Learn the principles of the GDPR and understand how this European data protection law governs the collection of data in Europe and beyond.
The GDPR, or General Data Protection Regulation, is a European legal framework for collecting and using personal data.
The GDPR applies to businesses around the world that collect data from consumers in the European Union (EU).
Fines for violating the GDPR are extremely high, reaching up to 4 percent of annual turnover or 20 million euros, whichever is higher [1].
You can earn or enhance customer trust by adhering to GDPR standards for data protection.
Discover what the GDPR is, how it governs the collection and use of data in Europe and the rest of the world, and some benefits and limitations of complying with this framework. When you’re ready to learn how to safeguard sensitive information in the cloud, enroll in the Google Cloud Cybersecurity Professional Certificate. This beginner-friendly program also offers guidance on developing and implementing risk management and compliance strategies.
The GDPR is a European legal framework outlining rules for collecting and using personal data. Approved in 2016 and in effect since 2018, it is a highly strict data protection law with global reach. Its introduction obliged many companies to rewrite their data protection policies and privacy procedures.
The GDPR is a data security law that protects European consumer data by requiring organizations handling this information to follow strict rules on how it is stored and used. Data breaches have become common as more data is collected and stored in the cloud. Europe’s general data protection legislation puts consumers in control of their data and of how companies use it, and any company that violates the GDPR is subject to heavy fines.
The GDPR established a standardized approach to protecting consumer data and aims to stop companies and public entities from using it unlawfully. It gives people in the EU the right to know what information businesses and organizations store about them and a say in how those organizations process it. The GDPR outlines seven principles that companies must adhere to when storing and using data.
Lawfulness, fairness, and transparency: As a company or organization collecting data, you must disclose what you will use it for and have consumer consent to do so.
Purpose limitation: You must use any data you collect from consumers only for the stated purpose, which must be clearly outlined. If your organization wants to use an individual’s data for a new purpose other than the one stated, you must contact them again for consent.
Data minimization: Companies must only collect data needed to fulfill their purpose. For example, you do not need to collect a phone number to subscribe a customer to an email list, so you should not ask for this.
Accuracy: Stored data must be accurate and audited regularly. Consumers have the right to change any data that is not accurate.
Storage limitation: Companies must justify how long they keep consumer data, which must be relevant to the need. You might detail this in a storage limitation policy.
Integrity and confidentiality: Companies and organizations storing consumer data must ensure that it is safe from any threat, security breach, or damage. You must outline this in a policy and maintain it as an essential business practice.
Accountability: Records, policies, measures, and evidence must be in place to prove that a company or organization is adhering to the GDPR. Supervisory authorities can ask for this at any time.
While the GDPR is a European data protection law, it affects businesses worldwide that collect data from consumers in the EU. Given the nature of online business, most companies outside Europe have some European customers or use data to track website visitors who may be in Europe, and so must comply with the GDPR.
Fines for violating the GDPR are extremely high, showing the importance the EU places on keeping data safe and using it ethically. For severe breaches of the GDPR, fines may total up to 4 percent of annual turnover or up to 20 million euros, whichever is higher [1]. For less extreme violations, fines can still be as high as 2 percent of global annual turnover [1].
To highlight the severity of GDPR fines, in early 2023, Meta Platforms Ireland received a fine of 1.2 billion euros for unlawfully transferring data to the US [2].
The GDPR has many benefits for the public and organizations that collect data, as it clearly outlines expectations and adds a layer of protection in a world where data security is a real threat. Let’s explore these benefits in more detail.
The GDPR protects consumers’ rights since businesses must follow strict guidelines around gathering and processing data. Consumers have the right to access their personal data and know how companies use it.
Showing that your business works in line with the GDPR and takes it seriously builds trust with consumers and site visitors and enhances your reputation as an organization that recognizes the importance of data protection.
The GDPR ensures that proper security is in place to protect data; otherwise, heavy fines may apply. This aligns with cybersecurity practices that ensure data is not accessed unlawfully.
Companies collecting data can be a worry for consumers. The GDPR puts the consumer in control by ensuring companies clearly outline the data they collect and state exactly how they will use it. Consumers can opt in or decide not to allow your company to use their data.
The GDPR safeguards citizens who are living in any country in the EU. It also governs businesses outside the EU that may deal with consumer data from the EU.
The California Consumer Privacy Act (CCPA), while limited in scope, ensures data transparency for California residents. In contrast, the GDPR governs data privacy across the EU. While the CCPA enables consumers to opt out of data processing, the GDPR grants individuals the right to object to data processing.
The GDPR has brought many benefits for protecting data and ensuring tight security; however, it has limitations, especially for small businesses. Let’s take a look below.
GDPR compliance involves a great number of policies and procedures, often at significant expense, and many small and medium-sized enterprises (SMEs) find it difficult to comply. Data security methods such as encryption can be confusing, especially for small businesses without technical expertise.
Failing to comply with the GDPR can mean substantial fines that may run into millions of euros. This is a concern for any business, but for a small business it can be enough to force it to cease trading.
1. GDPR.EU. “What are the GDPR Fines?” https://gdpr.eu/fines/. Accessed June 8, 2026.
2. European Data Protection Board. “1.2 Billion Euro Fine for Facebook as a Result of EDPB Binding Decision.” https://edpb.europa.eu/news/news/2023/12-billion-euro-fine-facebook-result-edpb-binding-decision_en. Accessed June 8, 2026.
Editorial Team
Coursera’s editorial team comprises highly experienced professional editors, writers, and fact...