General Data Protection Regulation

A speaker presenting about GDPR compliance during a workshop at the 2019 Global Entrepreneurship Summit.

The General Data Protection Regulation (GDPR) is a European Union regulation that protects people's personal information. It helps people control what happens to their personal details, like their name, address, or online activity. The GDPR started on 25 May 2018 and applies to all countries in the European Union and the European Economic Area.

This regulation makes it easier for people to know who is using their information and how it is being used. It also gives people the right to ask for their data to be removed or corrected. Businesses that collect personal data must follow these rules, which helps keep people's information safe.

Because of the GDPR, many other countries have created similar laws to protect people's privacy. Even after the United Kingdom left the European Union, it made its own version, called the "UK GDPR", that is almost the same. This shows how important and influential these privacy rules have become around the world.

Contents

The GDPR (General Data Protection Regulation) has eleven parts that cover important ideas about protecting personal information. These parts talk about basic rules, the rights people have over their information, the duties of the organisations that handle it, moving information between countries, and more.

General provisions

The rules apply if a company or person who handles information is in the European Union (EU). They also apply to companies outside the EU if they handle information about people in the EU. The rules help make sure people’s information is protected and used properly.

Principles and lawful purposes

There are six main rules for handling personal information correctly. These rules make sure information is used fairly, for the right reasons, and in a way that people can understand. Companies need to have a good reason to use someone’s information, like getting permission or doing a job that helps the public.

Rights of the data subject

CCTV sign in Luxembourg with notification of data collection

People have the right to know what information is stored about them and how it is used. They can also ask to see their information, correct it, or even ask for it to be removed in some cases. Companies must make it easy for people to exercise these rights.

Controller and processor

Companies that collect and handle personal information must tell people what information they are collecting and why. They must also protect the information and tell people if there is ever a problem with the information. Some companies must have a special person, called a data protection officer, to help make sure they follow these rules.

GDPR Certification

There are special labels that companies can get to show they are following the GDPR rules. These labels help make sure companies are protecting people’s information properly.

Remedies, liability and penalties

If companies do not follow the GDPR rules, they can face big fines. These fines can be up to €20 million or 4% of the company’s yearly income, whichever is larger. This helps make sure companies take these rules seriously and protect people’s information.

Exemptions

Some situations are not covered by the GDPR, or have their own separate rules instead. These include personal or household activities, law enforcement, and national security.

For an entity or "enterprise" to fall under the GDPR, it must be involved in "economic activity." This idea of economic activity is defined broadly under European Union competition law.

Applicability outside of the European Union

The General Data Protection Regulation (GDPR) also applies to companies and organizations outside the European Economic Area if they offer goods or services to people in the EEA, or if they track the behavior of people in the EEA. This means that even if a company is not based in Europe, it must follow these rules when dealing with people in Europe.

Non-EU companies must have a representative in the European Union to help with following the GDPR rules. This representative acts as a contact point for questions about privacy and data protection. There are some exceptions, such as for occasional small-scale data handling, where a representative is not needed. The GDPR also places rules on sharing personal data with countries outside the EEA, requiring certain safeguards to protect that data.

Misconceptions

Many people have misunderstandings about the GDPR. One common belief is that you always need someone's permission to use their personal information. However, there are other ways to legally use data without permission if it fits certain rules.

Another misunderstanding is that people can always ask to have all their data removed. While people can stop receiving marketing messages, companies can still keep some information if they have a good reason and if it's needed for the purpose it was collected. Also, even if names are removed and replaced with numbers, the data can still count as personal information if it can be linked back to a person in another way. Finally, GDPR doesn't apply to everyone worldwide who handles data from EU citizens. It mainly affects companies outside the EU only when they are providing services or tracking the behavior of people living in the EU.

Reception

Many companies believe they can follow the rules set by the GDPR over time. Even companies outside of Europe have worked hard to meet these rules, especially when it comes to recording calls. Just saying "okay to record" isn't enough—companies need to stop recording if someone says they don't want to be recorded anymore.

Experts think following GDPR will cost money. Most IT workers think companies will need to spend at least US$100,000. Some worry that smaller businesses, like new startups, might struggle more than big tech companies like Facebook and Google. There has also been confusion about what the rules mean exactly.

Some people think GDPR is good because it helps companies manage data better. Mark Zuckerberg said it’s a positive step for the Internet. Groups that protect consumers also support it. Some experts, like Richard Stallman, like parts of it but think there could be more protections.

Impact

Many companies and websites changed how they handled private information when the GDPR started. They sent many emails about these changes, which annoyed people. Some of these emails were not correct, and a few were even designed to trick people.

Research shows that about 25% of software problems can affect private information. Experts suggest that companies should find and fix these problems before they cause trouble.

Some websites stopped allowing people from EU countries to visit, or they gave a simpler version of their service. A few companies even stopped working because they thought the GDPR made it too hard.

In 2020, two years after the GDPR started, many people in the EU knew more about their rights to their private information. Privacy became something that people care about when they choose which companies to use.

Enforcement and inconsistency

Main article: GDPR fines and notices

Some big companies like Facebook, WhatsApp, Instagram, and Google faced legal actions soon after the GDPR started. They were accused of not giving people enough choice about how their information is used.

A GDPR compliance workshop at the 2019 Global Entrepreneurship Summit

In 2019, Google was fined a lot of money by France for not being clear enough about how they used people’s information for ads. British Airways was also fined for not keeping information safe.

Different countries in the EU have handled the GDPR in different ways, which has made it hard to enforce the rules evenly. Some smaller countries have had trouble keeping up with investigating big companies.

In 2024 and 2025, more actions were taken. TikTok was fined a lot of money for not protecting children’s information well enough. Meta was fined even more for moving information between the EU and the US without permission.

Influence on foreign laws

The GDPR has influenced laws in other countries. For example, California in the United States passed a law similar to the GDPR in 2018. Other U.S. states like Virginia and Colorado have also made similar laws.

Turkey, which wants to join the EU, made a law to protect private information in 2016. China made a similar law in 2021. Switzerland is also planning a new law based on the GDPR.

Website views and revenue

A study in 2024 found that the GDPR caused a drop in how many times people visited websites and how much money websites made in the EU.

Timeline

The GDPR started with a proposal on 25 January 2012. Over the next few years, different groups worked together to agree on the rules. By 24 May 2016, it officially became a law. Two years later, on 25 May 2018, the rules started being used in all European Union countries. Soon after, on 20 July 2018, three more countries — Iceland, Liechtenstein, and Norway — also agreed to follow these rules.

EU Digital Single Market

The EU Digital Single Market is a plan to help businesses and people in the EU use digital tools better. Important rules like the GDPR and the NIS Directive started on 25 May 2018 to protect personal information and make sure digital services are safe. There was also a plan called the ePrivacy Regulation that was supposed to start at the same time, but it will take a few more months. The eIDAS Regulation is another part of this plan to make digital services work well.

The European Council thinks the GDPR is very important for making new digital rules in the future.

This article is a child-friendly adaptation of the Wikipedia article on General Data Protection Regulation, available under CC BY-SA 4.0.

Images from Wikimedia Commons.