GDPR

What is GDPR in Europe?

The General Data Protection Regulation (GDPR) is a comprehensive data privacy law adopted by the European Union that sets strict standards for how organizations must collect, store, process, and protect personal data. The GDPR came into effect on May 25, 2018, replacing the earlier 1995 Data Protection Directive. Its main goals are to give individuals in the EU greater control over their personal information and to harmonize data protection laws across all member states.

In practice, the GDPR imposes new requirements on organizations worldwide if they target or process data related to people in the EU. Non-compliance can result in significant fines, so understanding what the GDPR covers is essential for any organization handling personal data.

History and Scope

Data protection has long been recognized as a human right in Europe. For example, the right to privacy is enshrined in the 1950 European Convention on Human Rights. As digital technology and the Internet expanded rapidly, the EU saw the need for a modern framework to protect personal data. The GDPR was proposed in 2012, passed by the European Parliament in 2016, and became enforceable on May 25, 2018, replacing the older Data Protection Directive. Because it is a regulation, it applies directly across all EU member states without needing separate national laws.

The GDPR has a broad scope. It applies to any organization that processes the personal data of individuals in the EU, regardless of where the organization is located. For example, a company in the United States that offers goods or services to customers in Europe, or tracks their behavior online, must comply with the GDPR. In addition, each EU country has its own independent supervisory authority (such as the CNIL in France or the Data Protection Commission in Ireland) to enforce the GDPR. Organizations must be aware of the rules where they operate to ensure compliance in practice.

Key Definitions

  • Personal data: Any information that identifies an individual, either directly or indirectly. This includes obvious data like names and email addresses, as well as location data, online identifiers (such as IP addresses), and sensitive information like health or financial records.
  • Data subject: The individual whose personal data is being processed. For example, a customer, employee, or website visitor.
  • Data controller: The organization or entity that determines the purposes and means of processing personal data. For instance, a retail company deciding what customer information to collect for marketing would be the data controller.
  • Data processor: A third party, often a service provider, that processes personal data on behalf of the data controller. For example, a cloud hosting provider or payroll service that handles data according to the controller’s instructions.
  • Processing: Any operation on personal data, whether automated or manual, including collecting, recording, organizing, storing, using, modifying, sharing, or deleting data.

Key Principles

The GDPR establishes seven core principles of data protection that all personal data processing must follow:

  • Lawfulness, fairness, and transparency: Personal data must be processed lawfully (for example, with user consent or contractual necessity), fairly, and in a transparent manner. Individuals should be clearly informed about how their data will be used.
  • Purpose limitation: Data must be collected for specific, explicit, and legitimate purposes and not further processed in ways that are incompatible with those purposes.
  • Data minimization: Organizations should collect only the minimum amount of personal data necessary for the intended purpose.
  • Accuracy: Personal data must be accurate and kept up to date. Inaccurate data should be corrected or deleted without delay.
  • Storage limitation: Data should not be kept longer than necessary for its original purpose. Once it is no longer needed, it should be securely deleted or anonymized.
  • Integrity and confidentiality: Personal data must be processed in a way that ensures appropriate security, including protection against unauthorized or unlawful processing, loss, or damage (for example, using encryption or access controls).
  • Accountability: The data controller is responsible for demonstrating compliance with all the above principles. This includes keeping records of processing activities and, where appropriate, conducting impact assessments.

Data Subject Rights

The GDPR grants individuals a range of rights over their personal data. Organizations must respect these rights and make it easy for people to exercise them. The list below summarizes key data subject rights and their meanings:

  • Right to be informed: Individuals have the right to know when and why their data is being processed. Organizations must provide clear information (usually via a privacy notice) about what data is collected, how it will be used, and who will have access.
  • Right of access: Individuals can obtain confirmation that their data is being processed and can request a copy of their personal data. For example, a user can ask a company for all the information it holds about their account and usage history.
  • Right to rectification: Individuals can have inaccurate personal data corrected. If a person’s address or contact details change, they can require the organization to update its records accordingly.
  • Right to erasure (right to be forgotten): Individuals can request deletion of their data when it is no longer needed for its original purpose, if they withdraw consent, or if the data was unlawfully processed. For example, a subscriber could ask a newsletter service to delete all of their personal information and account.
  • Right to restrict processing: Individuals can ask an organization to stop or limit processing of their data. For instance, a person may allow their data to be stored but not used for profiling or marketing.
  • Right to data portability: Individuals can receive their personal data in a structured, common format and transfer it to another organization. For example, a social network user can request an export of their profile and contacts to move to a different platform.
  • Right to object: Individuals can object to certain types of processing, such as direct marketing or processing based on legitimate interests. Upon objection, the organization must stop using the data for those purposes.
  • Rights related to automated decision-making: Individuals have the right not to be subject to decisions made solely by automated systems (including profiling) if those decisions have legal or significant effects on them. When this right applies, organizations must ensure there is human oversight or must obtain explicit consent.

These rights ensure that people maintain control over their personal data. For example, under the GDPR an individual who signed up for a free online service can withdraw their consent at any time, requiring the company to delete their data from its systems. Organizations must implement processes to handle access, correction, deletion, and other requests from users.

Controllers and Processors

Under the GDPR, a data controller determines why and how personal data is processed, while a data processor acts on behalf of the controller. Both roles have specific obligations: the controller must choose secure processors and ensure overall compliance, while the processor must follow the controller’s instructions and implement appropriate security measures for the data. For example, if a travel agency (the controller) uses a cloud-based booking system (the processor) to store customer reservation data, both parties must ensure that data is handled and protected according to GDPR requirements.

Examples in Action

  • Healthcare scenario: If a patient in France visits a doctor and their medical records are stored on an electronic system, that information is personal data under the GDPR. The healthcare provider must have a lawful basis (such as the patient’s consent or necessity for treatment) to process this data and must protect it with strong security measures. The patient can request to see their medical data or have it corrected if it is wrong.
  • Social media scenario: A social media company collecting user profiles from across the world must include a clear privacy notice for EU users. It must explain what data it collects (for example, posts, location, and browsing habits), why it is collected, and how it will be used. If a user in Spain asks to have their account data deleted, the company must comply unless it needs to retain some data for a legal reason (for instance, to comply with a court order).
  • App development example: When a company launches a new mobile app that collects location data, the GDPR’s “privacy by design” principle requires it to consider privacy from the start. The app should collect only the location information it truly needs, secure the data (for example, by encryption), and inform users clearly about the data collection. If the company later decides to use location data for a new purpose, it must update the privacy information and may need to get new consent from users.

GDPR Enforcement and Accountability

The GDPR is enforced by independent data protection authorities in each EU country. These authorities can investigate complaints and impose penalties on organizations that violate GDPR requirements. While the possible fines are very large, the main goal of the GDPR is to protect individual privacy and build trust. By understanding and following GDPR rules, organizations demonstrate respect for user rights and avoid legal and financial risks.