What Is GDPR?

The General Data Protection Regulation (GDPR) is a comprehensive data privacy law enacted by the European Union and effective since May 2018. It governs how organizations collect, store, process, and share the personal data of EU and EEA residents — regardless of where the organization itself is located. If your website has EU visitors, GDPR likely applies to you.

GDPR replaced the outdated 1995 EU Data Protection Directive and introduced significantly stronger rights for individuals and heftier penalties for organizations that fail to comply.

The Seven Core Principles of GDPR

GDPR is built on seven foundational principles that govern how personal data must be handled:

  1. Lawfulness, fairness, and transparency: Data must be processed legally, fairly, and transparently.
  2. Purpose limitation: Data collected for one purpose cannot be repurposed without a new legal basis.
  3. Data minimization: Only collect the data you actually need.
  4. Accuracy: Personal data must be kept accurate and up to date.
  5. Storage limitation: Data should not be kept longer than necessary.
  6. Integrity and confidentiality: Data must be processed securely — this directly links GDPR to cybersecurity practices.
  7. Accountability: Organizations must be able to demonstrate compliance, not just claim it.

Individual Rights Under GDPR

GDPR grants EU residents eight enforceable rights over their personal data:

  • Right to be informed: Know what data is collected and why.
  • Right of access: Request a copy of all data held about you (Subject Access Request).
  • Right to rectification: Have inaccurate data corrected.
  • Right to erasure ("Right to be forgotten"): Request deletion of personal data under certain conditions.
  • Right to restrict processing: Limit how your data is used.
  • Right to data portability: Receive your data in a machine-readable format.
  • Right to object: Object to processing based on legitimate interests or direct marketing.
  • Rights related to automated decision-making: Not to be subject to solely automated decisions (including profiling) that produce significant effects.

Legal Bases for Processing Data

Under GDPR, every processing activity must have a valid legal basis. The six available bases are:

Legal Basis           When It Applies
--------------------  ------------------------------------------------
Consent               The individual has clearly opted in
Contract              Processing is necessary to fulfill a contract
Legal obligation      Required by law
Vital interests       To protect someone's life
Public task           Exercising official authority
Legitimate interests  Balanced against the individual's rights

Practical Compliance Steps for Organizations

GDPR compliance is ongoing, not a one-time checkbox. Key steps include:

  • Data mapping: Audit and document all personal data you collect, where it's stored, and who has access.
  • Privacy notices: Create clear, plain-language privacy policies that explain processing activities.
  • Consent mechanisms: Implement granular, unambiguous opt-in consent for marketing and non-essential cookies.
  • Data Protection Officer (DPO): Appoint a DPO if you process data at large scale or handle sensitive categories.
  • Breach notification: Report data breaches to supervisory authorities within 72 hours of discovery.
  • Data Processing Agreements (DPAs): Ensure contracts with third-party processors include GDPR-required terms.
  • Privacy by Design: Build data protection into systems and processes from the start, not as an afterthought.

Penalties for Non-Compliance

GDPR introduced a tiered penalty structure. Serious violations — such as insufficient legal basis for processing or violations of core principles — can result in fines of up to €20 million or 4% of global annual turnover, whichever is higher. Less severe infringements carry fines of up to €10 million or 2% of turnover. Regulators across the EU have issued significant fines since enforcement began, making GDPR compliance a genuine business risk, not just a compliance box-ticking exercise.