International Standard · Mandatory (extraterritorial) · Regulation (EU) 2016/679 — applicable since 25 May 2018

GDPR: EU General Data Protection Regulation

Regulation (EU) 2016/679 — General Data Protection Regulation — issued by the European Parliament and the Council of the European Union.

Legal instrument: Regulation (EU) 2016/679
Applicable since: 25 May 2018
Articles: 99 articles, 173 recitals
Maximum fine: €20 million or 4% of global annual turnover (whichever is higher)
Breach notification: within 72 hours to the supervisory authority
Extraterritorial reach: applies wherever the personal data of EU data subjects is processed
OVERVIEW

What is GDPR?

The General Data Protection Regulation (GDPR) is the European Union's comprehensive data protection law, applicable since 25 May 2018. It applies extraterritorially to any organisation — regardless of where it is established — that processes the personal data of individuals located in the EU, either by offering goods or services to them or by monitoring their behaviour. This makes GDPR a global concern for any Qatar organisation with EU customers, employees, or users.

GDPR is built on seven principles (lawfulness/fairness/transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, accountability) and recognises six lawful bases for processing (consent, contract, legal obligation, vital interests, public task, legitimate interests). It establishes enhanced data subject rights — including the right of access, rectification, erasure ('right to be forgotten'), restriction, portability, and objection — and imposes strict obligations on controllers and processors regarding security, breach notification (within 72 hours), Data Protection Impact Assessments, and (for qualifying organisations) the appointment of a Data Protection Officer.

GDPR's penalty regime is famously consequential: up to €20 million or 4% of total worldwide annual turnover, whichever is higher. Notable enforcement actions have included fines exceeding €1 billion, making GDPR one of the most heavily-enforced data protection regimes globally.

APPLICABILITY

Who must comply with GDPR?

  • Any organisation established in the EU that processes personal data
  • Any organisation outside the EU offering goods or services to individuals in the EU
  • Any organisation outside the EU monitoring the behaviour of individuals in the EU
  • Joint controllers and processors are jointly liable for compliance
  • Qatar-based exporters, e-commerce, SaaS, and travel operators with EU customers
CONTROL DOMAINS

GDPR structure at a glance

The GDPR framework is organised into the following control areas. Vantage GRC pre-maps each one so evidence collected once contributes to your compliance picture across overlapping frameworks.

Seven Principles (Article 5)

Lawfulness, fairness and transparency
Purpose limitation
Data minimisation
Accuracy
Storage limitation
Integrity and confidentiality (security)
Accountability

Data Subject Rights (Articles 12-22)

Right of access
Right to rectification
Right to erasure ('right to be forgotten')
Right to restriction of processing
Right to data portability
Right to object (incl. automated decision-making)

Controller & Processor Obligations

Records of Processing Activities (Article 30)
Data Protection Impact Assessments (Article 35)
Data Protection Officer appointment (Article 37)
Security of processing (Article 32)
Breach notification within 72 hours (Articles 33-34)
Cross-border transfer safeguards (Chapter V)
KEY REQUIREMENTS

What GDPR requires you to do

  1. Identify a lawful basis for every processing activity (most commonly consent, contract, legal obligation, or legitimate interests).
  2. Maintain Records of Processing Activities (RoPA) covering categories of data, processing purposes, retention, and recipients.
  3. Conduct Data Protection Impact Assessments (DPIAs) for high-risk processing.
  4. Appoint a Data Protection Officer where required (public bodies, large-scale special-category processing, large-scale monitoring).
  5. Implement appropriate technical and organisational security measures.
  6. Notify supervisory authorities of breaches within 72 hours; notify data subjects without undue delay where rights are at risk.
  7. Use approved transfer mechanisms (SCCs, BCRs, adequacy decisions) for personal data leaving the EU/EEA.
HOW VANTAGE HELPS

Vantage's approach to GDPR

Vantage GRC includes a pre-built GDPR control library covering Article 30 RoPA, Article 35 DPIA workflows, lawful basis tracking, data subject rights request management, breach notification routing, and cross-border transfer impact assessments. The library is mapped against Qatar PDPPL so that organisations subject to both regimes can maintain a single privacy programme that satisfies the stricter requirement on each dimension. This is particularly valuable for Qatar exporters, SaaS vendors, and travel/hospitality operators with EU customer bases.

FAQ

GDPR questions

Does GDPR apply to my Qatar-based business?

If you offer goods or services to individuals located in the EU (paid or free) or monitor their behaviour (e.g. via cookies, analytics, or behavioural advertising), GDPR applies regardless of where your business is established. Many Qatar e-commerce, SaaS, hospitality, and travel businesses are within scope.

What are the maximum GDPR penalties?

Up to €20 million or 4% of total worldwide annual turnover, whichever is higher, for the most serious infringements (e.g. violations of basic principles or data subject rights). Less serious infringements carry penalties up to €10 million or 2% of turnover. Notable enforcement actions have exceeded €1 billion.

How does GDPR differ from Qatar PDPPL?

GDPR recognises six lawful bases for processing (PDPPL is primarily consent-based), uses percentage-of-turnover penalties (PDPPL uses fixed QAR ranges), and includes the right to erasure and data portability (PDPPL is more limited). However, both share core principles around purpose limitation, data minimisation, security, and breach notification within 72 hours.

Do we need to appoint a Data Protection Officer?

DPO appointment is mandatory if you are a public body, your core activities involve large-scale systematic monitoring of individuals, or your core activities involve large-scale processing of special categories of data. Many organisations appoint a DPO voluntarily as best practice.

Ready to operationalise GDPR compliance?

Talk to a Vantage GRC consultant about your GDPR programme — pre-mapped controls, evidence management, and audit-ready dashboards. Doha-based.
