What is GDPR?
The General Data Protection Regulation (GDPR) is the European Union's comprehensive data protection law that came into effect on May 25, 2018. It replaced the 1995 Data Protection Directive and represents the most significant change to EU data protection law in over two decades.
GDPR aims to:
- Give individuals control over their personal data
- Simplify the regulatory environment for international business
- Harmonize data protection laws across EU member states
- Strengthen and unify data protection for individuals within the EU
GDPR applies globally to any organization that processes personal data of EU residents, regardless of where the organization is located. This extraterritorial scope is one of GDPR's most significant features.
Who Does GDPR Apply To?
Organizations Established in the EU
GDPR applies to any organization with an establishment in the EU that processes personal data, regardless of whether the processing itself takes place in the EU.
Organizations Outside the EU (Article 3)
Organizations not established in the EU that process personal data of EU residents when:
- Offering goods or services: Free or paid, to EU data subjects
- Monitoring behavior: Tracking behavior that takes place within the EU
Who is NOT Covered
- Purely personal or household activities
- Law enforcement and national security (separate frameworks apply)
- Organizations with no EU establishment that neither offer goods or services to, nor monitor the behavior of, individuals in the EU
Key Terms Explained
| Term | Definition |
|---|---|
| Personal Data | Any information relating to an identified or identifiable natural person |
| Data Subject | An identified or identifiable natural person whose data is processed |
| Processing | Any operation performed on personal data (collection, storage, use, deletion) |
| Controller | Entity that determines the purposes and means of processing |
| Processor | Entity that processes personal data on behalf of the controller |
| Special Categories | Sensitive data: race, health, biometrics, religion, political opinions |
The Seven GDPR Principles
Article 5 establishes the core principles for processing personal data:
1. Lawfulness, Fairness, and Transparency
Personal data must be processed lawfully, fairly, and in a transparent manner.
2. Purpose Limitation
Data must be collected for specified, explicit, and legitimate purposes.
3. Data Minimization
Personal data must be adequate, relevant, and limited to what is necessary.
4. Accuracy
Personal data must be accurate and kept up to date.
5. Storage Limitation
Data must be kept no longer than necessary for the processing purposes.
6. Integrity and Confidentiality
Personal data must be processed in a way that ensures appropriate security, using appropriate technical and organizational measures.
7. Accountability
The controller must demonstrate compliance with all principles.
Data Subject Rights
- Right to be informed: Know how data is being used
- Right of access: Obtain a copy of personal data
- Right to rectification: Have inaccurate data corrected
- Right to erasure: Have data deleted ("right to be forgotten")
- Right to restrict processing: Limit how data is used
- Right to data portability: Receive data in machine-readable format
- Right to object: Object to processing, including direct marketing
- Rights related to automated decisions: Not be subject to purely automated decisions
Key Organizational Obligations
Documentation
- Records of Processing Activities (RoPA)
- Privacy notices and policies
- Data Processing Agreements
- Data Protection Impact Assessments (DPIAs)
Security
- Appropriate technical and organizational measures
- Data protection by design and by default
- Regular testing of security measures
Breach Notification
- Notify the supervisory authority within 72 hours of becoming aware of a breach
- Notify individuals if high risk
- Document all breaches
Penalties
| Tier | Maximum Fine | Applies To |
|---|---|---|
| Lower | EUR 10M or 2% of global annual turnover, whichever is higher | Technical/organizational obligations |
| Upper | EUR 20M or 4% of global annual turnover, whichever is higher | Processing principles, data subject rights, international transfers |