The General Data Protection Regulation, commonly referred to as GDPR, is an EU regulation concerning data protection and privacy in the European Union (EU) and the European Economic Area (EEA).

The GDPR grants and strengthens individuals' rights and control over the processing of their personal data and harmonizes the rules for businesses operating across borders. It applies to any organization that processes the personal data of individuals in the EEA, regardless of where the organization is based or the citizenship or place of residence of the data subjects.

What is the GDPR in simple terms?

GDPR protects eight rights of data subjects:

  • The right to be informed
  • The right of access to personal data
  • The right to rectification of inaccurate or incomplete data
  • The right to erasure (the "right to be forgotten")
  • The right to restrict processing
  • The right to data portability
  • The right to object to processing
  • Rights related to automated decision-making and profiling

To protect these rights, GDPR sets data protection and accountability requirements for enterprises. It also details processes for the execution and enforcement of those requirements.

Data protection requirements are based on seven principles for data collection and processing:

  1. Processing must be lawful, fair, and transparent
  2. Data must be only for specifically stated, legitimate purposes
  3. Only the minimum data necessary may be collected
  4. Personal data must be kept accurate and up to date
  5. Data may only be stored as long as necessary
  6. Processing must ensure data security, integrity, and confidentiality
  7. Data controllers must be able to demonstrate GDPR compliance

The regulation also sets out the lawful bases for processing. Consent is one of six lawful bases (alongside contract, legal obligation, vital interests, public task, and legitimate interests), and where processing relies on it, consent must be freely given, specific, informed, and unambiguous, requested in plain language and given by a clear affirmative act; pre-ticked boxes and silence do not count. Data subjects must be free to withdraw consent at any time, and withdrawing must be no harder than giving it.

The law details other protections and obligations, such as security of processing, appointment of data protection officers, breach notification, pseudonymization, and record-keeping. Pseudonymized data is still personal data under the regulation, because it can be re-attributed to an individual using the separately held additional information; only data that has been truly anonymized falls outside its scope. Violations may draw sanctions, audits, and fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher; more than 800 fines had been issued as of July 2021.


Impact of GDPR on companies

EU companies and international companies doing business in the EU had to invest heavily in IT infrastructure, staff (IT, legal, marketing, and data protection officers), software changes, and new procedures to become compliant with GDPR. Although enforcement attention has centered on large, international tech firms, the regulation applies to organizations of every size, and the cost of compliance can be prohibitive for smaller businesses and startups.

Some businesses outside the EU dropped EU business lines, blocked EU users, or stopped behavioral advertising rather than bear the added cost. Large multinational corporations have been the targets of civil suits for breaches of GDPR.

While the European Commission found that GDPR changed consumer decision-making, the law has been criticized for inconsistent enforcement across member states and for weak enforceability.

Lucas Ledbetter
Lucas Ledbetter writes about technology in marketing, education, and healthcare and provides content strategy consultation for small businesses. In his spare time, he studies languages, dabbles in poetry, and tinkers with his Raspberry Pi. Follow him at
