The GDPR Essential Collection
Foreword by Robert Bateman:
Few laws divide opinion like the GDPR. The EU's best-known regulation has changed how thousands of organisations do business and provided stronger rights for hundreds of millions of people.
But the law has also caused significant disruption.
Some companies are feeling the walls close in as they cling to intrusive, data-hungry practices. But others—despite investing considerable time and money into trying to comply with the law—still find the rules hard to navigate.
I've been writing about the GDPR for around seven years, and I've covered every aspect in considerable depth. The deeper you go, the more complicated the law can seem. And with new regulatory decisions and court judgments arriving every week, the complexity is only growing.
But if you write enough words on the subject, it becomes possible to explain the GDPR's rules and principles in an accessible and practical way.
These articles provide GDPR guidance for organisations that want to get data protection and privacy right. Integrating these concepts into the core of your business can bring huge benefits and create long-term resilience. But you'll need a clear understanding of how and why your company collects personal data—and whether your operations meet the GDPR's requirements.
Don't let anyone tell you that data protection and privacy are simple. Illegal use of personal data is common in the data-driven online economy. Virtually every internet user is tracked, profiled, and commoditised daily, often without their knowledge and usually without their consent.
But the tide is turning. With new privacy laws and digital regulations passing every year, businesses can gain a competitive advantage by taking a proactive approach to data protection. Plus—respecting people's rights and privacy is the right thing to do.
Robert is an expert in privacy, data protection, and tech policy, known for his in-depth research, approachable writing, and interviews with industry leaders. His work spans GDPR, AI regulation, digital rights, and security, making him a trusted guide in navigating the complexities of data and technology regulations worldwide.

How (and Whether) GDPR Enforcement Works
Is GDPR enforcement working? This article explores the GDPR’s enforcement mechanisms and considers the differing approaches of regulators across Europe.

GDPR: How and When to Use Data Transfer Derogations
The GDPR provides strict rules dictating how and when personal data can be transferred to a person in a country outside of Europe.

Is Google Analytics Now Legal in the EU? Not Necessarily…
EEA companies can transfer data to companies under the EU-US Data Privacy Framework. Is Google Analytics legal then?

Frequently Asked Questions about the New EU-US Data Privacy Framework
Can European organisations trust the EU-US Data Privacy Framework? Is it wise to rely on EU-US DPF in the long term?

Content Delivery Networks (CDNs) and the GDPR
Is your global Content Delivery Network GDPR compliant? The answer might be more complicated than you think!

Data Protection By Design and By Default: How It Works In Practice
Many GDPR fines arise from organizations failing to implement Data Protection By Design and By Default correctly. Using Microsoft 365? You might have failed!

Three Lessons on Subject Access Requests From the CJEU in 2023
The right of access existed decades before the GDPR, but the CJEU is still answering questions about how it works.

How to Record Consent Under GDPR
You must be able to demonstrate that you’ve obtained people’s consent. Learn how to do it in a compliant way.

Dark Patterns: 10 Examples of Manipulative Consent Requests
While not always illegal, "dark patterns" are deceptive user interfaces that trick people into acting against their best interests.

What Is Consent Under the GDPR?
Do you need to ask for consent? Should you? The subject of collecting consent under GDPR is not trivial. We can help.

Is Google reCAPTCHA GDPR Compliant?
The French data protection authority, CNIL, sanctioned a company for using Google reCAPTCHA. Does it mean that reCAPTCHA is illegal?

What is Legitimate Interests Under the GDPR
Legitimate interests might be the GDPR’s most poorly understood concept. Let's try to clarify with some concrete examples.

Email Marketing in Europe: How to Comply With the Law
A good email marketing campaign can greatly benefit your company and your customers, but when is sending email legal? Do you need prior consent?

Is Google Analytics Illegal Under the GDPR? What You Need to Know
DPAs across Europe express their dissatisfaction with Google Analytics and its insufficient privacy controls.

Standard Contractual Clauses: The Definitive Guide
Can you rely on SCCs for international data transfers? What's the impact of Schrems II on SCCs? Can you use SCCs to secure data transfers to AWS?

What Is the Purpose of a Privacy Impact Assessment?
A privacy impact assessment mitigates the risks of using personal data. It is vital for businesses to reduce risk.