Who should comply with the GDPR? All you need to know
The General Data Protection Regulation (GDPR) is a landmark privacy law that protects the data rights of individuals in the European Union (EU) and European Economic Area (EEA). It has a broad scope, strict requirements, and substantial penalties—so knowing whether GDPR applies to your organization is critical if you interact with any EU/EEA personal data.
In this article, we’ll clarify:
- Which organizations fall under the GDPR’s scope
- The types of data the GDPR safeguards
- The authorities responsible for enforcement
- Whether the GDPR applies to non-EU organizations
- What happens when you don’t comply

Related guides:
- GDPR basics: everything you need to know to keep your business compliant
- GDPR compliance for US companies: step-by-step guide
- How to make your website GDPR compliant in 8 steps
- The only GDPR compliance checklist you’ll ever need
Key takeaways
- GDPR scope is about people, not headquarters. If you collect or process EU/EEA residents’ personal data, GDPR may apply—even if you’re outside Europe.
- “Offering” and “monitoring” are the two big triggers. Selling to EU/EEA residents or tracking their behavior (often via cookies/analytics) commonly brings you into scope.
- Controller vs. processor changes your obligations. Many obligations apply to both, but “why/how decisions” (controller) vs. “process on instructions” (processor) shapes accountability.
- Not all data is equal under GDPR. Special category data (Article 9) and criminal data typically require stricter protections and governance.
- The fastest way to reduce risk is operational clarity. Define scope, map data flows, assign owners, and keep evidence current.
Who does the GDPR apply to?
GDPR applies to any entity—person, business, or organization—that collects or processes personal data relating to individuals in the EU/EEA.
In practice, the “litmus test” is whether you:
- Are established in the EU/EEA and process personal data in the context of that establishment, or
- Target people in the EU/EEA (for example, you offer goods/services to them), or
- Monitor behavior of individuals in the EU/EEA (for example, tracking cookies/profiling)
If you accept orders from EU-based users, run lead-gen forms that intentionally serve EU prospects, or your site uses analytics/cookies that monitor EU/EEA visitors, you should assume GDPR scope is worth a serious review.
A practical “are we in scope?” table
Use this table as a fast, operational gut-check. It’s not legal advice, but it captures the most common triggers teams encounter.
| Scenario | Typical GDPR scope signal | What to do next (practical) |
|---|---|---|
| You have EU/EEA customers (paid or free) | “Offering goods/services” to EU/EEA residents | Confirm lawful basis, put DPAs in place, define controller/processor role, and implement DSAR + breach workflows |
| Your site markets to EU/EEA users (localized pages, EU pricing, EU languages, EU shipping) | Intent to target EU/EEA | Review tracking tech + consent, privacy notice, and your data inventory |
| EU/EEA traffic is truly incidental and you don’t target or monitor | Scope may be lower, but depends on tracking | Validate cookies/analytics behavior and retention; document your assessment |
| You run behavioral ads/retargeting that reach EU/EEA visitors | “Monitoring behavior” | Implement consent management, vendor DPAs, cookie controls, and evidence of consent |
| You process employee/applicant data for an EU office | EU establishment context | Treat HR systems and vendors as in-scope; ensure retention + access controls |
“Scope decisions go faster when you can point to evidence: which markets you serve, what analytics run, what data you collect, where it goes, and who can access it.”
Controllers vs. processors (why the distinction matters)
To clarify responsibilities in data processing and reporting, GDPR defines two core roles:
- Controllers: organizations that determine why and how personal data is processed
- Processors: organizations that process personal data on behalf of a controller and follow the controller’s instructions
Many organizations play both roles depending on the context. For example, a SaaS company is often a controller for its own employee and marketing data, and a processor when it processes customer end-user data inside the SaaS product.
Common role-driven obligations (high level)
| Obligation area | Controller | Processor |
|---|---|---|
| Decide purpose + lawful basis | Yes | No (supports controller’s lawful basis) |
| Provide privacy notice to data subjects | Typically yes | Typically no (but must support) |
| Maintain records of processing (RoPA) | Yes (Article 30) | Yes (Article 30) |
| Security of processing | Yes (Article 32) | Yes (Article 32) |
| Vendor/sub-processor management | Yes | Yes (with controller approval where required) |
| DSAR support (access, deletion, etc.) | Owns response | Supports per contract/instructions |
Note: Some requirements (like appointing a data protection officer (DPO) or maintaining certain RoPA details) can depend on thresholds and context. If you’re unsure, it’s common to start by documenting your processing activities, then assess role and trigger conditions against that inventory.
What type of information does the GDPR apply to?
GDPR protection extends to personal data, including certain types of pseudonymized data, but excludes truly anonymized data (and generally does not apply to information about deceased persons).
In this context, personal data means information that can identify a person—directly or indirectly. Examples include:
- Name
- ID numbers
- Location data (including device location)
- Phone number
- Email address (often)
- Payment details (often)
- Online identifiers such as cookies and IP addresses (when they can be tied to an individual)
Special categories of personal data (Article 9)
Some data types are treated as higher risk and generally require stricter protections and clearer governance. Common examples include:
- Health information
- Biometric data (in many contexts)
- Genetic data
- Information revealing racial or ethnic origin, political opinions, religious beliefs, or union membership
If your product touches special category data (or data about criminal convictions/offenses), treat it as a “scope multiplier”: it often changes your risk assessment, your DPIA expectations, and the rigor you’ll need in technical and organizational controls.
Who enforces the GDPR?
GDPR does not have a single central enforcement authority. Instead, each EU/EEA member state has a data protection authority (DPA) responsible for enforcement within its jurisdiction. DPAs commonly:
- Monitor compliance
- Provide guidance
- Investigate complaints
- Conduct audits and investigations after incidents
For cross-border issues, the European Data Protection Board (EDPB) helps coordinate and provide consistency across member states.
Does the GDPR apply to organizations outside of the EU?
Yes—GDPR can apply to organizations outside the EU/EEA when they offer goods/services to individuals in the EU/EEA or monitor their behavior (commonly summarized as GDPR’s “extraterritorial scope” under Article 3).
Two common triggers:
- Offering goods or services to EU/EEA residents (for example, EU-specific marketing, pricing, shipping, onboarding, or sales motions)
- Monitoring behavior of EU/EEA residents (for example, tracking cookies, analytics, profiling, or behavioral advertising)
One operational nuance: incidental, one-off interaction with EU/EEA data doesn’t automatically require you to be “fully GDPR-ready,” but relying on that assumption without documenting your actual processing can create blind spots. Most teams start by mapping (1) markets served, (2) analytics/tracking, and (3) where personal data flows.
UK note: This article focuses on EU GDPR. The UK GDPR is a separate legal framework post-Brexit. The regimes are similar, but enforcement and oversight are handled independently (commonly via the UK Information Commissioner’s Office).
What happens if you don’t comply with the GDPR?
Compliance is mandatory for organizations in scope. Violations can result in corrective actions (orders to change processing, suspend processing, or delete data) and substantial financial penalties.
GDPR fines depend on the nature and severity of the violation. High-level maximums are often described like this:
| Penalty tier (simplified) | Maximum fine (up to) | Example |
|---|---|---|
| Less serious infringements | €10 million or 2% of global annual turnover (previous fiscal year) | Failing to maintain appropriate records of processing |
| More serious infringements | €20 million or 4% of global annual turnover (previous fiscal year) | Failing to adhere to core data protection principles |
In addition to fines, teams commonly underestimate “hidden costs,” including:
- Legal + incident response time
- Rework (privacy by design retrofits are expensive)
- Sales friction (security reviews and DPAs stall deals)
- Vendor churn and reputational damage
The most reliable risk reducer is treating GDPR as an operating system: scope → controls → evidence → monitoring → improvement.
Turn GDPR obligations into trackable tasks with SecureSlate
GDPR work gets easier when requirements become owned workflows (not one-time docs). SecureSlate helps you operationalize privacy and compliance by centralizing controls, ownership, and audit-ready evidence.
With SecureSlate, teams commonly:
- Turn GDPR requirements into trackable tasks with clear owners and due dates
- Maintain policies and acknowledgements in one place
- Track vendors and DPAs with review cadences and evidence
- Keep RoPA/processing documentation and supporting artifacts organized for audits and customer requests
- Prove ongoing readiness with a consistent evidence trail (instead of last-minute scrambles)
Get started for free to see how SecureSlate supports GDPR readiness across your people, vendors, and systems.
FAQ
Who should comply with the GDPR?
Any organization that processes personal data relating to EU/EEA individuals may need to comply—especially if it offers goods/services to EU/EEA residents or monitors their behavior.
Does GDPR apply if my company is based in the US?
It can. Location is not the deciding factor. If you target EU/EEA residents or monitor their behavior (often via tracking/analytics), GDPR may apply.
What data is covered by GDPR?
Personal data (anything that can identify a person directly or indirectly). Certain data types—like health, biometric, or genetic data—often require stricter handling as special category data (Article 9).
Who enforces GDPR?
National data protection authorities (DPAs) in each EU/EEA member state enforce GDPR, with the European Data Protection Board (EDPB) helping coordinate cross-border consistency.
Disclaimer (legal note)
SecureSlate is not a law firm, and this article does not constitute or contain legal advice or create an attorney-client relationship. When determining your obligations and compliance with respect to relevant laws and regulations, you should consult a licensed attorney.