
EU General Data Protection Regulation (GDPR)

IA's portal for key resources and compliance information regarding the European Union (EU) General Data Protection Regulation (GDPR)

What is the GDPR?

The European Union (EU) General Data Protection Regulation (GDPR) is a sweeping regulation that replaced the aging Data Protection Directive (95/46/EC). It (somewhat) modernized the EU's approach to privacy and data protection and (somewhat) harmonized privacy and data protection laws across the EU.

GDPR went into effect on May 25, 2018, bringing fines as large as €20 million or 4% of global turnover (whichever is higher) for non-compliance. The Regulation applies to many more companies than the old Directive, as companies established in the EU and some outside the EU fall under its scope. Notably, the Regulation applies directly to both controllers and processors of personal data. Its structure also imposes duties on affected companies and preserves certain rights for affected individuals.

Does my company have to comply with GDPR?

Does your company have a presence in the European Union?
Does your company monitor or track attitudes/behavior in the European Union?
If you answered yes to either question, it's likely your company has to comply with the GDPR.

What are the consequences of non-compliance?

Sky-high fines! The GDPR empowers Data Protection Authorities (DPAs) to impose fines as high as €20 million or 4% of global revenue (whichever is higher).


Getting Started with GDPR

Where Do I Start?

An introductory guide to understanding the core principles of the GDPR and how to begin your compliance journey.

What is the GDPR? Understanding the European Union General Data Protection Regulation

Explains the purpose, scope, and key requirements of the EU’s landmark privacy regulation.

Key Topics for Market Research and Analytics Companies

Outlines the GDPR issues most relevant to organizations handling research data and analytics.

FAQs on the EU General Data Protection Regulation

Answers the most common questions about the GDPR’s rules, responsibilities, and impacts.

EU Data Protection Guidance for Small Businesses

Offers simplified GDPR compliance advice tailored for small and medium-sized enterprises.

FAQ: Does GDPR Allow the Use of Cookies?

Discusses the compliance requirements for using cookies and tracking technologies.



Roles, Responsibilities & Legal Foundations

Do U.S. Companies Need to Appoint a Data Protection Officer (DPO)?

Clarifies when U.S.-based firms must designate a Data Protection Officer under EU law.

Are You a Data Controller or Data Processor Under GDPR and the UK Data Protection Act?

Helps determine whether your organization is a data controller or processor under EU and UK law.

Multiple Authorities in Each Country May Enforce GDPR

Describes the decentralized enforcement structure and cooperation among EU regulators.

What Is a Legal Basis for Processing Personal Data?

Describes the lawful grounds required to process personal information under the GDPR.

FAQs on Collecting and Handling Race, Ethnicity, Sex and Other Sensitive Data

Provides guidance on collecting sensitive demographic data ethically and lawfully.


Cross-Border Data Transfers

Transferring Data Across Borders Under the EU’s Protective Regulation

Explains the mechanisms and safeguards required for lawful international data transfers.

Model Form for Consent for Personal Data Capture and Data Transfer

Provides a sample form template to document proper consent for data use and international transfer.

New EU Standard Contractual Clauses for Data Transfer to the U.S.

Summarizes updates to SCCs and how they affect cross-border data transfers.

EU-U.S. Data Privacy Framework Finally Live for Trans-Atlantic Data Transfers

Explains that the new program providing the U.S. insights industry with legal certainty for trans-Atlantic data sharing is live, replacing the invalidated Privacy Shield.

EU-U.S. Data Privacy Framework Survives European Court Challenge

The European Court of Justice (CJEU) recently dismissed a case brought against the new mechanism for trans-Atlantic data transfers, the EU-U.S. Data Privacy Framework (DPF). Insights work can continue unimpeded as a result.

This information is not intended and should not be construed as or substituted for legal advice. It is provided for informational purposes only. It is advisable to consult with private counsel on the precise scope and interpretation of any laws/regulation/legislation and their impact on your particular business.
