The General Data Protection Regulation (GDPR) is the EU’s foundational privacy law, applying since 25 May 2018 and governing how personal data of individuals in the EU/EEA is collected, used, stored, and shared. For legal teams, GDPR has two angles: (a) the team’s own data processing (employee data, vendor contacts, client records), and (b) advisory work for clients on GDPR compliance. The UK GDPR is substantially identical post-Brexit; other regimes (Brazilian LGPD, California CCPA/CPRA, Canadian PIPEDA) borrow much of the same vocabulary (access and deletion rights, vendor contract terms), though their structure and scope differ.
Personal data and the six lawful bases
GDPR defines personal data broadly: any information relating to an identified or identifiable living person. Names, email addresses, IP addresses, device and cookie identifiers, employee IDs, photos, and voice recordings all qualify, and pseudonymised data remains personal data for as long as a key exists that can re-identify the individual.
Processing requires one of six lawful bases:
| Basis | Typical use |
|---|---|
| Consent | Marketing, optional features |
| Contract performance | Customer data needed to deliver service |
| Legal obligation | Tax records, regulatory reporting |
| Vital interests | Emergency life-or-death (rare) |
| Public task | Government processing |
| Legitimate interests | B2B sales, security, fraud prevention — balanced against data subject rights |
Most B2B legal-team data processing relies on legitimate interests (vendor management, security monitoring, some employee records) or contract performance (client services, payroll), with legal obligation covering statutory retention. Legitimate interests requires a documented balancing test showing the processing is necessary and does not override the individual’s rights. Consent is over-relied upon and frequently invalid: it must be specific, informed, freely given, unambiguous, and as easy to withdraw as to give, and it is rarely valid for employee data because of the imbalance of power between employer and employee.
The eight data subject rights
GDPR creates rights individuals can exercise against the controller (the right to be informed, delivered proactively through privacy notices rather than on request, sits alongside these):
- Access — confirmation that data is being processed and a copy of it, together with the purposes, recipients, retention period and source
- Rectification — correction of inaccurate data and completion of incomplete data
- Erasure (“right to be forgotten”) — deletion in defined circumstances (data no longer needed, consent withdrawn, processing unlawful); not absolute where a legal obligation or a legal claim requires retention
- Restriction — processing frozen to storage only while accuracy or an objection is in dispute
- Portability — data the individual provided, in a structured, commonly used, machine-readable format, transmitted to another controller on request; applies only to automated processing based on consent or contract
- Objection — to processing based on legitimate interests or public task, which must stop unless the controller shows compelling grounds; objection to direct marketing is absolute
- Automated decision-making — not to be subject to a decision based solely on automated processing, including profiling, that has legal or similarly significant effects, outside narrow exceptions
- Withdraw consent — at any time where consent was the basis, without affecting the lawfulness of earlier processing
Legal teams need a documented workflow for each request type. The deadline is one month from receipt, extendable by up to two further months only where requests are complex or numerous, and the individual must be told of any extension within the first month. A request can arrive in any form and through any part of the organization, so intake routing matters as much as the response itself.
International data transfers
Personal data can leave the EEA only with appropriate safeguards (Chapter V of the GDPR). The available mechanisms in 2026:
- Adequacy decisions — country-by-country EU determinations that the destination offers essentially equivalent protection, so no further mechanism is needed. Currently includes the UK, Switzerland, Israel, Japan, Canada (commercial organizations only), South Korea, and the US (only for organizations certified under the EU-US Data Privacy Framework), among others.
- Standard Contractual Clauses (SCCs) — Commission-approved contract terms imposing GDPR-equivalent obligations on the data importer. The current modular set dates from June 2021; the older 2001/2004/2010 sets could not be used for new contracts after September 2021, and existing contracts had to be migrated by 27 December 2022.
- Binding Corporate Rules (BCRs) — for intra-group transfers within multinational organizations; require approval by the lead supervisory authority.
- Specific derogations (Article 49) — narrow, occasional exceptions: explicit consent to the specific transfer after being told of the risks, necessity for a contract with the individual, important public interest, legal claims. Not a basis for routine, systematic transfers.
Post-Schrems II (CJEU, July 2020), transfers under SCCs or BCRs require a Transfer Impact Assessment (TIA) documenting the destination country’s surveillance laws and government access regime, plus supplementary measures (for example encryption with keys held in the EEA) where that law undermines the contractual protections. Adequacy-covered transfers need no TIA, and derogations do not use one.
What legal teams handle directly
Three workflows that fall on Legal Ops:
- Vendor and processor management. An Article 28 data processing agreement (DPA) with every vendor processing personal data on the team’s behalf, subprocessor flow-down with notice-and-objection rights, and documentation of the transfer mechanism for each vendor outside the EEA.
- Data subject request response. Logging DSARs from any channel, verifying identity proportionately (no demand for more ID than the request warrants), gathering data across systems including email and collaboration tools, reviewing for exemptions (legal privilege, third-party personal data, manifestly unfounded or excessive requests), and responding within the one-month deadline.
- Breach notification. A personal data breach must be reported to the supervisory authority within 72 hours of the team becoming aware of it, unless it is unlikely to result in a risk to individuals; a processor vendor must notify the team without undue delay, and the 72-hour clock starts when the team learns of it. Individuals must be told without undue delay where the breach is likely to result in a high risk to them. Every breach, notified or not, is recorded in the internal breach register.
Common pitfalls
- Treating GDPR as a one-time project. Initial compliance work is finite; ongoing operations (DSARs, vendor onboarding, breach handling) are continuous.
- Wrong lawful basis selection. Many companies cite “consent” when “legitimate interests” is the actual basis, or rely on consent that was never valid. Processing without a valid basis is unlawful, and regulators do not allow a controller to swap to another basis after the fact when consent fails, so the basis has to be right before processing starts.
- Ignoring transfer mechanism updates. SCCs were replaced in 2021 and the transition period ended in December 2022; many existing DPAs still reference the old sets and therefore provide no valid mechanism at all. Re-paper required, with a TIA for each transfer.
- No DSAR response process. When the first DSAR arrives, teams without process scramble. Build the playbook before the request.
- Missing legal-privilege exemption analysis. Privileged attorney-client communications can be exempt from DSAR disclosure (under Schedule 2 of the UK Data Protection Act 2018, and under Member State restrictions adopted under Article 23 in the EU); without analysis, teams over-disclose privileged material or under-disclose data they were obliged to provide.
- Conflating GDPR with the EU AI Act. Different regimes with different obligations; both apply when an AI system processes personal data, and satisfying one does not satisfy the other.
Related
- DPA checklist — vendor contract terms required by GDPR
- EU AI Act for legal teams — adjacent regulatory regime that intersects
- Vendor due diligence workflow — process where GDPR vendor compliance gets checked
- What is Legal Ops? — function that owns GDPR operations alongside privacy/DPO