General Data Protection Regulation (GDPR) Definition and Meaning

What Is the General Data Protection Regulation (GDPR)?

The General Data Protection Regulation (GDPR) is a legal framework that sets rules for the collection and processing of personal data belonging to individuals in the European Union (EU), whether the organization doing the processing is inside or outside the EU. Approved in 2016, the GDPR went into full effect two years later. Its aim is to give individuals control over their own personal data by holding organizations accountable for how they handle it. The regulation applies regardless of where a website is hosted: an organization outside the EU is covered when it offers goods or services to people in the EU or monitors their behavior (for example through tracking cookies or analytics), even if it never set out to market to EU residents.

Key Takeaways

  • The General Data Protection Regulation is a law that sets rules for the collection and processing of personal data belonging to individuals in the EU.
  • The law was approved in 2016 but didn't go into effect until May 2018.
  • The GDPR gives individuals more control over how their personal data is handled and shared by companies.
  • Companies must tell individuals what they do with their data and, when a breach is likely to put those individuals at high risk, notify them of it without undue delay.
  • GDPR rules apply to organizations that process the data of people in the EU regardless of where the organization or its website is based.

Understanding the General Data Protection Regulation (GDPR)

The General Data Protection Regulation (or GDPR for short) is a law that was approved by the European Union in April 2016 and went into effect on May 25, 2018. It replaced an earlier law, the 1995 Data Protection Directive, and regulates how organizations process and use the personal data they collect from individuals, online and offline. It covers processing carried out wholly or partly by automated means, as well as manual processing of data held in structured filing systems.

The law makes it difficult for companies to mislead individuals with confusing or vague language when they visit their websites. It also requires that:

  • Website visitors are told, in clear and plain language, what data is collected and for what purpose.
  • Where consent is the legal basis for the processing, visitors give it through a clear affirmative action, such as clicking a button; pre-ticked boxes and inactivity do not count. Consent is only one of several lawful bases, alongside performance of a contract, a legal obligation and legitimate interests.
  • The site notifies affected visitors without undue delay if a breach of their personal data is likely to put them at high risk, and reports the breach to the supervisory authority within 72 hours unless it is unlikely to result in any risk.
  • The site assesses the risks of its processing and applies security measures appropriate to them, including a formal data protection impact assessment for high-risk processing.
  • The site determines whether it must designate a data protection officer (DPO), and whether that role requires a dedicated hire or can be carried out by an existing staff member.

These requirements may be more stringent than those required in the jurisdiction in which the site is located.

Contact details for the DPO, where one is designated, must be published so that visitors can exercise their rights under EU law, which include access to the data held about them, correction of errors, and erasure (the "right to be forgotten"), among others. The site must have the staff and processes to handle such requests within the statutory deadline of one month, extendable in complex cases.

The requirement for a clear affirmative action largely explains the ubiquitous cookie banners. Cookies are small files that a site stores in the visitor's browser; they can hold settings and preferences but also identifiers used to recognize and track the visitor across visits. Storing them on a user's device is additionally governed by the EU's separate ePrivacy rules, which is why a banner appears even on sites whose cookies carry no obvious personal data.

Special Considerations

As a further safeguard, the GDPR encourages organizations to pseudonymize the personal data they hold, replacing direct identifiers such as names or e-mail addresses with a token, with the information needed to reverse the substitution kept separately and protected. Pseudonymized data is still personal data under the regulation because the substitution can be undone; only data that has been irreversibly anonymized falls outside its scope.

Pseudonymization lets firms run broader analysis on the data with less risk, such as assessing the average debt ratios of their customers in a particular region, a calculation that might otherwise be beyond the original purpose for which the data was collected, such as assessing creditworthiness for a loan.

The regulation applies throughout the 27 EU member states and the three other European Economic Area (EEA) countries, Iceland, Liechtenstein and Norway. It protects people located in the EU regardless of their nationality, so a U.S. citizen living in the EU is covered whenever their data is processed. It also follows the data: an organization established in the EU must comply wherever it stores or processes that data, including on servers in the U.S., and an organization outside the EU, such as a U.S. company, must comply when it offers goods or services to people in the EU or monitors their behavior. Merely attracting the occasional European visitor does not by itself bring a site into scope; targeting or tracking those visitors does.

The GDPR affects data beyond that collected from customers. Most notably, perhaps, the regulation applies to the human resources records of employees.

Criticism of the GDPR

The GDPR has attracted criticism in some quarters. Some say that the requirement to appoint a DPO, or simply to assess whether one is needed, imposes an undue administrative burden on certain companies. Others complain that the guidelines on how to handle employee data are too vague.

In addition, personal data may be transferred out of the EU only where the destination country has been found to offer adequate protection, or where the parties put in place approved safeguards, such as standard contractual clauses, that commit the recipient to an equivalent level of protection. This has led to complaints about costly disruption to business practices.

There is a further concern that the costs associated with the GDPR will increase over time, in part because of the growing need to educate customers and employees alike about data protection threats and solutions. There is also skepticism over whether data protection authorities across the EU and beyond can align their enforcement and interpretation of the regulation well enough to assure a level playing field as enforcement matures.

How Do Companies Become Compliant Under the General Data Protection Regulation?

There are several steps to becoming GDPR-compliant. Key ones include auditing the personal data the company holds, keeping a record of all the data it collects and processes together with the lawful basis for each processing activity, updating the privacy notices shown to website visitors, correcting any errors found in its databases, and putting a process in place to answer requests from individuals to access, correct or erase their data.

Who Is Covered Under the General Data Protection Regulation?

Anyone whose data is processed by an organization established in the EU is protected, whether they are inside the union or beyond its borders. People located in the EU are also protected when an organization outside the union processes their data in order to offer them goods or services or to monitor their behavior. Protection depends on where the person is, not on citizenship: a citizen of another country who lives in the EU is covered by the law.

When Did the GDPR Come Into Effect?

The GDPR was approved in April 2016, but organizations were given a two-year transition period to prepare. The regulation came into full effect on May 25, 2018.

The Bottom Line

Businesses collect personal data and have often sold that information, sometimes without the consent of the people it describes. Laws have been put in place in parts of the world to protect individuals. Rules under the General Data Protection Regulation went into effect in the European Union in 2018. Under the law, companies must protect personal data and tell people how their information is used. It has a broad reach, extending beyond the borders of the EU.
