Jump to

General Data Protection Regulation (GDPR)

What is GDPR?

General Data Protection Regulation (GDPR) is a comprehensive data protection law that came into effect on May 25, 2018, within the European Union (EU). It aims to provide individuals with greater control over their personal data and harmonize data protection laws across EU member states.

The General Data Protection Regulation supersedes Directive 95/46/EC, enhancing and unifying data protection laws across the European Union (EU). While Directive 95/46/EC established fundamental data protection principles, GDPR modernizes and unifies these regulations, providing stronger rights for individuals and stricter enforcement mechanisms. GDPR addresses contemporary digital challenges, ensuring a consistent, robust framework directly applicable across all EU member states, thereby resolving the inconsistencies and fragmentation caused by the directive's national implementations.

GDPR's Scope

The General Data Protection Regulation (GDPR) applies to the processing of personal data wholly or partly by automated means, as well as to non-automated processing of personal data that forms part of a filing system. It covers activities within the scope of Union law and includes exemptions for processing carried out in personal or household contexts, by Member States for certain activities, and by competent authorities for law enforcement purposes.

GDPR has a broad territorial scope, applying to entities within the EU that process personal data. Additionally to entities outside the EU that offer goods or services to, or monitor the behavior of, individuals within the EU. This ensures that the regulation protects the personal data of individuals within the EU, regardless of where the data processing entity is located.

Key Obligations under GDPR

Key obligations under General Data Protection Regulation includes, but are not limited to:

  • Establishing a lawful basis for processing.
  • Ensuring transparency and fairness in data processing.
  • Respecting and facilitating data subject rights.
  • Implementing appropriate data security measures.
  • Conducting Data Protection Impact Assessments (DPIAs).
  • Notifying authorities and individuals of data breaches.
  • Appointing a Data Protection Officer (DPO) when required.
  • Maintaining accountability and comprehensive record-keeping.
  • Ensuring adequate protection for international data transfers.
  • Managing and obtaining valid consent.
  • Informing data subjects about the processing of their personal data, as outlined in Article 14 of the GDPR.

Why GDPR is Important:

  • Enhanced Privacy Rights: GDPR provides EU citizens with greater control over their personal data. Including rights to access, correct, delete, and restrict processing of their data.
  • Harmonization of Data Protection Laws: By standardizing privacy laws across the EU, GDPR simplifies the regulatory environment for businesses.
  • Increased Trust: By ensuring strong data protection practices, GDPR helps build trust between businesses and consumers.
  • Severe Penalties for Non-Compliance: Organizations can face heavy fines up to 4% of annual global turnover or €20 million.


General Data Protection Regulation has profoundly impacted how data is handled across the globe, emphasizing privacy, security, and transparency. For businesses, GDPR compliance is essential to protect personal data and maintain trust with customers.