General Data Protection Regulation
What Is the General Data Protection Regulation?
The General Data Protection Regulation (GDPR) is a comprehensive legal framework enacted by the European Union to govern how personal data about individuals within the EU is collected, stored, processed, and transferred. It entered into force on 25 May 2018, replacing the earlier Data Protection Directive 95/46/EC, and established a single set of rules applying across all EU member states. Its geographic reach extends beyond Europe: any organization anywhere in the world that handles data belonging to EU residents must comply, making GDPR one of the most far-reaching privacy laws in operation.
GDPR draws its intellectual roots from data protection law, information ethics, and constitutional traditions that recognize privacy as a fundamental right. It is grounded in seven principles: lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability. These principles frame every obligation the regulation imposes on organizations and every right it confers on individuals.
Data Controller and Processor Obligations
The regulation distinguishes between data controllers, who determine the purposes and means of processing personal data, and data processors, who act on behalf of controllers. Both roles carry defined responsibilities under the text of the GDPR, including implementing appropriate technical and organizational security measures proportionate to the risk of the processing activity. Controllers must maintain records of processing activities, appoint a Data Protection Officer in certain circumstances, and conduct Data Protection Impact Assessments before undertaking high-risk processing. When a personal data breach occurs, controllers are required to notify the relevant supervisory authority within 72 hours of becoming aware of it, and to inform affected individuals without undue delay if the breach poses a high risk to their rights and freedoms.
Individual Rights
GDPR grants individuals a suite of enforceable rights over their personal data. These include the right to access a copy of data held about them, the right to have inaccurate data corrected, and the right to have data erased under certain conditions. Individuals may also object to processing for direct marketing purposes, request that processing be restricted while a dispute is resolved, and receive their data in a portable machine-readable format for transfer to another service provider. The European Commission's data protection framework describes these rights as instruments for returning meaningful control over personal information to the individuals to whom it belongs.
Ethics and Accountability
GDPR embeds ethical considerations directly into its compliance structure rather than treating them as external guidance. The accountability principle requires organizations to demonstrate compliance, not merely claim it. The regulation imposes restrictions on automated decision-making, including profiling, that produces legal or similarly significant effects on individuals, requiring human oversight in high-stakes situations. Transfers of personal data outside the EU are permitted only when the recipient country provides an adequate level of protection or when specific safeguards are in place, such as Standard Contractual Clauses reviewed by the European Data Protection Board. Fines for non-compliance can reach up to 20 million euros or 4 percent of global annual turnover, whichever is higher, with enforcement carried out by national supervisory authorities in each member state.
Applications
The General Data Protection Regulation has shaped practices across a wide range of sectors, including:
- Healthcare data management and patient record systems
- Financial services and credit scoring processes
- Digital advertising platforms and consent management
- Human resources and employee monitoring systems
- Cloud computing and data residency planning