The General Data Protection Regulation (GDPR) is a comprehensive privacy law that governs how organizations collect, process, and store personal data of individuals in the European Union. Since its enforcement in May 2018, GDPR has become the global benchmark for data protection legislation and influences privacy regulations worldwide.
Who GDPR applies to
GDPR has broad territorial scope. It applies to your organization if:
Establishment in the EU
You have any establishment (office, subsidiary, or branch) in the EU, regardless of whether the data processing takes place there.
Offering goods or services to EU residents
You offer goods or services to individuals in the EU, even if your organization is based elsewhere. This includes free services if you’re targeting EU users.
Monitoring behavior of EU residents
You monitor the behavior of individuals in the EU—such as tracking website visitors or profiling users for advertising purposes.
GDPR applies based on where the individuals are located, not their citizenship. An American tourist in Paris has GDPR protections while in the EU.
Key definitions
Understanding GDPR requires familiarity with its specific terminology:
| Term | Definition |
|---|---|
| Personal data | Any information relating to an identified or identifiable natural person. This includes names, email addresses, IP addresses, location data, and online identifiers. |
| Data subject | The individual whose personal data is being processed. |
| Data controller | The entity that determines the purposes and means of processing personal data—essentially, the decision-maker about what data to collect and why. |
| Data processor | An entity that processes personal data on behalf of a controller. Processors act on instructions from controllers. |
| Processing | Any operation performed on personal data, including collection, storage, use, transmission, and deletion. |
Organizations often act as both controllers and processors depending on the context. When you decide what customer data to collect, you’re a controller. When you process data on behalf of a client according to their instructions, you’re a processor.
Core principles
GDPR establishes seven principles that govern all personal data processing:
Lawfulness, fairness, and transparency
Processing must have a valid legal basis, must not be deceptive or harmful, and individuals must be informed about how their data is used.
Purpose limitation
Data must be collected for specified, explicit, and legitimate purposes. You cannot repurpose data for unrelated uses without additional consent or legal basis.
Data minimization
Only collect and process data that is necessary for your stated purposes. Avoid collecting data “just in case” it might be useful later.
Accuracy
Personal data must be accurate and kept up to date. Inaccurate data should be corrected or deleted without delay.
Storage limitation
Data should be kept only as long as necessary for the purposes it was collected. Establish retention periods and delete data when no longer needed.
Integrity and confidentiality
Data must be processed securely, with appropriate technical and organizational measures to protect against unauthorized access, loss, or damage.
Accountability
Organizations must demonstrate compliance with all principles. This means maintaining records, conducting assessments, and being able to prove you’re following the rules.
Data subject rights
GDPR grants individuals significant control over their personal data:
Individuals must receive clear information about who is processing their data, why, and how—typically through privacy notices.
Right of access
Individuals can request a copy of their personal data and information about how it’s being processed.
Right to rectification
Individuals can request correction of inaccurate or incomplete personal data.
Right to erasure (“right to be forgotten”)
Individuals can request deletion of their personal data in certain circumstances, such as when the data is no longer necessary or when they withdraw consent.
Right to restrict processing
Individuals can request that processing be limited while disputes about accuracy or lawfulness are resolved.
Right to data portability
Individuals can receive their data in a structured, machine-readable format and transfer it to another controller.
Right to object
Individuals can object to processing based on legitimate interests or for direct marketing purposes.
Individuals can request human review of significant decisions made solely by automated processing, including profiling.
Legal bases for processing
GDPR requires a valid legal basis for any processing of personal data. The six legal bases are:
| Legal basis | When to use |
|---|---|
| Consent | The individual has given clear, informed consent for a specific purpose. Must be freely given, specific, informed, and unambiguous. |
| Contract | Processing is necessary to fulfill a contract with the individual or to take steps at their request before entering a contract. |
| Legal obligation | Processing is necessary to comply with a legal requirement. |
| Vital interests | Processing is necessary to protect someone’s life. Rarely applicable in commercial contexts. |
| Public task | Processing is necessary to perform an official function or task in the public interest. Primarily for public authorities. |
| Legitimate interests | Processing is necessary for your legitimate interests, provided these aren’t overridden by the individual’s rights. Requires a balancing test. |
Consent is not always the best legal basis. If you cannot genuinely offer a choice or would continue processing regardless of consent, consider whether contract or legitimate interests is more appropriate.
Compliance requirements
Organizations subject to GDPR must implement various measures:
Privacy notices
Provide clear, accessible information about your data processing activities at the point of data collection.
Records of processing
Maintain detailed records of all processing activities, including purposes, data categories, recipients, and retention periods.
Data Protection Impact Assessments (DPIAs)
Conduct assessments for high-risk processing activities, such as large-scale profiling or processing sensitive data.
Data Protection Officer (DPO)
Appoint a DPO if you’re a public authority, conduct large-scale monitoring, or process sensitive data at scale.
Data Processing Agreements (DPAs)
Establish written contracts with any processors that handle personal data on your behalf, specifying their obligations.
Breach notification
Report personal data breaches to supervisory authorities within 72 hours and notify affected individuals when there’s high risk to their rights.
Cross-border transfers
Implement appropriate safeguards when transferring personal data outside the EU, such as Standard Contractual Clauses (SCCs) or binding corporate rules.
Enforcement and penalties
GDPR is enforced by Data Protection Authorities (DPAs) in each EU member state. Penalties for non-compliance can be significant:
- Lower tier: Up to 10 million EUR or 2% of global annual turnover for violations of technical requirements
- Upper tier: Up to 20 million EUR or 4% of global annual turnover for violations of core principles and data subject rights
Beyond fines, DPAs can issue warnings, reprimands, and orders to cease processing—which can effectively shut down data-dependent business operations.