The General Data Protection Regulation: A Plain-English Guide
What GDPR is, where it came from, who it applies to, and what it actually requires you to do.
What is GDPR?
The General Data Protection Regulation (Regulation (EU) 2016/679) is the primary data protection law in the European Union. It establishes the legal framework for how organisations must collect, store, process, and transfer personal data belonging to individuals in the EU and European Economic Area (EEA).
GDPR gives individuals — "data subjects" in the regulation's terminology — a broad set of rights over their personal data, and imposes corresponding obligations on the organisations that process it. It replaced the 1995 Data Protection Directive and represented a significant expansion in both scope and enforcement.
A brief history
The European Commission first proposed a comprehensive reform of EU data protection rules in 2012. Negotiations between the Parliament, Council, and Commission (the "trilogue") took four years, reflecting deep disagreement about the balance between privacy rights and economic interests.
GDPR was formally adopted on 27 April 2016 and published in the Official Journal of the EU on 4 May 2016. It entered into force on 25 May 2016, with a two-year transition period — making it enforceable from 25 May 2018.
The regulation was shaped by growing public concern about how tech companies handled personal data, a series of high-profile data breaches in the early 2010s, and the Snowden revelations of 2013, which highlighted the scale of government and corporate surveillance. The European Court of Justice's Schrems I ruling in 2015, which invalidated the Safe Harbour framework for EU-US data transfers, added further urgency to the reform.
Who does GDPR apply to?
GDPR applies to any organisation that processes the personal data of individuals in the EU or EEA — regardless of where the organisation itself is located. This extraterritorial scope (Article 3) was one of the most significant departures from the 1995 Directive.
In practice, if you operate a website that serves EU users, offer goods or services to EU residents, or monitor the behaviour of people in the EU, GDPR applies to you — whether your company is based in San Francisco, Singapore, or Stockholm.
The regulation distinguishes between two key roles: controllers, who determine the purposes and means of processing, and processors, who process data on behalf of controllers. Both carry legal obligations, but controllers bear primary responsibility for compliance.
Core principles (Article 5)
GDPR is built on six data protection principles that apply to all processing of personal data:
- Lawfulness, fairness, and transparency: Processing must have a valid legal basis. Individuals must be told how their data is used.
- Purpose limitation: Data collected for one purpose may not be repurposed for an incompatible use.
- Data minimisation: Only collect what is actually necessary for the stated purpose.
- Accuracy: Personal data must be kept accurate and up to date.
- Storage limitation: Data must not be kept longer than necessary. Retention periods must be defined.
- Integrity and confidentiality: Appropriate security measures must be applied to protect personal data.
Article 5(2) adds a seventh principle: accountability. Controllers must not only comply with these principles but be able to demonstrate compliance. This is why documentation — ROPAs, LIAs, DPIAs, DPAs — is so central to a real GDPR programme.
Individual rights (Articles 15–22)
GDPR grants data subjects eight enforceable rights. Organisations must respond to requests within 30 days (extendable to 90 in complex cases, with notification):
- Right of access (Art. 15) — Receive a copy of all personal data held about you.
- Right to rectification (Art. 16) — Have inaccurate or incomplete data corrected.
- Right to erasure / "right to be forgotten" (Art. 17) — Request deletion of personal data.
- Right to restriction (Art. 18) — Pause processing while a dispute is resolved.
- Right to data portability (Art. 20) — Receive data in a machine-readable format.
- Right to object (Art. 21) — Object to processing based on legitimate interests or for marketing.
- Rights related to automated decision-making (Art. 22) — Challenge decisions made solely by automated means.
Enforcement and fines
GDPR introduced a two-tier fine structure that was unprecedented in EU regulatory history:
- Up to €10 million or 2% of global annual turnover (whichever is higher) — for less severe infringements, including failure to maintain records or notify breaches.
- Up to €20 million or 4% of global annual turnover (whichever is higher) — for more severe infringements, including breaches of core principles, unlawful processing, or violation of data subject rights.
Enforcement is carried out by national Data Protection Authorities (DPAs). For organisations operating across multiple EU member states, the "lead supervisory authority" concept applies — the DPA of the member state where the organisation has its main establishment acts as the lead regulator.
Since enforcement began in May 2018, DPAs have issued over €4 billion in fines. The largest single penalty — €1.2 billion against Meta Ireland — was issued by the Irish DPA in May 2023.
Key operational requirements
Beyond individual rights, GDPR imposes several operational obligations on organisations:
- Records of Processing Activities (ROPA, Art. 30): A documented inventory of all processing activities, including purpose, legal basis, data categories, retention periods, and sub-processors.
- Data Processing Agreements (DPAs, Art. 28): Mandatory contracts with any third-party processor handling personal data on your behalf.
- Data Protection Impact Assessments (DPIAs, Art. 35): Required before high-risk processing activities commence.
- 72-hour breach notification (Art. 33): Supervisory authorities must be notified of personal data breaches within 72 hours of becoming aware.
- Privacy notices (Art. 13/14): Clear, accessible information provided to data subjects at the time of collection.
- Data Protection Officer (Art. 37): Mandatory for public authorities, organisations processing special category data at scale, or those conducting large-scale systematic monitoring.
See what a real GDPR document looks like
Kortave produces a complete Art. 30 Record of Processing Activities — covering all processing activities, legal bases, retention schedules, sub-processors, DPIAs, Transfer Impact Assessments, and LIAs. Here's a full example for a fictional Dutch HR-SaaS company.
View example GDPR document →
GDPR compliance, automated
Kortave handles deletion requests, access requests, and documentation automatically. No lawyers required.