What Is GDPR?
The General Data Protection Regulation (GDPR) is a comprehensive data protection law of the European Union that has been enforceable since 2018. It governs how organizations collect, store, process, and share the personal data of individuals in the EU and the European Economic Area (EEA). GDPR applies regardless of where the organization is based — if you process the personal data of people in the EU, GDPR likely applies to you.
The Seven Principles
GDPR is built on seven principles that guide all data processing: lawfulness, fairness, and transparency — process data legally and openly; purpose limitation — collect data for specified, legitimate purposes; data minimization — collect only what is necessary; accuracy — keep data accurate and up to date; storage limitation — retain data only as long as needed; integrity and confidentiality — ensure appropriate security; and accountability — demonstrate compliance.
Who GDPR Applies To
GDPR applies to any organization that processes personal data of individuals in the EU, regardless of where the organization is located. A US SaaS company with EU customers must comply. GDPR distinguishes between controllers (who determine the purposes and means of processing) and processors (who process data on behalf of controllers). Both have obligations.
What Is Personal Data
Personal data is any information relating to an identified or identifiable natural person. This includes obvious identifiers like names and email addresses, but also IP addresses, cookie identifiers, location data, and any data that could directly or indirectly identify someone.
Enforcement and Penalties
GDPR enforcement is handled by national supervisory authorities in each EU member state. Penalties can reach 20 million euros or 4% of global annual revenue, whichever is higher. Enforcement has been active — significant fines have been issued to companies of all sizes, not only large technology firms.
In the next lesson, we will cover data subject rights.