What is GDPR? Definition, Requirements & Key Principles

Why GDPR Matters

The GDPR, effective since May 25, 2018, is the world's most influential data protection regulation. It applies to any organization that processes personal data of individuals in the European Economic Area (EEA) — regardless of where the organization is headquartered. A company in New York serving European customers must comply just as a company in Berlin does.

GDPR has set the global standard for privacy regulation. Laws like Brazil's LGPD, California's CPRA, and Saudi Arabia's PDPL were modeled on its framework.

The 7 GDPR Principles

Every data processing activity must comply with these principles (Article 5):

Lawfulness, fairness, and transparency — Process data legally and tell people what you're doing with their data.
Purpose limitation — Collect data for specified, explicit purposes only.
Data minimization — Only collect what you actually need.
Accuracy — Keep personal data accurate and up to date.
Storage limitation — Don't keep data longer than necessary.
Integrity and confidentiality — Protect data with appropriate security measures.
Accountability — Demonstrate compliance through documentation and processes.

Who Must Comply

GDPR applies to organizations that:

Are established in the EU/EEA, regardless of where processing takes place
Offer goods or services to individuals in the EU/EEA
Monitor the behavior of individuals in the EU/EEA (e.g., tracking, profiling)

This includes businesses of all sizes — from solo freelancers to multinational corporations.

Key Rights for Individuals

GDPR grants data subjects (individuals) specific rights:

Right of access — Know what data is held about them
Right to rectification — Correct inaccurate data
Right to erasure — Request deletion of their data
Right to data portability — Receive their data in a usable format
Right to object — Object to processing based on legitimate interest
Right to restrict processing — Limit how data is used

Fines and Enforcement

GDPR penalties are among the strictest in the world:

Up to €20 million or 4% of global annual turnover for the most serious violations (whichever is higher)
Up to €10 million or 2% of turnover for less severe infringements
Supervisory authorities across the EU have issued over €4 billion in fines since 2018

Major fines have been issued to companies like Meta (€1.2B), Amazon (€746M), and WhatsApp (€225M).

Key Regulation

Full name: Regulation (EU) 2016/679
Effective: May 25, 2018
Enforced by: National Data Protection Authorities (e.g., AZOP in Croatia, CNIL in France, ICO in the UK)
Scope: All EU/EEA member states, plus organizations worldwide that process EU data

GDPR (General Data Protection Regulation)

Why GDPR Matters

The 7 GDPR Principles

Who Must Comply

Key Rights for Individuals

Fines and Enforcement

Key Regulation

GDPR vs UK GDPR: Key Differences, Transfer Mechanisms, and Practical Implications in 2026

Compliance Glossary: Key Terms and Definitions 2026

7 GDPR Mistakes That Could Cost Your Company Millions in 2025

Want more than the definition?

GDPR (General Data Protection Regulation)

Why GDPR Matters

The 7 GDPR Principles

Who Must Comply

Key Rights for Individuals

Fines and Enforcement

Key Regulation

GDPR vs UK GDPR: Key Differences, Transfer Mechanisms, and Practical Implications in 2026

Compliance Glossary: Key Terms and Definitions 2026

7 GDPR Mistakes That Could Cost Your Company Millions in 2025

Want more than the definition?