Everything you need to understand and meet the EU General Data Protection Regulation — from the 7 principles and lawful bases to data subject rights, international transfers and a clean compliance programme. Practical playbooks, checklists and templates, organized by where you are in the journey.
GDPR (the General Data Protection Regulation) is the European Union’s data protection law — Regulation (EU) 2016/679 — in force since 25 May 2018. It governs how organisations collect, use, store and protect the personal data of people in the EU and EEA, built on seven core principles and a set of data subject rights. GDPR compliance means processing personal data lawfully, fairly and transparently — with a valid lawful basis, strong security, and the records to prove it. It is extraterritorial, so it reaches organisations worldwide that serve or monitor people in the EU. This hub brings together everything you need to understand and achieve GDPR compliance.
Search the full hub, or filter by experience level. Every guide is written by data-protection practitioners who implement GDPR for real businesses.
I'm… tap one and we'll tailor the guides for you
Or jump to a topic
No guides match your search. Try a different term.
Territorial scope and who is actually in scope.
BeginnerWhether business contact data is covered.
BeginnerSupervisory authorities and the EDPB explained.
BeginnerHow much you can be fined, and why.
What changed for the UK after Brexit.
BeginnerGDPR and California’s CCPA compared.
BeginnerHow GDPR differs for health data.
BeginnerWhy “PII” and “personal data” aren’t the same.
IntermediateHow GDPR maps to ISO 27001 & 27701.
IntermediateWhether you need both GDPR and SOC 2.
What counts as personal data, in detail.
BeginnerSensitive data and the extra rules around it.
BeginnerThe six lawful bases and when to use each.
BeginnerWhat valid, GDPR-grade consent looks like.
BeginnerTwo techniques, very different legal effects.
IntermediateHow long you can keep personal data.
IntermediateBuilding privacy in by default (Article 25).
The eight rights individuals hold over their data.
BeginnerErasure requests and when they apply.
IntermediateHow to handle DSARs within the deadline.
Who decides, who processes, who’s liable.
AdvancedShared responsibility between controllers.
IntermediateWhen a DPO is mandatory.
IntermediateArticle 30 records, with a template.
IntermediateRunning a Data Protection Impact Assessment.
A complete overview of what GDPR requires.
IntermediateA free, practical compliance checklist.
IntermediateA step-by-step path to compliance.
IntermediateThe 72-hour breach notification rule.
AdvancedKeeping compliance current, year-round.
DPAs explained, with a template.
AdvancedSCCs for lawful international transfers.
IntermediateTransferring data to the US under the DPF.
IntermediateWhen you need an EU or UK representative.
AdvancedManaging vendors and sub-processors.
IntermediateRules and mechanisms for moving data abroad.
What US companies need to know.
IntermediateGDPR essentials for SaaS businesses.
IntermediateGDPR for healthcare organisations.
IntermediateA practical guide for small teams.
IntermediateRules for compliant B2B outreach.
Article 5 sets out the seven principles behind every GDPR obligation. Hover or tap a panel to expand it — swipe on mobile.
Process data only with a valid legal basis, never deceptively, and tell people clearly what you do with their data.
Deep dive →Collect data for specified, explicit purposes — and don’t reuse it in incompatible ways.
Deep dive →Collect only the personal data you actually need. Nothing “just in case.”
Deep dive →Keep personal data correct and up to date; fix or erase what’s wrong without delay.
Deep dive →Keep data only as long as you need it, then delete or anonymise it.
Deep dive →Protect data with appropriate security — encryption, access controls and resilience.
Deep dive →Be able to demonstrate compliance with every principle through records and evidence.
Deep dive →GDPR splits responsibility between the controller and the processor. Here’s how the two roles compare side by side.
Decides the why and how of processing.
Processes data on the controller’s behalf.
Accountability means you must prove compliance. Here are core GDPR obligations and the records a regulator or auditor expects.
Evidence regulators expect
Evidence regulators expect
Evidence regulators expect
Evidence regulators expect
Evidence regulators expect
Evidence regulators expect
A rough first-year ballpark for your GDPR programme. Adjust the inputs — the estimate updates instantly. For a precise quote, book a free assessment.
Estimated first-year cost
Growth-stage · moderate footprint · tooled
Estimates are directional planning ranges, not a quote. Year 2+ costs are typically lower.
Trusted by 200+ Global Enterprise Clients
What Your Business Gets
No obligation · Results in 48 hours · 100% confidential
Pick a time that works for you
Our team responds within 24 hours
ISpectra guides organisations from first data-mapping to demonstrable GDPR compliance — gap assessment, policies, security, rights and breach readiness, all in one program.
