What Is the GDPR?
The General Data Protection Regulation (GDPR) is a comprehensive data privacy law that came into effect in the European Union in May 2018. It governs how organizations collect, store, process, and share personal data belonging to people in the EU and European Economic Area (EEA). A company based outside Europe is still subject to GDPR if it processes the data of EU residents.
GDPR has become a global benchmark for data privacy legislation, influencing laws in countries around the world.
What Counts as Personal Data?
Under GDPR, "personal data" is defined broadly. It includes any information that can directly or indirectly identify a person:
- Name, address, email address
- IP address and device identifiers
- Location data
- Biometric data (fingerprints, facial recognition)
- Health and medical records
- Browsing history and cookies (where linked to an individual)
Your Rights Under GDPR
GDPR grants individuals a set of enforceable rights over their personal data:
Right to Be Informed
Organizations must tell you what data they collect, why, and how long they keep it — typically through a privacy notice.
Right of Access
You can request a copy of all personal data a company holds about you. This is called a Subject Access Request (SAR), and the company generally has one month to respond.
Right to Rectification
If data about you is inaccurate or incomplete, you have the right to have it corrected.
Right to Erasure ("Right to Be Forgotten")
In certain circumstances, you can request that your data be deleted — for example, if you withdraw consent or the data is no longer necessary for the original purpose.
Right to Data Portability
You can ask for your data in a machine-readable format and transfer it to another service provider.
Right to Object
You can object to the processing of your data for purposes such as direct marketing. Organizations must stop unless they have compelling legitimate grounds to continue.
What Does GDPR Require of Companies?
| Requirement | What It Means in Practice |
|---|---|
| Lawful basis for processing | Must have consent, contract, legal obligation, or legitimate interest to use your data |
| Data minimization | Only collect data that is necessary for the stated purpose |
| Breach notification | Must notify regulators within 72 hours of discovering a data breach |
| Privacy by design | Build privacy protections into systems and products from the start |
| Consent requirements | Consent must be freely given, specific, and easy to withdraw |
GDPR vs. CCPA: A Quick Comparison
The California Consumer Privacy Act (CCPA) is the closest US equivalent to GDPR, though there are key differences. GDPR requires opt-in consent for data processing in many cases; CCPA generally uses an opt-out model. GDPR applies to nearly all organizations handling EU residents' data; CCPA applies to for-profit businesses meeting certain thresholds. Both laws give individuals the right to access and delete their data.
How to Exercise Your Rights
- Find the privacy policy or privacy rights page of the company in question.
- Submit a Subject Access Request or deletion request through their designated channel (email, web form, or in-app).
- The company must respond within one month (extendable to three in complex cases).
- If they fail to comply, you can lodge a complaint with your national data protection authority (e.g., the ICO in the UK, or the relevant supervisory authority in your EU country).
Why It Matters Even Outside the EU
Even if you don't live in the EU, GDPR has raised the standard for how global companies handle data. Many organizations apply GDPR-level protections worldwide because managing separate standards is costly. Understanding GDPR helps you know what to demand from any company that handles your personal information.