General Data Protection Regulation (GDPR) has major implications for how companies can handle European Union (EU) consumers’ personal data.

Companies that fail to comply with GDPR can be fined up to €20M or 4% of their annual revenue for the previous fiscal year, whichever is greater.

Learning about GDPR enforcement can help you understand and reduce your compliance risk. Keep reading to learn when the law went into effect and who enforces it. 

When did GDPR go into effect?

GDPR went into effect on May 25, 2018. 

GDPR was first adopted by the European Parliament and European Council in April 2016, but member states of the EU were given a two-year grace period before enforcement began.

In this time period, member states could make small changes to meet their needs. But they were expected to ensure the GDPR was fully implementable in their countries by May 25, 2018. 

By this date, organizations that process the personal data of or offer goods/services to EU residents were expected to be GDPR compliant.

Who enforces GDPR?

Data protection authorities from each of the 27 EU member states enforce GDPR. Data protection authorities are independent of the government and have both investigative and corrective powers to monitor the application of GDPR and address non-compliance.

Their responsibilities include investigating complaints, providing expert advice on data protection issues, and determining when the GDPR has been breached. They may also issue fines. 

All data protection authorities work together as a group on the European Data Protection Board (EDPB). The EDPB’s objective is to ensure that GDPR enforcement is consistent across the EU.

EDPB does not enforce the data protection law. Instead, it provides data protection authorities with general guidance on the key concepts of the law. It also advises the European Commission on data protection and privacy legislation or issues.


How is GDPR enforced?

GDPR is enforced by independent national DPAs from the 27 EU member states. They investigate complaints, determine when GDPR has been breached, and may also issue fines depending on the severity of the GDPR violation.

Can GDPR be enforced in the US?

Yes, GDPR can be enforced in the US since it applies to any organization that targets or collects data from EU residents. That means companies in the US that fall within the scope of GDPR can still face fines and legal penalties for failing to comply.

Who enforces GDPR fines?

GDPR fines are enforced by the data protection regulator in the EU country where the complaint was lodged (or, in cases that involve cross-border processing of personal data, where the entity under investigation is established).