What is the GDPR? Simple guide to EU data protection

If your organization collects, uses, or tracks personal data from people in the EU, the General Data Protection Regulation (GDPR) applies. It doesn't matter where your company is based: this European privacy law has a global reach, reshaping how businesses handle personal information.
Adopted in 2016 and enforced since May 2018, the GDPR sets clear rules on what qualifies as personal data, how it can be used, and what rights individuals have over their information.
This guide covers what the GDPR is, who it applies to, and what businesses need to know to stay compliant.
What is the GDPR in simple terms?
The GDPR is an EU privacy law that protects the personal data of people in the EU. This includes any information that can identify someone directly or indirectly, such as names, email addresses, IP addresses, or cookies.
The GDPR gives people more control over their data. It also requires businesses to process this data fairly, explain why they’re collecting it, and keep it secure. It replaced older EU data rules when it took effect on May 25, 2018.
Why the GDPR was introduced
Before the GDPR, data protection in the EU was based on the 1995 Data Protection Directive. Back then, the internet was new, and companies handled far less personal data. As technology advanced and online services became part of daily life, it was clear that those old rules were no longer enough.
In 2012, the European Commission proposed new legislation to strengthen privacy rights and adapt to the digital economy. After several years of discussion, the GDPR was adopted in 2016 and came into force in 2018.
Unlike the older directive, it applies directly in every EU country, setting consistent standards and giving people stronger rights over their personal information.
Privacy matters more than ever in a connected world, and laws like the GDPR are designed to put users back in control of their data.
Who the GDPR applies to
The GDPR applies to any organization that collects, uses, or stores the personal data of people in the EU, regardless of whether the company is based inside or outside the European Economic Area (EEA). The law follows the data, not the company’s location.
The regulation defines two key roles:
- Data controller: Decides why and how personal data is processed.
- Data processor: Handles data on behalf of the controller, such as cloud providers or payment processors.
Businesses in the EEA
The EEA covers the 27 EU member states plus Iceland, Liechtenstein, and Norway. Any organization established within the EEA must comply with the GDPR when processing personal data, even if that processing happens outside Europe. For example, a company based in Spain that uses servers in the U.S. still has to follow GDPR rules.
Businesses outside the EEA
Being outside the EEA doesn’t exempt an organization from the GDPR. The law still applies if your business does either of the following with respect to people in the EU:
- Offers goods or services to people in the EU, whether for free or for a fee.
- Monitors the behavior of people in the EU, such as tracking online activity through cookies or profiling.
For example, an education platform based in the U.S. but targeting university students in Spain or Portugal must comply with the GDPR. And any company outside the EEA that acts as a data processor for a company within the EEA must comply, too.
If a service is only incidentally accessible from within the EU, without specifically targeting EU users or handling their personal data, it may fall outside the GDPR’s scope. But if a company makes no clear effort to exclude EU residents, regulators could still decide that the GDPR applies.
Also, there are a few specific types of data that are exempt from the regulation, including data collected for national security purposes, law enforcement purposes, or purely for personal domestic reasons.
What counts as personal data under the GDPR?
Under the GDPR, personal data is any information that relates to a living person who can be identified directly or indirectly. Examples include:
- Full names
- Home addresses
- Email addresses with a person’s name
- National ID or passport numbers
- IP addresses
- Cookie IDs
- Advertising identifiers on devices
- Medical records
The GDPR also distinguishes between pseudonymized data, which can still be linked back to someone, and truly anonymized data, which cannot. Only the latter falls outside the scope of the regulation.
Additionally, the GDPR identifies special categories of personal data, such as racial or ethnic origin, religious beliefs, political opinions, and biometric data. Processing this sort of information is prohibited except under very specific circumstances because of the higher risks involved.
What are the legal bases for processing personal data?
The GDPR doesn’t let organizations process personal data just because they want to. There needs to be a clear, legal reason, and the regulation defines six options:
- Consent: When someone has given clear permission for their data to be used. Consent must be freely given, specific, and easy to withdraw. Silence or pre-checked boxes aren’t acceptable.
- Contract: Processing is necessary to fulfill a contract with the individual (for example, processing payment details to complete a purchase).
- Legal obligation: Sometimes, the law requires an organization to process personal data, like when hospitals are required to keep medical records.
- Vital interests: Processing data is necessary to protect someone’s life, such as in a medical emergency.
- Public task: Data processing is necessary to carry out an official duty or task in the public interest (often relevant for government bodies).
- Legitimate interests: Allows organizations to process data if they have a valid reason that doesn’t override the individual’s rights, such as using data to maintain cybersecurity systems.
The 7 main principles of GDPR
The GDPR is built around seven key principles that define how personal data should be handled. These principles set the standards for fairness, security, and accountability when processing data.
1. Lawfulness, fairness, and transparency
This principle dictates that data should only be collected and used for valid reasons allowed by the GDPR, like having the person’s consent or needing the data to provide a service. It also means using data fairly, without misleading people or using their information in ways they wouldn’t expect. Finally, transparency is key: organizations must explain in simple terms what data they’re collecting, why, and how they plan to use it.
2. Purpose limitation
Under the GDPR, personal data can only be collected for a specific, clear purpose. Organizations must tell people why their data is being collected at the time it’s gathered. Once collected, it can’t be used for any reason that isn’t compatible with that original purpose.
3. Data minimization
The GDPR requires organizations to collect only the personal data that’s necessary for a specific purpose. This principle helps limit the amount of data held about someone, reducing risks if that data is ever lost or misused. It keeps data collection focused and relevant.
4. Accuracy
Personal data needs to be correct. If an organization stores information about a person, it must ensure that the data is accurate and updated as needed. If details change or mistakes are found, the organization is responsible for fixing them. Keeping data accurate helps avoid errors that could affect people, especially when the information is used to make decisions about them.
5. Storage limitation
Organizations shouldn’t keep personal data longer than they need it. Once the data has served its purpose, it should be deleted or anonymized. This principle makes sure that data isn’t kept “just in case” without a clear reason. It also helps reduce the risks linked to storing information unnecessarily, like data breaches or privacy issues.
6. Integrity and confidentiality
Keeping personal data safe is essential. Organizations need to protect it from being seen, stolen, or changed by anyone who shouldn’t have access. This means having good security in place when it comes to technology and data handling.
7. Accountability
Accountability means that organizations are not only expected to follow the GDPR rules; they also have to prove it. This involves showing that they’ve taken relevant steps to protect personal data, like keeping records of how they process it, training staff, and putting privacy policies in place.
Data rights for users under the GDPR
Right to be informed
You have the right to know when an organization is collecting your personal data and why. This means companies must be clear from the start about what data they’re collecting, how they plan to use it, and who they might share it with.
The information should be easy to understand so you can make an informed decision about whether you’re comfortable sharing your data.
Right to access
This means you can ask any organization what personal data they have about you. You can request a copy of the data, along with details about how it’s being used and who it’s shared with. Organizations are required to provide this information within a reasonable time.
However, this right is not absolute; it must not adversely affect the rights and freedoms of others, including trade secrets or intellectual property.
Right to rectification
If any of your personal data held by an organization is wrong or incomplete, you have the right to ask for it to be corrected. Whether it’s a misspelled name, an outdated address, or missing information, the organization must fix it.
Right to erasure (right to be forgotten)
You can ask an organization to delete your personal data when there’s no longer a good reason for them to keep it. This is often called the "right to be forgotten." It applies when the data is no longer needed for the purpose it was collected for, or when the organization has processed your data unlawfully.
However, this right isn’t absolute either, as companies can keep the data if they have a legal obligation to retain it or on other valid grounds.
Right to restrict processing
This right lets you ask an organization to limit how they use your personal data. You might request this if you believe the data is inaccurate, if it’s been processed unlawfully, or if the organization no longer needs it but you want them to keep it for a legal claim. While the restriction is in place, the organization can store the data but can’t use it for other purposes unless you give permission or there are legal reasons to do so.
Right to data portability
This right allows you to get a copy of your personal data in an accessible format. You can also ask for the data to be sent directly to another organization if it’s technically possible. The idea is to give you more control over your information, making it easier to switch services or move your data somewhere else without starting from scratch.
Right to object
You have the right to object to how your personal data is being used, especially when it’s for direct marketing purposes. If you make an objection, the organization must stop using your data unless they can show that they have a strong, legitimate reason to keep processing it.
Rights related to automated decision-making
You also have the right to challenge decisions made about you entirely by automated processes, especially if the decision has a significant effect, like being approved for a loan or a job. The GDPR gives you the right to ask for human involvement in these cases; you can request that someone review the decision instead of leaving it solely to algorithms or automated systems.
What is consent under the GDPR and how is it obtained?
Consent under the GDPR must meet strict standards to be valid. For it to count, your consent must be:
- Freely given: You need to have a real choice, without pressure or negative consequences for saying no.
- Specific and informed: The organization must tell you who they are, what data they’re collecting, why they need it, and how it’ll be used.
- Unambiguous: Consent must come from a clear, affirmative action, like ticking a box or signing a form. Silence or pre-checked boxes don’t count.
People also have the right to withdraw consent at any time, and it should be just as easy as it was to give it. Once withdrawn, the company must stop using your data for that purpose.
For services targeting users under 16, parental consent is usually required, though some EU countries have lowered this threshold to 13.
How businesses can comply with GDPR requirements
There are specific steps every organization should take to stay GDPR-compliant and protect privacy.
Records of processing activities (RoPA)
Article 30 of the GDPR requires companies to document how they handle personal data. These records should cover the reasons for processing, the types of data collected, who it’s shared with, storage periods, and the security measures in place.
Although small businesses might be exempt if their processing is infrequent and low-risk, keeping these records is key to demonstrating GDPR compliance when asked by authorities.
Data protection impact assessments (DPIAs)
When a company plans to process personal data in a way that could pose a high risk to people’s rights and freedoms, it must carry out a DPIA. This is mandatory in cases like using new technologies, monitoring public spaces on a large scale, or extensive processing of special categories of data.
The purpose of a DPIA is to identify and reduce potential risks before any data processing begins. If high risks remain despite the measures taken, the company must consult the Data Protection Authority (the national body in each EU country responsible for enforcing GDPR compliance) before proceeding.
Appointing a Data Protection Officer (DPO)
Some organizations are required to appoint a Data Protection Officer (DPO) under the GDPR. This person is responsible for monitoring how personal data is handled within the company and ensuring that GDPR requirements are followed. You need to appoint a DPO if:
- You regularly or systematically monitor users on a large scale, such as tracking behavior online.
- You process special categories of data, like health, genetic, or biometric data, on a large scale.
- You're a public authority or body (with exceptions for courts or independent judicial authorities).
The DPO can be an employee or an external expert hired through a service contract. Either way, they must operate independently, advising staff, overseeing data protection measures, and acting as the main contact point with data protection authorities.
Data transfer safeguards
When transferring personal data outside the EU, the GDPR requires businesses to ensure that the same level of protection travels with the data. Companies must apply safeguards to keep the data secure and comply with GDPR standards.
There are several approved ways to protect data transfers:
- Adequacy decisions: Data can be sent to countries the EU has determined offer an adequate level of data protection.
- Contractual safeguards: Businesses can include specific clauses in contracts with non-EU recipients to guarantee data protection.
- Derogations: In some cases, transfers are allowed if the individual has given explicit consent or if it’s necessary for contractual reasons.
Security controls and encryption under the GDPR
Organizations must also implement strong security controls to protect personal data from unauthorized access, alteration, or loss. These include technical measures, like encryption, and organizational steps, such as limiting access to authorized personnel only.
Encryption plays a vital role in protecting privacy and freedom in open societies, and it remains one of the most effective tools against data breaches.
Reporting data breaches
If a data breach risks individuals’ rights or freedoms, businesses must notify the relevant Data Protection Authority within 72 hours. If the risk is high, affected individuals must also be informed.
Failing to report a breach within the required timeframe can lead to penalties, so it’s important for businesses to have clear processes in place to detect, assess, and respond to data breaches efficiently.
Employee awareness and training
Compliance with the GDPR depends not just on policies but on how well employees understand and apply them. Staff need clear guidance and regular training to handle personal data responsibly and respect individuals' rights. This awareness across the organization helps prevent breaches and supports ongoing compliance efforts.
GDPR enforcement and penalties for violations
Each country in the European Economic Area (EEA) has a Data Protection Authority (DPA) that oversees how organizations follow data protection rules. These authorities can carry out investigations, request documentation, and even conduct inspections to ensure businesses meet their obligations.
If a company is found to be in breach of the GDPR, the penalties can be significant. The most serious violations can lead to fines of up to 20 million euros or 4% of the company’s global annual turnover, whichever is higher. On top of financial penalties, authorities may also impose corrective actions, such as ordering the company to stop processing certain data or to improve its data protection measures.
These enforcement powers ensure that GDPR compliance isn’t optional. Businesses that handle personal data must take their responsibilities seriously or face costly consequences.
Does the GDPR apply in the U.S.?
The GDPR is an EU regulation, but it doesn’t stop at Europe’s borders. U.S. businesses can fall under its scope if they handle personal data from individuals in the EU. This means that even without a physical presence in Europe, companies in the U.S. might still need to comply with the GDPR if their activities meet certain criteria.
GDPR compliance for U.S. companies
Under Article 3 of the GDPR, U.S. companies must comply if they either have an establishment in the EU or if they offer goods or services to individuals in the EU, even if the service is free. Monitoring the behavior of EU individuals online, such as through cookies, tracking, or targeted advertising, also brings a U.S. business within the GDPR’s scope.
To comply, U.S. businesses need to:
- Audit the types of personal data they collect.
- Establish a clear legal basis for processing each type of data, such as consent or contractual necessity.
- Assess any data transfers from the EU to the U.S., ensuring appropriate safeguards like Standard Contractual Clauses (SCCs) are in place.
- Appoint a GDPR representative within the EU if they don’t have a physical presence there.
- Obtain prior consent for website data collection and cookies.
- Update privacy policies to reflect GDPR obligations and data subject rights.
GDPR vs. CCPA and CPRA
While the GDPR requires clear consent before processing personal data, the California Consumer Privacy Act (CCPA) and its amendment, the California Privacy Rights Act (CPRA), take a different approach by following an opt-out model.
In California, businesses generally don’t need prior consent to collect or process personal information, except in specific cases such as selling or sharing data, handling data from minors, or processing sensitive information.
Instead, these laws focus on transparency, requiring businesses to notify users about data practices and provide easy ways to opt out of the sale or sharing of their personal data. Overall, the emphasis in California is on user control and visibility rather than advance consent.
For U.S. companies, this highlights an important distinction: GDPR’s strict consent requirements aren’t mirrored in the U.S., so businesses operating in both regions need to adapt their practices accordingly.
What is the role of cookies under the GDPR?
Under the GDPR, cookies that can identify an individual or track their behavior online are considered personal data. This includes techniques beyond traditional cookies, such as browser fingerprinting, which can uniquely identify users based on their device and browser settings. Websites must let users choose which types of cookies they accept, a concept known as granular consent. However, strictly necessary cookies don’t require consent.
While the GDPR defines how consent must be obtained, the use of cookies in the EU is also governed by the ePrivacy Directive, which complements the GDPR by specifically regulating online tracking technologies like cookies. This is why many websites display cookie banners to EU visitors, asking them to manage their preferences before any non-essential cookies are set.
If you're looking to minimize tracking while browsing, using a VPN can also help you browse more privately by masking your IP address and encrypting your traffic.
Common misconceptions about the GDPR
Despite being in place for years, there are still widespread misconceptions about what the GDPR really means for businesses. Let’s clear them up.
GDPR applies only to EU companies
It’s often assumed that the GDPR only affects businesses within the EU, but the regulation has a much wider reach. Any company based outside the EU, including in the U.S., must comply if it offers goods or services to people in the EU or monitors their behavior online, such as through tracking technologies.
Consent is always required
Another common misunderstanding is that GDPR always demands consent to process personal data. In reality, consent is just one of several lawful bases. Companies can also rely on a contract, a legal obligation, a vital interest, a public task, or a legitimate interest, provided that the rights of individuals are respected. Consent becomes essential when no other legal basis applies.
GDPR is just about fines
Many see GDPR purely as a system for imposing large fines, but its core purpose is to strengthen privacy rights and promote responsible data handling. While the penalties can be significant, the focus is on making sure that organizations handle personal data transparently, securely, and in line with people’s rights.
GDPR stops all marketing
There’s also the mistaken idea that GDPR makes marketing impossible. The regulation doesn’t block marketing altogether; rather, it sets boundaries to make sure personal data is used fairly. With an appropriate legal basis, whether consent or legitimate interest, businesses can continue marketing to individuals in the EU, as long as privacy rights are upheld.
FAQ: Common questions about the GDPR
Where can I find the full GDPR text?
You can find the complete text of the GDPR on the EUR-Lex website, which hosts all official EU law. The authentic and legally binding version is published in the Official Journal of the European Union, also accessible through EUR-Lex.
What are the criteria for requesting deletion of your data under GDPR?
You can ask for your personal data to be deleted when it’s no longer needed, when you withdraw consent, or when it has been processed unlawfully. The right to erasure also applies if the data was collected when you were a minor.
What is a Data Subject Access Request (DSAR)?
A Data Subject Access Request, or DSAR, lets you ask an organization to confirm if they have your personal data. You can also request a copy and ask how it’s being processed.
What does data minimization mean?
Data minimization means collecting only the personal data necessary to achieve a specific purpose. Organizations can’t ask for extra or unrelated information, thus reducing the risk of misuse or breaches.
Who enforces the GDPR?
Each EU member state has a Data Protection Authority (DPA) that oversees GDPR enforcement. DPAs can investigate complaints, audit companies, and impose fines for non-compliance.
Comments
Common
Nice article that outlines the history and compliance issues, but you didn't answer the title question: HOW does a website obtain official compliance?
Hey Steve! I believe it is answered in the section "How do you obtain GDPR compliance". Thanks!
Does this also apply to the collection of business data? For example, if you want to collect the website address, name, phone, e-mail and other information of a company, does the GDPR also apply, or is it only for data related to citizens and residents?