: processing is necessary to perform a contract with the individual (e.g., shipping their order, providing a service they signed up for).
- Legal obligation: you're required by law (e.g., tax records).
- Vital interests: life-or-death situations (rare in business).
- Public task: government / public authority functions (rare for private companies).
- Legitimate interests: you have a legitimate business reason that outweighs the individual's privacy interest. Requires a written Legitimate Interest Assessment (LIA).
Most marketing communications need consent. Most customer fulfilment needs contract. Most analytics, fraud prevention and B2B prospecting can be supported by legitimate interests with a proper LIA.
Individual rights, what EU users can demand
EU residents have eight enforceable rights under GDPR. Your business must respond within 30 days:
- Right to information: clear notice of what you collect and why.
- Right of access: a copy of all personal data you hold about them.
- Right to rectification: correction of inaccurate data.
- Right to erasure (the “right to be forgotten”): deletion of data, with exceptions for legal record-keeping.
- Right to restriction: pause processing while a dispute is resolved.
- Right to data portability: receive their data in a machine-readable format and transfer it elsewhere.
- Right to object: to direct marketing, profiling, or any legitimate-interest processing.
- Rights regarding automated decision-making: including profiling that significantly affects them.
Your business needs a documented process to receive these requests, verify the requestor's identity, and respond within the 30-day window. This is the “DSAR workflow”, Data Subject Access Request workflow, and it's a real operational requirement.
What your website actually needs
Five things, in priority order:
1. A GDPR-aware privacy policy
Not a template. A policy written to your real data flows, naming your real sub-processors, with your real retention periods. Must include the seven mandatory disclosures: your identity, processing purposes, lawful basis for each, recipients, international transfers, retention, and rights. Ours is at /privacy for reference.
2. A real cookie consent mechanism
Required if your site uses any non-essential cookies (analytics, marketing, embedded media). Must:
- Block non-essential cookies until consent is given.
- Allow granular control (analytics vs marketing vs functional).
- Make withdrawal as easy as acceptance.
- Record consent (timestamp, IP, what was accepted).
A passive “by using this site you agree to cookies” banner is explicitly non-compliant under recent EDPB guidance and case law. Real solutions: Cookiebot, OneTrust, Iubenda, or a custom-built consent manager.
3. Form-level consent for marketing communications
Every form that captures an email or phone for marketing purposes needs an unticked opt-in checkbox specific to that purpose. Bundled consents (“by signing up you agree to receive emails, calls, partner offers, and product updates”) are not compliant.
4. Records of processing activities (Article 30)
A written internal document listing every processing activity in your business: data category, purpose, lawful basis, recipients, retention, transfers. Required for any business with 250+ employees, but recommended for everyone, it's the cornerstone document an EU regulator will ask for if they come knocking.
5. Reasonable security baseline
HTTPS, encrypted databases, hardened headers, access controls, monitoring, secrets management, breach playbook. The same baseline that DPDP requires. Most modern Next.js + Vercel deployments tick the technical checkboxes by default.
Cross-border data transfers, the global problem
Transferring EU personal data outside the EU/EEA requires a legal mechanism unless your destination country has an EU adequacy decision. Adequate jurisdictions (as of 2026) include the UK, Japan, Canada, South Korea, New Zealand, Switzerland, Israel, Argentina, Uruguay, the Faroe Islands, Guernsey, Jersey, Isle of Man, Andorra and the US under the EU-US Data Privacy Framework. Most of the world, including India, most of Asia, Latin America, Africa and the Middle East, is not on the adequacy list.Transfers to those jurisdictions require additional mechanisms:
- Standard Contractual Clauses (SCCs): the most common path. A standardised contract template the EU has approved, signed between the EU exporter and the non-EU importer. Updated in 2021 to be more rigorous.
- Binding Corporate Rules (BCRs): internal rules for transfers within a corporate group. Heavy to implement; only worth it for large multinationals.
- Derogations: narrow exceptions (explicit consent, contract necessity, public interest). Cannot be the default; only ad-hoc cases.
SCCs alone are no longer sufficient on their own since the Schrems II decision, you also need a Transfer Impact Assessment (TIA) documenting that the destination country provides adequate protection in practice. The TIA reviews local surveillance laws, judicial redress mechanisms, and your own technical safeguards (encryption, pseudonymisation).
For most non-EU businesses processing EU data, the realistic compliance posture is: SCCs + a written TIA + strong encryption + documented access controls. We help with the full set as part of a GDPR engagement, regardless of where your business is based.
DPO, Data Protection Officer
GDPR requires a designated Data Protection Officer if your business:
- Is a public authority.
- Processes personal data on a regular and systematic large scale.
- Processes sensitive personal data (health, religion, political views, etc.) at scale.
Most SMBs don't strictly require a DPO. However, EU buyers increasingly expect one, even outsourced, as part of vendor due diligence. The DPO doesn't have to be on staff; it can be an external advisory contract. RoseLeap offers DPO-as-a-Service for businesses that need a credible privacy contact without hiring full-time.
Penalties, what the fines actually look like
GDPR has two tiers of administrative fines:
- Lower tier: up to €10 million or 2% of global annual turnover, whichever is higher. For violations like inadequate records, insufficient cooperation with regulators, or breach-notification failures.
- Upper tier: up to €20 million or 4% of global annual turnover, whichever is higher. For violations of core principles: lawful basis, consent, individual rights, international transfers.
Notable fines so far have included €1.2 billion (Meta), €746 million (Amazon), €405 million (Instagram), and many millions levied on smaller players. Enforcement against non-EU businesses depends on whether the regulator chooses to pursue cross-border action, but the bigger risk for any non-EU business is reputational and commercial: an EU buyer who finds you non-compliant will simply not engage.
GDPR + DPDP, the dual compliance reality
If your business is based in India and has EU exposure, you need both GDPR and DPDP compliance running in parallel. The good news is they share ~80% of the operational work:
- One audit covers both regimes.
- One privacy policy can be structured to satisfy both (with EU-specific sections).
- One DSAR workflow handles requests from either jurisdiction.
- One sub-processor list, one breach playbook, one accountability framework.
We package GDPR and DPDP together for clients who need both, same audit, same documentation set, with jurisdiction-specific addenda. Talk to us at the contact page.
Practical starting points
- Run a data mapping exercise this week. List every place EU personal data lives in your business and every third party that touches it.
- Audit your current privacy policy.Does it name your real sub-processors? Does it explain lawful basis per purpose? Does it disclose international transfers? Most don't.
- Look at your cookie banner(if you have one). Does it block non-essential cookies before consent? Does it offer granular control? Most don't.
- Look at your forms. Is consent for marketing communications captured separately and explicitly? Is it logged?
- If you transfer EU data outside the EU/EEA: even just by hosting on a non-EU server, start an SCC + TIA workstream.
How RoseLeap can help
We run a GDPR Compliance service for businesses worldwide with EU exposure. Fixed-fee audit, lawful-basis assignment, cookie consent setup, privacy policy drafted to your real data, SCC + TIA for cross-border transfers, and DPO-as-a-Service available on retainer. We also bundle this with DPDP compliance for clients who need both.
Tell us about your business, what you do, who your EU users are, what data flows where. We come back with a fixed-fee scope and a date you can claim compliance by, within one business day. Start at the contact page.
Rooted in Data · Built to Bloom
Need help with your own?
Tell us about your project. We come back with a clear, honest plan.