The General Data Protection Regulation, commonly referred to as GDPR, is an EU regulation concerning data protection and privacy in the European Union (EU) and the European Economic Area (EEA).
The GDPR grants and enhances the rights and controls of individuals over personal data processing and simplifies the international business regulatory environment. The regulation applies to any enterprise that processes personal data inside the EEA, regardless of where a business is located or the citizenship or place of residence of data subjects.
GDPR protects eight rights of data subjects. These include:
To protect these rights, GDPR sets data protection and accountability requirements for enterprises. It also details processes for the execution and enforcement of those requirements.
Data protection requirements are based on seven principles for data collection and processing:
The regulation explains the legal basis for data use. Data must be collected with the explicit, informed consent of individuals, meaning consent that is specific, freely given, plainly worded, and unambiguously affirmed. Data subjects must be free to withdraw consent, and doing so must be no harder than opting in.
The law details other protections, such as data protection standards, the appointment of data protection officers, handling of data breaches, pseudonymization, and record-keeping. Penalties for violation may include sanctions, audits, and fines; over 800 fines had been issued as of July 2021.
EU companies and international companies doing business in the EU had to invest heavily in IT infrastructure, staff (IT, legal, marketing, and data protection officers), software debugging, and procedural changes to become compliant with GDPR. Although the law primarily targets large, international tech firms, the costs of compliance may be prohibitive to smaller businesses and startups.
Many businesses outside the EU terminated EU business lines, EU user access, and behavioral advertising due to increased costs. Large, multinational corporations have been the targets of civil suits for breach of GDPR.
While the European Commission found that GDPR resulted in changes in consumer decision-making, the law has been criticized for inconsistent enforcement and lack of enforceability.