Compliance

GDPR (General Data Protection Regulation)

The EU's data protection regulation. Applies to any business handling personal data of EU residents, even if the business itself is outside the EU.

What it means

GDPR is the EU's data protection regulation, applicable since 25 May 2018. It governs how organisations collect, store, use, transfer, and protect the personal data of people in the EU. Its territorial scope (Article 3) turns on the data subject, not the business: it covers organisations established in the EU, and organisations outside the EU that offer goods or services to people in the EU or monitor their behaviour. A Singapore agency processing EU customers' data for marketing therefore must comply.

Core obligations: a lawful basis for every processing activity (for marketing, usually consent or legitimate interest), clear privacy notices, data subject rights (access, rectification, erasure, portability, and objection, which is absolute for direct marketing), notification of a personal data breach to the supervisory authority within 72 hours of becoming aware of it, and designation of a Data Protection Officer for organisations whose core activities involve large-scale regular monitoring or large-scale processing of special categories of data.

Why it matters

GDPR has teeth: administrative fines of up to EUR 20 million or 4 percent of worldwide annual turnover for the preceding financial year, whichever is higher. Small businesses outside the EU are in scope if they market to people in the EU.

For WhatsApp marketing specifically, GDPR is one of the reasons Meta blocks Conversions API for EU/UK/Japan audiences: compliance friction is high. If you are marketing to those regions, the tracking architecture has to be designed around GDPR from day one.

Example

A SaaS brand based in Singapore signs up customers from Germany. Even though the company has no EU presence, GDPR applies to the German customers' data because the brand is offering its service to people in the EU. The brand updates its privacy policy, adds a cookie consent banner that holds marketing tags until the visitor opts in, sets up a data-subject-request workflow, and hashes all email addresses before transmission to ad platforms. Hashing is a pseudonymisation safeguard, not a lawful basis: a SHA-256 hash of an email address is still personal data, so the transmission itself still needs consent or another lawful basis. With those pieces in place the brand operates compliantly.
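As an added illustration (not code from the original page or from any ad platform's SDK), the hashing step from the example above, followed by a check that shows why the hash does not make the data anonymous. The normalisation rule (trim, lowercase) and the function names are assumptions for this demonstration; ad platforms that accept hashed customer identifiers generally require an unkeyed SHA-256 over a normalised string so they can match it against hashes of their own users, which is exactly why anyone with a candidate list can match it too.

```python
import hashlib
from typing import Iterable, Optional

# Illustrative helpers written for this page; not an ad platform's own code.
# Assumed normalisation: trim surrounding whitespace and lowercase. Without a
# shared rule, 'Alice@Example.com' and 'alice@example.com' hash to different
# values and the platform silently fails to match them.


def normalize_email(email: str) -> str:
    """Canonicalise an address before hashing (assumed rule: strip + lowercase)."""
    return email.strip().lower()


def hash_identifier(identifier: str) -> str:
    """Return the hex SHA-256 digest of the normalised identifier.

    The digest is unkeyed on purpose: a keyed hash (HMAC) would be safer but
    the receiving platform could no longer match it against its own users.
    """
    normalised = normalize_email(identifier)
    if not normalised:
        raise ValueError("refusing to hash an empty identifier")
    return hashlib.sha256(normalised.encode("utf-8")).hexdigest()


def reverse_by_dictionary(digest: str, candidates: Iterable[str]) -> Optional[str]:
    """Show why a hashed e-mail is still personal data under GDPR.

    Anyone holding a list of plausible addresses (a marketing list, a breach
    dump) can recompute the hashes and link the digest back to a person.
    SHA-256 here is pseudonymisation, not anonymisation, so the transfer still
    needs a lawful basis.
    """
    for candidate in candidates:
        if hash_identifier(candidate) == digest:
            return normalize_email(candidate)
    return None


if __name__ == "__main__":
    # Constructed sample data for the demonstration.
    customer = "  Alice.Mueller@Example.DE "
    digest = hash_identifier(customer)
    print("value sent to the ad platform:", digest)

    # A constructed "leaked" address list: the digest is trivially re-identified.
    leaked_list = ["bob@example.com", "alice.mueller@example.de", "carol@example.org"]
    print("re-identified as:", reverse_by_dictionary(digest, leaked_list))
```

The takeaway for the tracking architecture: hashing protects the identifier in transit and at rest against casual exposure, but it does not change the GDPR analysis, so consent (or another lawful basis) must be captured before the hashed value leaves your systems.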
