TL;DR
GDPR (General Data Protection Regulation) is EU law governing personal data protection. It applies to any organization handling EU residents' data, regardless of location. Key requirements include consent for data collection, data minimization, breach notification within 72 hours, and user rights like deletion and portability. Non-compliance can result in fines up to 4% of global revenue.
The Simple Explanation
GDPR gives EU residents control over their personal data. If you collect their names, emails, IP addresses, or any identifying information, you must follow the rules. Get consent, only collect what you need, keep it secure, and let users access, correct, or delete their data when asked.
Key GDPR Principles
- Lawfulness: Have a legal basis for processing data
- Purpose limitation: Only use data for stated purposes
- Data minimization: Collect only what you need
- Accuracy: Keep data correct and up to date
- Storage limitation: Delete data when no longer needed
- Security: Protect data appropriately
- Accountability: Demonstrate compliance
User Rights
| Right | What It Means |
|---|---|
| Access | Users can request a copy of their data |
| Rectification | Users can correct inaccurate data |
| Erasure | Users can request deletion (right to be forgotten) |
| Portability | Users can receive data in machine-readable format |
| Object | Users can object to certain processing |
Compliance Requirements
- Privacy Policy: Clear explanation of data practices
- Consent: Explicit opt-in for non-essential processing
- Cookie Banner: Consent before non-essential cookies
- Data Processing Agreements: Contracts with vendors
- Breach Notification: Report to authorities within 72 hours
- Data Protection Officer: Required for some organizations
- Privacy Impact Assessments: For high-risk processing
Consent must be freely given. You cannot bundle consent with terms of service for unrelated processing. Users must be able to refuse non-essential data collection without losing access to the service.
Does GDPR apply to my company outside the EU?
Yes, if you process personal data of EU residents. GDPR applies based on whose data you handle, not where you are located. If EU residents use your service or you market to them, GDPR applies regardless of your company's location.
What are the penalties for GDPR violations?
Fines up to 20 million euros or 4% of annual global revenue, whichever is higher. Lower-tier violations can result in fines up to 10 million euros or 2% of revenue. Regulators consider factors like severity, duration, and cooperation when determining penalties.
What rights do users have under GDPR?
Users have the right to access their data, correct inaccuracies, request deletion (right to be forgotten), restrict processing, receive their data in portable format, and object to certain processing. You must be able to fulfill these requests within 30 days.