GDPR compliance starts with knowing which personal data you process, why you process it, which lawful basis supports each activity, and how you prove accountability. The six lawful bases are consent, contract necessity, legal obligation, vital interests, public task, and legitimate interests. Most business processing depends on contract necessity, legal obligation, or legitimate interests, not consent. A compliant company maps data flows, updates privacy notices, respects data subject rights, controls processors through data processing agreements, secures data, manages cross-border transfers, and keeps evidence of every material decision.
This article is part of the Data Privacy & KVKK pillar. Use the pillar page to explore the full topic cluster and related Kurums Law guides.
The General Data Protection Regulation is the reference point for modern privacy law. Even companies outside the European Union study GDPR because it shaped the language used by regulators, customers, investors, vendors, and data protection teams around the world. Yet many businesses still treat GDPR as a website privacy policy project. That is too narrow. GDPR is an operating framework for personal data governance.
This guide explains GDPR from a business implementation perspective. It sits under the broader Kurums pillar on data privacy law, GDPR, KVKK, CCPA, and cross-border compliance inside the Kurums Law department. The focus here is the practical legal architecture: lawful basis, transparency, accountability, rights, processors, security, transfers, breach response, and the mistakes that create avoidable exposure.
Key Takeaways
Does GDPR apply outside Europe?
Yes, in some cases. GDPR can apply to non-EU companies that offer goods or services to people in the EU/EEA or monitor their behavior, such as through targeted advertising, analytics, or profiling.
Is consent always required?
No. Consent is only one of six lawful bases. Many routine business activities rely on contract necessity, legal obligation, or legitimate interests instead.
What is accountability?
Accountability means the organization must not only comply with GDPR, but also be able to prove compliance through records, policies, assessments, contracts, logs, and governance evidence.
What is the most common mistake?
Treating GDPR as a legal-document exercise instead of a data-flow exercise. Privacy notices are important, but they must accurately reflect real processing.
When does GDPR apply to a business?
GDPR applies when an organization is established in the EU/EEA or when a non-EU organization offers goods or services to people in the EU/EEA or monitors their behavior. The regulation is therefore not limited to companies physically located in Europe.
A SaaS company in the United States with EU customers, an e-commerce store shipping to Germany, a Turkish consultancy serving EU employees of a client, or a mobile app tracking EU users for analytics may all need to assess GDPR exposure. The analysis is factual. A website being technically accessible from Europe is usually not enough by itself; targeted sales, pricing in euros, EU-language content, local shipping, advertising aimed at EU audiences, or behavioral tracking of EU users can change the position.
What personal data does GDPR protect?
GDPR protects personal data, meaning any information relating to an identified or identifiable natural person. The definition is broad. It covers obvious identifiers such as name, email address, phone number, ID number, and home address, but also less obvious identifiers such as IP addresses, cookie IDs, device identifiers, employee numbers, location data, CRM notes, support tickets, and behavioral profiles.
Special category data receives stronger protection. This includes health data, biometric data used for identification, genetic data, political opinions, religious beliefs, trade union membership, racial or ethnic origin, and sex life or sexual orientation. Criminal-offense data is also subject to specific controls. Businesses should identify these categories separately in their data inventory because they usually require stricter lawful basis analysis and access controls.
What are the six lawful bases under GDPR?
The six lawful bases in Article 6(1) are consent, necessity for a contract with the individual, compliance with a legal obligation, protection of vital interests, performance of a public task, and legitimate interests. Every processing activity needs one of them before the processing begins, and special category data additionally needs one of the specific conditions in Article 9. The lawful basis must match the real purpose and context of the processing. Changing the basis later is possible only in limited circumstances and can create credibility problems if the original assessment was careless.
How should a company choose between consent and legitimate interests?
Consent is appropriate when the individual has a genuine free choice, while legitimate interests is appropriate when the business has a real interest that is not overridden by the individual’s rights and expectations. Both require discipline, but they fail for different reasons.
Consent fails when it is bundled, hidden, vague, pre-ticked, difficult to withdraw, or treated as mandatory for a non-essential purpose. Legitimate interests fails when the company never completes the balancing test, ignores reasonable expectations, processes sensitive data casually, or uses it for intrusive tracking. The safest approach is not to pick the basis that sounds easiest; it is to pick the basis that honestly fits the processing.
What rights do individuals have under GDPR?
GDPR gives individuals a set of data rights that businesses must be ready to handle within defined timeframes: as a rule, a response is due without undue delay and within one month of receipt, extendable by a further two months for complex or numerous requests if the individual is told why within the first month. These rights include access, rectification, erasure, restriction, portability, objection, and rights relating to automated decision-making.
The operational challenge is identity, scope, search, exemptions, deadlines, and evidence. A company should not disclose data to the wrong person, but it also cannot ignore a valid request because searching systems is inconvenient. The workflow should define who receives requests, how identity is verified, which systems are searched, who approves exemptions, how responses are logged, and how the company proves completion.
What is GDPR accountability?
Accountability means the controller is responsible for compliance and must be able to demonstrate it. In practice, this is where GDPR becomes a governance system. A privacy notice without supporting records is weak evidence. Regulators expect to see policies, records of processing, data protection impact assessments, vendor contracts, security documentation, breach logs, training evidence, retention schedules, and decision records.
Infographic: GDPR Compliance Stack
Data inventory -> Lawful basis -> Privacy notices -> Rights workflow -> DPA/vendor controls -> Transfer safeguards -> Security controls -> Breach response -> Audit evidence
What contracts does GDPR require with vendors?
When a processor handles personal data on behalf of a controller, GDPR requires a data processing agreement with mandatory terms. The agreement must define the subject matter, duration, nature, purpose, data categories, data subjects, and obligations of the processor. It must also address instructions, confidentiality, security, sub-processors, assistance with rights requests, deletion or return, audits, and breach notification.
This is why procurement and legal must work together. A vendor can create GDPR risk even when its product is operationally excellent. CRM systems, payroll providers, cloud hosting, marketing automation, analytics tools, outsourced support, HR platforms, and AI tools should all be reviewed for processor status and transfer risk. For a deeper contract view, see the supporting guide planned for data processing agreements, controllers, processors, and SCCs.
How does GDPR handle international transfers?
GDPR restricts transfers of personal data outside the EEA unless the destination or arrangement provides an adequate level of protection. Common mechanisms include adequacy decisions, Standard Contractual Clauses, Binding Corporate Rules, and limited derogations.
International transfer analysis is not limited to where the server is located. Remote access from outside the EEA can also matter. A European customer database hosted in the EU but accessed by support staff in another country may create a transfer. Businesses should map hosting, support, analytics, group-company access, backups, and sub-processors before choosing the transfer mechanism.
What should a GDPR breach response include?
A GDPR breach response should determine what happened, what data was affected, who was affected, whether risk exists, whether notification is required, and what remediation is needed. Unless the personal data breach is unlikely to result in a risk to individuals, the controller must notify the supervisory authority without undue delay and, where feasible, within 72 hours after becoming aware of it; a late notification must explain the delay. Where the breach is likely to result in a high risk, the affected individuals must also be informed without undue delay. A processor that discovers a breach must notify the controller without undue delay, so the 72-hour clock makes processor contracts and monitoring part of breach readiness.
The response team should include legal, security, IT, communications, customer support, and the business owner of the affected system. The company should preserve evidence, avoid premature admissions, document the risk assessment, and coordinate contractual notifications to customers or partners. See the planned supporting guide on data breach notification and response planning.
GDPR implementation checklist for businesses
- Build and maintain a record of processing activities.
- Assign a lawful basis for each processing purpose.
- Update customer, employee, applicant, vendor, and website privacy notices.
- Create a data subject rights workflow with identity checks and response logs.
- Review processors and sign GDPR-compliant data processing agreements.
- Map international transfers and implement transfer mechanisms.
- Define retention periods and deletion routines.
- Review cookie and tracking tools for consent requirements.
- Run DPIAs for high-risk processing.
- Prepare a breach response plan and test it.
Related Guides
- Data Privacy Law: GDPR, KVKK, CCPA, and Cross-Border Compliance: the master pillar for privacy compliance architecture.
- KVKK Compliance: Turkish Data Protection Rules: how Turkish privacy law compares with GDPR in practice.
- Cookie Consent and Tracking Laws: website consent, analytics, pixels, and adtech sharing controls.