What Is GDPR? 5 Things You Need to Know

What is GDPR: the EU General Data Protection Regulation explained with the five things businesses need to know about compliance

What is GDPR? The General Data Protection Regulation (Regulation (EU) 2016/679) is the European Union’s comprehensive data protection law, applicable since May 25, 2018. It governs how organizations, of any size and wherever they are based, handle the personal data of individuals who are in the EU. The five things every business needs to understand about GDPR are its territorial reach (it can apply to you even if you are not in Europe), the categories of personal data it covers, the rights it grants to individuals, the obligations it places on data controllers and processors, and the enforcement consequences for non-compliance. The fines alone (up to €20 million or 4% of worldwide annual turnover, whichever is higher) make it worth understanding.

This post walks through each of the five practical facts a business operator needs to know. Mere reachability of your website from the EU does not by itself trigger GDPR, but if you sell, ship or market to people in the EU, or track visitors who are there, you have GDPR exposure; the only question is what you do about it. For broader privacy and security context, see our coverage in the security section.

1. GDPR applies to you even if your business is not in Europe

This is the misunderstanding most likely to get businesses in trouble. GDPR’s territorial scope is defined in Article 3 of the regulation, and it reaches well beyond EU-based organizations:

  • Any organization with an establishment in the EU, for processing carried out in the context of that establishment, whether or not the processing itself happens inside the EU (Article 3(1)).
  • Any organization outside the EU that offers goods or services to individuals in the EU, whether paid or free (Article 3(2)(a)).
  • Any organization outside the EU that monitors the behavior of individuals in the EU, for example through cookies, analytics or behavioral tracking (Article 3(2)(b)).

For a small business in the United States, the practical implication is: if you sell or ship to people in the EU, market to them (an EU-language version of your site, prices in euros and EU shipping options are the indicators Recital 23 lists), or track visitors who are in the EU, GDPR applies. The size of your business does not matter. The location of your business does not matter. Note that the test is physical presence in the EU, not citizenship or residency: an EU citizen browsing from New York is outside Article 3(2), while an American on holiday in Paris is inside it. What matters is whose data you are processing.

The first thing to do is document who your data subjects are. If your customer base is genuinely 100% outside the EU (you only sell into specific non-EU markets, you only have local customers, you do not ship to the EU), document that. If even a fraction of your customers, leads, or visitors are in the EU, you have GDPR exposure that needs management.

2. GDPR’s definition of "personal data" is broad

Many businesses underestimate what GDPR considers personal data. Article 4 defines it as "any information relating to an identified or identifiable natural person." The "identifiable" part is what makes the scope broad:

  • Direct identifiers: name, email address, phone number, address, ID number.
  • Online identifiers: IP address, cookies, device IDs, browser fingerprints.
  • Indirect identifiers: anything that, combined with other data, can identify a specific individual. Job title plus employer can do it. ZIP code plus age plus gender can do it.
  • Special categories of personal data (Article 9): racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used to uniquely identify a person, health data, and data concerning a person’s sex life or sexual orientation. Processing these is prohibited unless one of the Article 9(2) exceptions applies; for most businesses the only realistic exception is the data subject’s explicit consent.

For most business websites, the regular data flow (analytics tracking, contact form submissions, newsletter signups, customer accounts) involves personal data under GDPR’s definition. Treating IP addresses, cookies, and device IDs as "anonymous" data is a common compliance error: the CJEU held in Breyer (C-582/14, 2016) that even a dynamic IP address is personal data when the holder has lawful means of linking it to a person.

3. GDPR grants specific rights to individuals

GDPR establishes eight rights for individuals (data subjects) that businesses must respect:

  • Right to be informed: individuals must be told what data you collect, why, how long you keep it, who you share it with, and what rights they have.
  • Right of access: individuals can request a copy of all personal data you hold about them.
  • Right to rectification: individuals can request correction of inaccurate data.
  • Right to erasure (the “right to be forgotten”): individuals can request deletion of their data under specific circumstances.
  • Right to restrict processing: individuals can request that you stop processing their data without deleting it.
  • Right to data portability: individuals can request their data in a machine-readable format to take it elsewhere.
  • Right to object: individuals can object to specific kinds of processing (especially direct marketing).
  • Rights related to automated decision-making: individuals have protections against decisions made entirely by algorithms with significant effects on them.

Businesses must have processes in place to handle these requests within one month of receipt (extendable by a further two months for complex or numerous requests, provided the individual is told of the extension within the first month), and normally free of charge (Article 12). The process needs to be documented, the staff need to know how to recognize and route a request, and the responses need to actually meet the requirement, including a way to verify that the requester is the data subject before handing over anyone’s data.

4. GDPR imposes specific obligations on data controllers and processors

GDPR distinguishes between two roles:

  • Data controller: the entity that determines why and how personal data is processed. For your website, your business is the controller.
  • Data processor: the entity that processes data on behalf of a controller. Your email marketing platform, hosting provider, CRM vendor, and analytics tools are processors.

As a data controller, you have obligations:

  • Lawful basis for processing: every data processing activity needs a documented lawful basis (consent, contract, legal obligation, vital interests, public task, or legitimate interests). “We need the data” is not a lawful basis.
  • Privacy notices: a clear, accessible privacy policy that explains what you collect, why, how long you keep it, who you share it with, and what rights individuals have.
  • Data Processing Agreements (DPAs): written agreements with every data processor (every SaaS vendor, hosting provider, marketing tool) defining the data handling terms.
  • Security measures: appropriate technical and organizational measures to protect personal data (encryption, access controls, employee training, breach response).
  • Breach notification: notify the relevant supervisory authority within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals; document every breach internally whether or not it is notified (Article 33). Notify affected individuals “without undue delay” if the breach is likely to result in a high risk to them (Article 34).
  • Data Protection Impact Assessment (DPIA): for high-risk processing activities, conduct a formal impact assessment before starting.
  • Data Protection Officer (DPO): required where the processing is carried out by a public authority, where core activities involve large-scale regular and systematic monitoring of individuals, or where core activities involve large-scale processing of special-category or criminal-conviction data (Article 37).

The obligations are substantial. Small businesses with simple data flows can meet them through standard SaaS vendor relationships and a privacy-policy template; larger or more complex businesses need dedicated compliance attention.

5. GDPR enforcement is serious and the fines are real

The penalties for non-compliance are tiered:

  • Up to €10 million or 2% of worldwide annual turnover (whichever is higher) for the lower tier of violations (failure to maintain records, failure to notify a breach, failure to conduct a DPIA, failure to contract properly with processors, etc.).
  • Up to €20 million or 4% of worldwide annual turnover (whichever is higher) for the upper tier (violations of the basic principles, consent, data subject rights, lawful basis for processing, and international transfer rules).

Beyond fines, supervisory authorities can issue corrective orders, prohibit processing, and require destruction of data. Individuals can also sue for damages, including non-material damages like distress.

In the first weeks after GDPR became applicable in May 2018, supervisory authorities have already received complaints and opened investigations. Early major fines are expected through 2018 and 2019. The pattern signals that GDPR is not a paper regulation; the EU is taking enforcement seriously.

For a small or mid-sized business outside the EU, the realistic risk is not the maximum fine (those are reserved for the largest non-compliant operators) but the cost of remediation when a complaint or audit lands. Building basic compliance now is much cheaper than retrofitting compliance under regulatory pressure later. For broader security architecture context, see our piece on Zero Trust security, which complements the GDPR control-framework discussion.

Update (2026-05-12): the GDPR landscape since this post first published.

The five things in the body of this post still describe GDPR accurately. What has changed since 2018 is the enforcement track record, the related regulations, and the global landscape:

  • Major enforcement actions have accumulated. Notable fines include Meta (€1.2 billion in 2023 for unlawful data transfers), Amazon (€746 million in 2021), Google (multiple fines totaling hundreds of millions), and many smaller fines across sectors. GDPR enforcement is no longer theoretical.
  • Schrems II (July 2020) invalidated the EU-US Privacy Shield, complicating transatlantic data transfers. The EU-US Data Privacy Framework replaced it in July 2023, but cross-border transfer compliance remains complex.
  • ePrivacy Regulation has been in legislative limbo since 2017; it would update the rules for cookies and electronic communications. As of 2026 it has not been adopted; the existing ePrivacy Directive (2002, amended 2009) still governs.
  • Adjacent regulations: California’s CCPA/CPRA, Virginia VCDPA, Colorado CPA, Connecticut CTDPA, and other state laws have emerged. Brazil’s LGPD, Canada’s PIPEDA updates, and other national privacy frameworks have proliferated. The GDPR-aligned compliance pattern increasingly serves as the global default.
  • AI and GDPR interaction: the EU AI Act (effective phases through 2025-2027) adds new obligations for AI systems processing personal data. The intersection with GDPR is being worked out in regulatory guidance.
  • Cookie consent enforcement has tightened. The "consent or pay" debates of 2023-2024 have produced more specific guidance from supervisory authorities.
  • Data breach notification practices have matured; the 72-hour notification window has been tested in many real incidents.

The five things in this post remain the right framework for a business operator first encountering GDPR. The specific enforcement context and the broader privacy regulation landscape have continued to evolve.

Frequently Asked Questions

Do small businesses need to comply with GDPR?

Yes, if you process personal data of individuals in the EU in the circumstances Article 3 describes. There is no small-business exemption from GDPR. Some obligations scale with the nature of processing (e.g., the requirement to appoint a Data Protection Officer is triggered by specific criteria, not size alone, and the Article 30 record-keeping duty has a limited exemption for organizations under 250 employees), but the core obligations apply regardless of business size. The realistic small-business compliance path is to use GDPR-compliant SaaS vendors (most major vendors offer DPAs and EU data residency), publish a clear privacy policy, handle data subject requests when they arrive, and treat data minimization as a design principle.

What’s the difference between GDPR and the California Consumer Privacy Act (CCPA)?

GDPR and CCPA share similar goals (giving individuals rights over their personal data and obligating businesses to handle data responsibly) but differ in specifics. GDPR has broader territorial reach, is largely opt-in where CCPA is largely opt-out (the right to opt out of the “sale” or “sharing” of personal information), grants a longer list of individual rights, and carries higher penalties. CCPA applies only to for-profit businesses meeting specific thresholds (annual revenue, the volume of consumers’ data handled, or the share of revenue derived from selling personal information). A GDPR-compliant program covers most CCPA requirements, but CCPA-specific items such as the “Do Not Sell or Share My Personal Information” link and honoring Global Privacy Control signals still need attention. Our broader security coverage goes deeper on related compliance and risk frameworks.

How do I make my website GDPR compliant?

At minimum: publish a clear privacy policy explaining what data you collect and why; obtain explicit consent for cookies and tracking that requires consent (most analytics and marketing cookies); have a process to handle data subject requests; use GDPR-compliant vendors (or document why your processing remains compliant if a specific vendor is not); implement reasonable security measures appropriate to the data you handle. For higher-risk processing (e.g., handling health data, large-scale profiling), additional measures apply.

Are cookies a problem under GDPR?

Yes, for any cookie that is not strictly necessary. The consent requirement actually comes from the ePrivacy Directive (Article 5(3)), which requires consent before anything is stored on or read from a user’s device unless it is strictly necessary for a service the user asked for; GDPR supplies the definition of valid consent (freely given, specific, informed, unambiguous, given by a clear affirmative act). In practice, analytics, marketing and tracking cookies require consent before being set, while session cookies, load-balancer cookies and the cookie that records the consent choice itself do not. The practical implementation is a cookie consent banner that genuinely lets users accept or reject non-essential cookies, with rejecting as easy as accepting, and that does not set those cookies until the choice has been made. “Implied consent” patterns (continuing to use the site means you accept) and pre-ticked boxes do not meet the standard; the CJEU said so explicitly for pre-ticked boxes in Planet49 (C-673/17, 2019).
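The two FAQ answers above (making a website compliant, and cookies) both come down to the same control: non-essential cookies must not reach the browser until an explicit, affirmative consent record exists. A front-end banner alone is easy to bypass or misconfigure, so the example below, added here and not part of the original post, enforces the rule at the HTTP layer by filtering a response’s outgoing Set-Cookie headers against the consent state carried in the request. The cookie-name patterns, the `cookie_consent` record format and the sample response are assumptions made for illustration, not any standard or vendor format.

```javascript
// Added example (not from the original post): enforce cookie consent at the
// HTTP layer by filtering outgoing Set-Cookie headers against the visitor's
// recorded choices. Cookie-name patterns and the consent cookie format are
// assumptions for illustration, not a standard.

const COOKIE_CATEGORIES = [
  // "Strictly necessary" cookies never need consent. Assumed names.
  { category: 'necessary', pattern: /^(sessionid|csrftoken|cookie_consent)$/ },
  // Assumed analytics / marketing cookie names, as set by common tools.
  { category: 'analytics', pattern: /^(_ga|_gid|_gat)/ },
  { category: 'marketing', pattern: /^(_fbp|_gcl_au|ads_)/ },
];

function classifyCookie(name) {
  for (const { category, pattern } of COOKIE_CATEGORIES) {
    if (pattern.test(name)) return category;
  }
  // Fail closed: a cookie nobody classified is treated as non-essential.
  return 'unclassified';
}

// Parse a request Cookie header into a name -> value map.
function parseCookieHeader(header) {
  const cookies = {};
  for (const part of (header || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    const name = part.slice(0, eq).trim();
    const value = part.slice(eq + 1).trim();
    try { cookies[name] = decodeURIComponent(value); } catch (e) { cookies[name] = value; }
  }
  return cookies;
}

// Read the consent record. Absence, malformed data or an unknown version all
// mean "no consent": continuing to browse is never treated as agreement.
function readConsent(cookieHeader) {
  const none = { recorded: false, analytics: false, marketing: false };
  const raw = parseCookieHeader(cookieHeader).cookie_consent;
  if (!raw) return none;
  try {
    const rec = JSON.parse(raw);
    if (rec.v !== 1) return none;
    return { recorded: true, analytics: rec.analytics === true, marketing: rec.marketing === true };
  } catch (e) {
    return none;
  }
}

// Build the consent cookie from the banner's accept/reject choices.
// Only an affirmative true counts; anything else is recorded as a rejection.
function buildConsentCookie(choices, nowMs = Date.now(), maxAgeDays = 180) {
  const rec = { v: 1, analytics: choices.analytics === true, marketing: choices.marketing === true, ts: nowMs };
  return `cookie_consent=${encodeURIComponent(JSON.stringify(rec))}; Path=/; Max-Age=${maxAgeDays * 86400}; SameSite=Lax; Secure`;
}

// Split a response's Set-Cookie headers into those the consent state allows
// and those that must be dropped before the response leaves the server.
function filterSetCookies(setCookieHeaders, consent) {
  const kept = [];
  const dropped = [];
  for (const header of setCookieHeaders) {
    const eq = header.indexOf('=');
    const name = (eq === -1 ? header : header.slice(0, eq)).trim();
    const category = classifyCookie(name);
    const allowed = category === 'necessary' || (consent.recorded && consent[category] === true);
    (allowed ? kept : dropped).push(header);
  }
  return { kept, dropped };
}

// Constructed sample: a response that tries to set a session cookie, an
// analytics cookie and a marketing cookie in one go.
const SAMPLE_SET_COOKIES = [
  'sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax',
  '_ga=GA1.2.111.222; Path=/; Max-Age=63072000',
  '_fbp=fb.1.333.444; Path=/; Max-Age=7776000',
];

function demo() {
  // First visit: no consent record, so only the session cookie survives.
  const firstVisit = filterSetCookies(SAMPLE_SET_COOKIES, readConsent('sessionid=abc123'));
  // The visitor accepts analytics and rejects marketing in the banner.
  const consentCookie = buildConsentCookie({ analytics: true, marketing: false }, 1700000000000);
  const requestCookies = `sessionid=abc123; ${consentCookie.split(';')[0]}`;
  const laterVisit = filterSetCookies(SAMPLE_SET_COOKIES, readConsent(requestCookies));
  return { firstVisit, laterVisit };
}

if (typeof require !== 'undefined' && require.main === module) {
  const r = demo();
  console.log('first visit  kept:', r.firstVisit.kept.length, 'dropped:', r.firstVisit.dropped.length);
  console.log('after consent kept:', r.laterVisit.kept.length, 'dropped:', r.laterVisit.dropped.length);
}
```

Two design choices matter here. The filter fails closed: an unclassified cookie, a missing or malformed consent record, and a record written by an older format version are all treated as "no consent", which is the only reading compatible with the rejection of implied consent. And the consent cookie itself is classified as strictly necessary, since without it a user’s rejection could not be remembered and the banner would reappear on every page.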

What happens if a customer asks for their data to be deleted?

You have one month t
