The General Data Protection Regulation, commonly referred to as GDPR, is an EU regulation concerning data protection and privacy in the European Union (EU) and the European Economic Area (EEA).

The GDPR grants and enhances the rights and controls of individuals over personal data processing and simplifies the international business regulatory environment. The regulation applies to any enterprise that processes personal data inside the EEA, regardless of where a business is located or the citizenship or place of residence of data subjects.

What is the GDPR in simple terms?

GDPR protects eight rights of data subjects. These include:

  • The right to be informed
  • The right of access to personal data
  • The right of rectification of incorrect or incomplete data, and of erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object and halt processing
  • Rights related to automated decision-making and profiling

To protect these rights, GDPR sets data protection and accountability requirements for enterprises. It also details processes for the execution and enforcement of those requirements.

Data protection requirements are based on seven principles for data collection and processing:

  1. Processing must be lawful, fair, and transparent
  2. Data must be used only for specifically stated, legitimate purposes
  3. Only the minimum data necessary may be collected
  4. Personal data must be kept accurate and up to date
  5. Data may only be stored as long as necessary
  6. Processing must ensure data security, integrity, and confidentiality
  7. Data controllers must be able to demonstrate GDPR compliance

The regulation explains the legal basis for data use. Data must be collected with the explicit, informed consent of individuals, meaning consent that is specific, freely given, plainly worded, and unambiguously affirmed. Data subjects must be free to withdraw consent, and doing so must be no harder than opting in.

The law details other protections, such as data protection standards, assignment of data protection officers, handling of data breaches, pseudonymization, and record-keeping. Punishment for violation may include sanctions, audits, and fines, of which there have been over 800 as of July 2021.


Impact of GDPR on companies

EU companies and international companies doing business in the EU had to invest heavily in IT infrastructure, staff (IT, legal, marketing, and data protection officers), software debugging, and procedural changes to become compliant with GDPR. Although the law primarily targets large, international tech firms, the costs of compliance may be prohibitive to smaller businesses and startups.

Many businesses outside the EU terminated EU business lines, EU user access, and behavioral advertising due to increased costs. Large, multinational corporations have been the targets of civil suits for breach of GDPR.

While the European Commission found that GDPR resulted in changes in consumer decision-making, the law has been criticized for inconsistent enforcement and lack of enforceability.

Lucas Ledbetter
Lucas Ledbetter writes about technology in marketing, education, and healthcare and provides content strategy consultation for small businesses. In his spare time, he studies languages, dabbles in poetry, and tinkers with his Raspberry Pi.
