The General Data Protection Regulation, commonly known as GDPR, is one of the most significant pieces of legislation affecting how businesses handle personal data. Since it took effect in May 2018, it has reshaped data protection practices not just in Europe, but around the world. If your business collects any data from European residents, GDPR likely applies to you.
What GDPR Is and Where It Comes From
GDPR is a regulation enacted by the European Union that establishes rules for how organizations collect, store, use, and protect personal data of individuals within the EU. It replaced the 1995 Data Protection Directive and became enforceable on May 25, 2018.
The regulation was created with a dual purpose: to give individuals more control over their personal data, and to create a consistent legal framework across all EU member states. Before GDPR, each EU country had its own data protection laws, creating a patchwork of regulations that made compliance difficult for businesses operating across borders.
GDPR is notable for its extraterritorial reach. It applies not just to companies based in the EU, but to any organization worldwide that offers goods or services to EU residents or monitors their behavior. That means a small business in the United States selling products online to European customers is subject to GDPR if it collects any personal data: names, email addresses, IP addresses, or cookies.
Who GDPR Applies To
GDPR distinguishes between two types of organizations: data controllers and data processors. A data controller determines the purposes and means of processing personal data. A data processor processes personal data on behalf of a controller. Both have obligations under GDPR, though controllers bear the primary responsibility.
The regulation applies to organizations that meet at least one of these criteria:
- They have an establishment in the EU and process personal data as part of their activities
- They offer goods or services to individuals in the EU (regardless of whether payment is required)
- They monitor the behavior of individuals in the EU (for example, through website tracking)
There is no threshold based on company size. Even small businesses and sole traders can be subject to GDPR if they process personal data of EU residents. The only exemption is for processing carried out by individuals purely for personal or household activities, such as a home address book.
What Counts as Personal Data
GDPR's definition of personal data is broad. It includes any information relating to an identified or identifiable natural person. This goes far beyond just names and addresses.
Personal data under GDPR includes:
- Basic identifiers: name, address, phone number, email
- Online identifiers: IP address, cookie data, device IDs
- Health information: medical conditions, genetic data, biometric data
- Financial information: bank details, payment card information
- Location data: GPS coordinates, travel patterns
- Employment information: job title, employer, work email
- Behavioral data: purchasing history, browsing habits, preferences
- Opinions and beliefs: political views, religious beliefs, union membership
Special category data (previously called sensitive personal data) gets extra protection. This includes racial or ethnic origin, political opinions, religious beliefs, trade union membership, health data, sex life, sexual orientation, genetic data, and biometric data. Processing special category data is generally prohibited unless specific exceptions apply.
The Seven Key Principles
GDPR is built on seven core principles that guide all data processing activities. These are found in Article 5 and form the foundation of compliance:
1. Lawfulness, fairness, and transparency. Data must be processed on a valid legal basis. Organizations must be transparent about how they use data.
2. Purpose limitation. Data should only be collected for specified, explicit, and legitimate purposes. It cannot be repurposed without additional consent or a lawful basis.
3. Data minimization. Only collect data that is adequate, relevant, and limited to what is necessary for the intended purpose.
4. Accuracy. Personal data must be kept accurate and up to date. Inaccurate data should be erased or rectified without delay.
5. Storage limitation. Data should not be kept longer than necessary. Organizations need clear retention policies.
6. Integrity and confidentiality. Appropriate security measures must protect data against unauthorized access, loss, or destruction.
7. Accountability. Organizations must be able to demonstrate compliance with all the above principles.
Lawful Bases for Processing
Every data processing activity needs a lawful basis. GDPR lists six possible bases in Article 6:
Consent is one of the most commonly used bases. For consent to be valid, it must be freely given, specific, informed, and unambiguous. Pre-ticked boxes and bundled consents don't meet the standard. People must be able to withdraw consent as easily as they gave it.
Contractual necessity applies when processing is needed to fulfill a contract with the individual, for example processing a delivery address to ship an order.
Legal obligation covers processing required by law, for instance tax authorities requiring payroll data.
Legitimate interests allows processing when an organization has a genuine, legitimate reason that isn't overridden by individual rights. This requires a balancing test. Direct marketing often relies on this basis, though individuals have the right to object.
Vital interests covers processing needed to protect someone's life; it is rarely applicable for most businesses.
Public task applies to organizations exercising official authority or carrying out tasks in the public interest.
Individual Rights Under GDPR
GDPR grants individuals eight specific rights regarding their personal data:
- Right to be informed: People must be told what data is collected about them and how it's used
- Right of access: Individuals can request a copy of their data and information about how it's processed
- Right to rectification: People can have inaccurate data corrected
- Right to erasure: Also called the "right to be forgotten"; individuals can request deletion of their data in certain circumstances
- Right to restrict processing: People can limit how their data is used
- Right to data portability: Individuals can receive their data in a structured, commonly used format and transfer it to another provider
- Right to object: People can object to processing based on legitimate interests or for direct marketing
- Rights related to automated decision-making: Individuals can object to decisions made solely by automated processing, including profiling
Organizations typically have one month to respond to data subject requests, though complex requests can be extended by two months with notification. These requests must be fulfilled free of charge in most cases.
Breach Notification
GDPR has strict requirements for data breach notification. If a breach occurs that is likely to result in a risk to individuals' rights and freedoms, it must be reported to the relevant supervisory authority within 72 hours of becoming aware of it. This is a firm deadline; organizations that delay risk significant reputational and legal consequences.
If the breach is high-risk (meaning it's likely to result in a high risk to individuals' rights), affected individuals must also be notified directly and without undue delay. The notification must explain the nature of the breach and provide practical steps individuals can take to protect themselves.
Penalties for Non-Compliance
GDPR has one of the most significant penalty regimes in global data protection law. Organizations can face fines of up to €20 million or 4% of annual global turnover, whichever is higher, for the most serious violations. Less serious violations can result in fines of up to €10 million or 2% of annual turnover.
Beyond financial penalties, organizations face reputational damage, loss of customer trust, and potential civil litigation from affected individuals. Several high-profile fines in the years since GDPR took effect, including multi-billion euro penalties against major technology companies, demonstrate that enforcement is active and substantial.
Steps Toward Compliance
If your organization processes data from EU residents, here are practical steps to work toward compliance:
First, conduct a data audit. Document what personal data you collect, where it comes from, how it's used, who it's shared with, and how long it's retained. This inventory is essential for every other compliance step.
Second, identify your lawful bases. For each type of data processing, determine which legal basis applies and document your reasoning. Your basis for processing marketing emails will differ from your basis for processing transaction data.
Third, update your privacy notices. People must be informed clearly about what data you collect and why before you collect it. This means updating website privacy policies, app disclosures, and any forms where you collect information.
Fourth, implement appropriate security measures. The specific measures will depend on the nature of your data and your organization's resources, but technical safeguards and access controls are minimum requirements.
Fifth, establish processes for handling data subject requests. Build workflows for verifying requests, locating data, and responding within the one-month timeframe.
Sixth, if your processing is high-risk (for example, large-scale profiling or processing special category data), conduct a Data Protection Impact Assessment before you begin.
Seventh, if you use third-party service providers to process data on your behalf (cloud storage, email marketing platforms, analytics tools), ensure you have proper Data Processing Agreements in place with each of them.
GDPR in Practice: A Realistic View
GDPR compliance is not a one-time project. It's an ongoing commitment. Privacy laws evolve, new technologies create new data processing scenarios, and organizations change how they operate. A compliance program that worked last year might not cover this year's new product feature or data processing partnership.
The regulation is also not a perfect solution. Critics note that some of its requirements, particularly around consent for cookies and complex privacy policies, have created confusing user experiences. Many websites now show lengthy cookie banners that few users actually read. This doesn't mean GDPR is wrong, but it does suggest that compliance needs to be thoughtful, not just checkbox-driven.
The best approach is to genuinely respect individuals' privacy as a core business value, not just a legal obligation. Organizations that treat data protection as an integral part of their culture (where privacy by design guides product decisions, where data minimization is the default, where transparency with customers is genuine) are better positioned than those who view GDPR purely as a compliance burden.
For most organizations, achieving full GDPR compliance requires expertise. Privacy laws intersect with technology, contracts, employment law, and industry-specific regulations. Working with a qualified data protection professional, whether an in-house Data Protection Officer or an external consultant, is usually necessary for anything beyond basic compliance measures.