The General Data Protection Regulation (GDPR) is the EU's comprehensive data protection law that sets strict requirements for how organizations collect, use, store, and protect personal data. Understanding GDPR basics—key definitions, principles, individual rights, and lawful processing bases—is essential for anyone handling personal information in business contexts.
The General Data Protection Regulation came into effect in May 2018, replacing the 1995 Data Protection Directive. GDPR harmonizes data protection law across all EU member states and gives individuals stronger rights over their personal data. It applies not only to organizations established in the EU, but also to those offering goods or services to EU residents or monitoring their behavior.
Personal data under GDPR is any information relating to an identified or identifiable individual. This includes obvious identifiers like names and email addresses, but also IP addresses, location data, online identifiers, and anything that could be combined with other information to identify someone. Special category data—including health information, racial or ethnic origin, political opinions, religious beliefs, and sexual orientation—receives extra protection and generally requires explicit consent to process.
GDPR distinguishes between data controllers (who determine why and how data is processed) and data processors (who process data on behalf of controllers). Understanding your role is crucial because it determines your obligations. Controllers bear primary responsibility for compliance, while processors must implement appropriate security measures and assist controllers with individual rights requests. Most organizations act as controllers for some processing and processors for other activities.
GDPR compliance begins with identifying a lawful basis for processing. You must choose from six options: consent, contract, legal obligation, vital interests, public task, or legitimate interests. Consent must be freely given, specific, informed, and unambiguous—pre-ticked boxes and silence don't count. The contract basis applies when processing is necessary to fulfill a contract with the individual. Legal obligation covers processing required by law, while vital interests protect someone's life. Public task applies mainly to public authorities, and legitimate interests requires balancing your needs against the individual's rights.
Once you've established a lawful basis, you must follow GDPR's six principles. This means processing data lawfully, fairly, and transparently; collecting it only for specified purposes; minimizing what you collect to what's necessary; keeping it accurate; deleting it when no longer needed; and securing it appropriately. The accountability principle requires you to demonstrate compliance through documentation like records of processing activities, privacy notices, and data protection impact assessments for high-risk processing.
Individuals have eight key rights: to be informed (through privacy notices), to access their data, to rectify inaccuracies, to erase data in certain circumstances, to restrict processing, to data portability, to object to processing, and rights regarding automated decision-making. You must respond to rights requests within one month, usually free of charge. Data breaches that risk individuals' rights must be reported to supervisory authorities within 72 hours, and individuals must be notified directly if the breach poses high risk.
Learning GDPR effectively requires understanding both the concepts and their practical application. Start by mastering key definitions—personal data, controller, processor, processing, consent, legitimate interests—because these terms form the foundation of every requirement. Many compliance mistakes stem from misunderstanding basic terminology, particularly the difference between controllers and processors or the scope of personal data.
Next, focus on the six data protection principles as your framework for all processing decisions. When evaluating any data handling activity, ask: Do we have a lawful basis? Are we being transparent? Is this data necessary? How long should we keep it? Is it adequately secured? Can we demonstrate compliance? These questions translate principles into practical decision-making. Similarly, memorize the individual rights and the one-month response timeframe, since rights requests are common and time-sensitive.
Use these flashcards to build active recall of GDPR requirements. The goal isn't just to recognize concepts when reading about them, but to retrieve and apply them when making decisions or answering questions. Practice explaining concepts in simple language—if you can teach it clearly, you understand it. Connect new knowledge to real scenarios from your workplace: Which lawful basis do we use for customer newsletters? How would we handle a data breach? What would a DPIA look like for this project? This practical application cements theoretical knowledge into working understanding you can use every day.
Yes, GDPR applies to organizations of all sizes if they process EU residents' personal data. While some exemptions exist for companies under 250 employees (like maintaining records of processing activities), most core obligations apply regardless of size. If you have a website accessible to EU visitors, email customers, or maintain employee records, you likely need to comply with GDPR.
Consent requires an individual to actively agree to processing through a clear affirmative action. It must be freely given, with a genuine choice. Legitimate interests doesn't require the individual's agreement; instead, you assess whether your need for processing is balanced against the individual's rights and interests. Legitimate interests is often more appropriate than consent for business purposes like fraud prevention or direct business relationships.
You must appoint a DPO if you're a public authority, if your core activities involve regular and systematic monitoring of individuals on a large scale, or if your core activities involve large-scale processing of special category data. Many private companies don't meet these thresholds, though they may choose to appoint a DPO or privacy officer voluntarily.
The right to erasure (right to be forgotten) allows individuals to request deletion in specific circumstances, such as when data is no longer necessary, when they withdraw consent, or when processing is unlawful. However, you can refuse if you have a legal obligation to retain data, need it for legal claims, or have other legitimate grounds. If you mistakenly delete data you were legally required to keep, this could itself be a compliance issue, highlighting the importance of retention schedules and deletion procedures.