The General Data Protection Regulation, commonly referred to as GDPR, is an EU regulation concerning data protection and privacy in the European Union (EU) and the European Economic Area (EEA).

The GDPR grants and strengthens individuals' rights and control over the processing of their personal data and harmonizes data protection rules across the EU, simplifying the regulatory environment for international business. The regulation applies to any organization, public or private, that processes the personal data of individuals located in the EEA, regardless of where the organization itself is based and regardless of the data subjects' citizenship or place of residence.

What is the GDPR in simple terms?

GDPR protects eight rights of data subjects:

  • The right to be informed
  • The right of access to personal data
  • The right to rectification of inaccurate or incomplete data
  • The right to erasure (the "right to be forgotten")
  • The right to restrict processing
  • The right to data portability
  • The right to object and halt processing
  • Rights related to automated decision-making and profiling

To protect these rights, GDPR sets data protection and accountability requirements for enterprises. It also details processes for the execution and enforcement of those requirements.

Data protection requirements are based on seven principles for data collection and processing:

  1. Processing must be lawful, fair, and transparent
  2. Data may be collected only for specified, explicit, and legitimate purposes
  3. Only the minimum data necessary for those purposes may be collected
  4. Personal data must be kept accurate and up to date
  5. Data may be stored in identifiable form only as long as necessary
  6. Processing must ensure the security, integrity, and confidentiality of the data
  7. Data controllers must be able to demonstrate compliance with the above (accountability)

The regulation also sets out the lawful bases on which personal data may be processed. Consent is one of six such bases (the others are performance of a contract, a legal obligation, protection of vital interests, a public-interest task, and legitimate interests). Where consent is relied on, it must be freely given, specific, informed, and unambiguous, requested in plain language, and given by a clear affirmative act; pre-ticked boxes or silence do not qualify. Data subjects must be able to withdraw consent at any time, and withdrawing it must be no harder than giving it.

The law details further obligations, such as data protection by design and by default, appointment of data protection officers in certain cases, notification of data breaches to the supervisory authority (generally within 72 hours of becoming aware of them), pseudonymization and encryption as risk-reduction measures, and record-keeping of processing activities. Penalties for violations may include warnings, reprimands, audits, temporary or permanent bans on processing, and administrative fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher; more than 800 fines had been issued as of July 2021.


Impact of GDPR on companies

EU companies and international companies doing business in the EU had to invest heavily in IT infrastructure, staff (IT, legal, marketing, and data protection officers), software changes, and new procedures to become compliant with GDPR. Although the law is most often discussed in the context of large, international tech firms, it applies to organizations of every size, and the cost of compliance can be prohibitive for smaller businesses and startups.

Some businesses outside the EU responded to the increased costs by discontinuing EU business lines, blocking access for EU users, or ending behavioral advertising in the EU. Large multinational corporations have also been the targets of civil suits and regulatory complaints alleging breaches of GDPR.

While the European Commission found that GDPR has changed how consumers make decisions about their data, the law has been criticized for inconsistent enforcement across member states and for the difficulty of enforcing it against organizations outside the EU.

Lucas Ledbetter
Lucas Ledbetter writes about technology in marketing, education, and healthcare and provides content strategy consultation for small businesses. In his spare time, he studies languages, dabbles in poetry, and tinkers with his Raspberry Pi.
