What is GDPR?

Understand the key principles of the General Data Protection Regulation (GDPR) and how your company can comply.
We receive compensation from the products and services mentioned in this story, but the opinions are the author's own. Compensation may impact where offers appear. We have not included all available products or offers. Learn more about how we make money and our editorial policies.

The General Data Protection Regulation, or GDPR, is legislation out of the European Union that helps consumers safeguard their personally identifiable information. 

Enacted in 2018, the GDPR includes several pillars to help protect consumers. Although these data privacy regulations are specifically for EU citizens, they apply to any business that interacts with consumers in the EU. For companies in the U.S. and other places around the world that do business in Europe, the GDPR is still important.

What does GDPR stand for?

GDPR stands for General Data Protection Regulation, which is legislation that protects the personal information of people in the European Union.

In this article
What is GDPR?
Who does GDPR apply to?
What are GDPR regulations?
What are my GDPR rights?
What happens if you violate European privacy laws?
Notable GDPR fines
How to comply with the General Data Protection Regulation
When did GDPR go into effect?
Bottom line

What is GDPR?

The GDPR is a comprehensive set of data privacy laws to help protect the personal information of citizens in the EU. The regulations apply to any company that does business in Europe.

The GDPR includes seven key pillars that companies must comply with to be compliant. Some of these standards include only requiring information needed for a specific purpose, being transparent in how the information will be used, and giving consumers the ability to remove consent.

What counts as personal data under GDPR?

Personal data is defined as any information related to a natural person that could identify that person. This could include names, addresses, payment information, IP addresses, biometric data, and more.

Who does GDPR apply to?

Even if your business isn’t based in a European country, the GDPR may still apply to you. The regulations protect consumers in the EU, so if you’re a company based in the U.S. with European customers, you must comply with GDPR standards.

The size of a company also does not matter with the GDPR. Companies of all sizes must comply.

What are GDPR regulations?

GDPR regulations are shaped around seven compliance principles that help protect consumers' personal data. GDPR requires that businesses protect consumer data throughout every interaction with consumers. 

Companies are required to protect data “by design and by default,” which means data protection principles are integrated throughout all processes. Essentially, how to protect your consumer’s data should be top of mind all the time.

The seven GDPR compliance principles outline how consumers should opt-in to data collection, how processing of personal data should occur, how that data should be used, and what should be done in case of a breach. Here are the principles and what they mean for companies looking to comply with GDPR.

7 GDPR compliance principles

The GDPR is based on seven principles to protect consumers' personal data. Those seven principles include:

  1. Lawfulness, fairness, and transparency: Consumers should understand what data they’re providing, how the company will use it, and how it is protected.
  2. Purpose limitation: Companies should only collect data that will be used for a specific purpose.
  3. Data minimization: Consumers should not need to provide more information than what is needed for a specific purpose.
  4. Accuracy: Data collected should be accurate and kept up to date.
  5. Storage limitation: Consumer data should only be kept for as long as needed.
  6. Integrity and confidentiality: Companies should work diligently to protect any data they collect.
  7. Accountability: Each company should have documentation on data protection practices.

Your website's privacy policy is one of the first steps in compliance with GDPR. A privacy policy must be clearly written, precise, and offered to consumers in a timely manner. The GDPR also warns companies of using language such as “may,” “might,” “some,” etc. because they may be too vague to meet compliance.

GDPR rules about processing personal data

One of the main tenets of GDPR is when and how personal data is processed. Not only does the GDPR hold companies to a higher standard when they’re collecting consumer data, it also requires that companies have a written agreement with any third party who may also have access to the collected data.

In Article 28 of the GDPR, it outlines the need for a data processing agreement:

“Processing by a processor shall be governed by a contract or other legal act under Union or Member State law that is binding on the processor about the controller and that sets out the subject matter and duration of the processing, the nature, and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller.”

What is data processing, according to the GDPR?

The GDPR defines data processing as any act that can be accomplished using someone’s data, including storing data, using the data, monetizing the data, and more.

The GDPR and the UK's Data Protection Act both also include regulations around data profiling. For profiling used to make automated decisions with potential legal consequences for the consumer, such as approval of a loan, there must be a legal basis, it must be required to create an agreement, and the consumer must give explicit consent.

As for profiling used for marketing purposes, such as personalized ads, businesses must get permission from the consumer or there must be "justified interest."

Not only does the GDPR stipulate how third parties use consumer data, but it also requires the companies collecting the data only to gather the information necessary for the task at hand. If your contact form asks for more information than necessary, you may be out of compliance with GDPR.

GDPR rules about consent

The GDPR emphasized the need for companies to gain consent from consumers about using their data. The GDPR outlines a few key parts of consent that must be achieved to comply, including:

  • Consent must be freely given. To be in compliance, users must give you consent to use their data. This consent must be freely given, or in a sense, you can’t pressure them into opting in.
  • Consent must be specific. When requesting consent to use data, companies should be specific on what data is needed and how it will be used.
  • Consent must be informed. Consumers should easily understand who you are, why you need the data, and how the data will be used.
  • Consent must be unambiguous. Consent should be actively given. Users should check a box or opt in. It cannot be pre-checked for them.
  • Consent can be revoked. Users on your website must also be able to remove their consent at any point in time.

The GDPR includes consumers’ “right to be forgotten”

Also called the right of erasure, the GDPR’s right to be forgotten allows consumers to request that an organization erase their data. While this may seem simple, the GDPR includes guidance on when the right of erasure can be requested and how businesses can create a right to be forgotten form for their consumers.

Do you need a Data Protection Officer?

For some companies, a Data Protection Officer (DPO) assists with the upkeep of GDPR compliance and ensures that all data collected is done properly. The DPO helps implement GDPR best practices and trains employees on how to handle data properly and can be a member of the data controller or data processors team.

The GDPR outlines other priorities of a DPO, including:

  • “Training organization employees on GDPR compliance requirements
  • Conducting regular assessments and audits to ensure GDPR compliance
  • Serving as the point of contact between the company and the relevant supervisory authority
  • Maintaining records of all data processing activities conducted by the company
  • Responding to data subjects to inform them about how their personal data is being used and what measures the company has put in place to protect their data
  • Ensuring that data subjects’ requests to see copies of their personal data or to have their personal data erased are fulfilled or responded to, as necessary.”

What are my GDPR rights?

The GDPR gives consumers more information from companies about how their data is being used and protected. Here are some other ways the GDPR gives consumers greater rights in personal data protection:

  • Gives consumers the ability to opt-out at any time
  • Gives consumers the right to data portability, or the right to store data for their personal use or send it to another data controller
  • Gives consumers the chance to request data inaccuracies be corrected through the right to rectification
  • Requires companies to protect your data
  • Companies must have a specific purpose in using your data
  • Companies must notify you of data breaches in a specific amount of time

One of the greatest benefits of GDPR for consumers is that the regulations put a governing body in charge of protecting consumer data. Every country uses a Data Protection Authority (DPA) which investigates GDPR infractions and levies fines. By having DPAs, the GDPR ensures that strict consumer protections are enforced.

What happens if you violate European data privacy laws?

Violations of the GDPR can result in hefty fines. GDPR violations and the fines that coincide are split into two tiers based on the severity of the infraction. 

The lower tier can carry fines up to 10 million euros ($10.5 million) or 2% of revenue from the previous year, whichever is greater. For higher infractions, fines can be up to 20 million euros ($21 million) or 4% of revenue from the prior year.

Notable GDPR fines

GDPR fines can be substantial. In 2021, the largest GDPR fine was levied against Amazon Europe Core. The company was fined 746 million euros ($789 million) for non-compliance with general GDPR principles. You can track all the GDPR fines with the GDPR Enforcement Tracker.

In 2021, there were more than 8,700 fines for GDPR infractions.

How to comply with the General Data Protection Regulation

If you’re doing business with customers in Europe, you need to comply with GDPR and the seven compliance principles. To comply with GDPR, it may be helpful to look at GDPR compliance in three different sections: consumer interaction, employee training and security, and what to do if there is a breach.

Consumer interaction

You need to make sure that you are communicating with consumers about the data you’re collecting. Consumers must opt-in to share their data with you, and as a company, you must inform customers how their data will be used.

For instance, when opting in for a mailing list, consumers should be informed that their information will be used to send monthly newsletters with company news and updates.

One of the most noticeable changes after the GDPR was enacted is how companies use cookies. The GDPR considers cookies as part of one’s personal data, so cookie data must also be protected by GDPR standards. To help with GDPR compliance, you need a cookie policy.

Employee training and cybersecurity

Your employees play an integral role in your compliance with GDPR. You should work to train employees so they understand the GDPR principles, as well as how their jobs affect the company’s GDPR compliance. It is also important that any employee who has access to personal information from consumers understands how to keep that data secure and what to do if there may have been a breach.

To ensure data is secure, you can require that employees use two-factor authentication and that company data is encrypted.

What to do if there is a breach

To ensure you are compliant with GDPR, you must also be prepared for a data breach. Do you have someone in your company who is in charge of leading the efforts in case of a data breach? Do you have a plan in place on how to notify consumers, investors, and the government if there is a data breach?

In the case of a breach, the GDPR stipulates that:

  • The Data Protection Authority (DPA) is notified within 72 hours. (The DPA is a public authority that supervises and investigates data protection laws in the EU. A full list of each country’s DPA is available here.)
  • The company investigates the severity of the breach.
  • Notify anyone whose data was jeopardized “without delay.”

When did GDPR go into effect?

The General Data Protection Regulation was adopted by the European parliament in 2016 and replaced the existing Data Protection Directive (DPD) that was adopted in 1995. 

In 2018, the UK enacted its own version of the GDPR called the Data Protection Act, which is supervised and upheld by the Information Commissioner's Office (ICO).

However, the GDPR officially went into effect on May 25, 2018. The idea of personal data protection and legislating around it began in Europe in 2011. Over the next five years, the European Commission worked to create the tenets of the GDPR and work to get it approved.



What are the 7 principles of GDPR?

The seven principles of the GDPR include:

  1. Lawfulness, fairness, and transparency: Consumers should be able to understand what data they’re using, how they’re using it, and for what purpose.
  2. Purpose limitation: Data should only be collected and used for specific purposes.
  3. Data minimization: Companies should only collect the data necessary based on the purpose of the interaction.
  4. Accuracy: Data should be accurate and up-to-date.
  5. Storage limitation: Personal data should only be kept for as long as it is needed.
  6. Integrity and confidentiality: Companies should protect the data of their customers and only use it for the purposes defined.
  7. Accountability: You’re responsible for the data of your customers and should be able to prove your GDPR compliance.


How do you comply with GDPR?

To comply with the GDPR, businesses must follow the seven principles of the law. One of the most important pieces of compliance includes having written documentation of compliance.

To begin with compliance, audit the data you collect from consumers and ensure it aligns with the tenets of GDPR. Here are some things to make sure apply to your data:

  • Do you require consumers to opt-in for providing personal data?
  • Can consumers opt out from giving data at any time?
  • Do you identify what data will be used and how it will be used?
  • Are you using clear and easy-to-understand language?
  • Do you have all of your data security practices documented?
  • Are you collecting any unnecessary data?

One part of the GDPR also requires that you notify consumers of a data breach if one happens. Do you have a plan on how to identify any breaches, and how to notify anyone whose data was compromised?


Who does GDPR protect?

The GDPR protects citizens in the European Union. The regulations apply to any company that does business with people in Europe. The establishment of the GDPR in Europe also spurred other legislation across the world, including the California Consumer Privacy Act (CCPA).

Bottom line

Although complying with GDPR standards may seem daunting, if your company is vigilant in understanding GDPR and training employees on security principles, you can ensure compliance with ease.

Evaluating your company’s privacy policy and cookie policy is a good place to ‌make sure you are complying with GDPR. Understanding the GDPR and if your company is in compliance can help you avoid a large GDPR fine.

The GDPR revolutionized data security for consumers and put a burden on companies to make sure they are working to protect the data of their customers. Although the GDPR is law in Europe, the standards apply to any company that does business in the European Union. Along with the GDPR, other states and countries have also enacted their own data security legislation that should also be evaluated.

Unlimited Device Protection and Large Server Network
Editorial Rating
Learn More
On Surfshark's website
83% off + 3 months free
  • All-in-one VPN app with 24/7 protection thanks to 3,200+ RAM-only servers in over 100 countries
  • Real-time malware defense, webcam protection, alternative ID creation, ad blocking, and more
  • One subscription covers unlimited devices for your entire household with access to 24/7 support

Author Details
Andrew Strom Adams is a freelance writer focused on online privacy and digital security. He writes on various topics to help individuals protect themselves on the internet. Andrew has worked in legal marketing, technology, and startups. He has more than 12 years of experience in marketing and communications. He holds an M.B.A. from Westminster College and a B.A. in journalism from Oklahoma Baptist University. When he’s not writing, he’s playing with his two kids or watching reality TV.