What Is the GDPR?

Written by: Nathan Rizzuti

Updated January 16, 2023

One of the most significant concerns among modern internet users is consumer privacy. As more has come to light about how organizations fail to uphold users’ right to privacy, governing bodies have passed laws to limit the number of data infractions. One of the most significant pieces of legislation is the European Union’s General Data Protection Regulation (GDPR). If you’re curious about these laws, read on as we ask (and answer) the question: What is the GDPR?


  • The GDPR is a set of comprehensive data protection laws passed by the European Union, providing internet users with rights concerning their personal information and data profiles.
  • The GDPR clearly defines what is considered personal information, who the data subjects are, and the various types of data collection/processing institutions.
  • A total of eight individual rights outlined in the GDPR provide users greater access and control over the data profiles collected by organizations.

If you’re a US resident and want to learn more about consumer privacy laws in your area, check out our resources comparing the CCPA vs the GDPR. We have a great explanation of what the CCPA is, how it affects businesses, and the rights it provides certain internet users.

Insider Tip

To ensure your organization is in full compliance with the laws of the GDPR, download a compliance checklist. These checklists can be found online.

Easy GDPR Basics

The GDPR is a set of laws passed by the European Union in 2016. The document created and established important definitions around the following subjects:

  • What is a data subject?
  • What is a data collector?
  • What is a data protection officer?
  • What rights do data subjects have?
  • What is personal data?
  • How must data-collecting organizations set up their practices to stay in line with the rights under the GDPR?

Many data experts consider the GDPR to have set the strictest security standards of any data law ever passed. However, its first and most critical function is to set clear definitions around the various players and objects involved.

By making these definitions, the laws seek to grant data subjects more control and set up a formal system of behavior and rules for organizations to protect and responsibly handle collected data.

Important Definitions Under the GDPR

Before anything else, the GDPR defined what’s considered sensitive/personal. Under the GDPR, personal data is the most highly protected class of data and is defined as follows:

Personal Data — Information that relates or can be connected to an individual’s identity. Some of the categories that fall under personal information include:

  • Name
  • Email Address
  • Location/Geographic Information
  • Ethnicity
  • Sexual Orientation
  • Religious Beliefs
  • Medical/Bio Information

The articles of the GDPR explain in further detail the definition of personal information and a sub-categorization of “sensitive personal information.”

Additionally, the GDPR draws clear lines around the various players affecting the data landscape.

  • Data Subject: Any internet user or web page visitor having their data collected and processed.
  • Data Controllers: Members of an organization in charge of determining how data is collected and what that data is.
  • Data Processors: Organizations (often third parties) that handle data on behalf of organizations.

Overall, the GDPR is divided into 99 articles, each referencing different rights, restrictions, and obligations provided for the above figures. In total, the document is 88 pages long and explains how organizations must store and protect data and notify users about what types of data are being collected and for what purpose.

Rights of the GDPR

Only after establishing the proper definitions were lawmakers able to connect the relationships between the various actors and build protection principles around online identity.


Hiding any evidence of security breaches can result in massive fines. Likewise, failure to provide breach notifications can permanently damage a business’s reputation.

In total, the GDPR outlines eight rights:

  1. The Right to Be Informed
  2. The Right to Access
  3. The Right to Rectification
  4. The Right to be Forgotten
  5. The Right to Data Portability
  6. The Right to Restrict Processing
  7. The Right to Withdraw
  8. The Right to Object (The Right to Object to Automated Processing)

If you want a more in-depth look at what each of these rights means, we have a great article explaining the rights of the GDPR.

STAT: Over 90% of American companies are not yet compliant with GDPR regulations.

What Is the GDPR FAQs

How much are the fines for failure to comply with the GDPR?

Fines for violating the rules of the GDPR vary depending on the infraction’s severity and the organization’s size. However, some of the most significant fines recorded have been up to 20 million euros or 4% of a company’s total annual revenue.

Does the GDPR apply to organizations based outside of the EU?

Any organization that handles/processes the data of citizens within the EU is subject to penalties for not complying with the GDPR.

How does the GDPR affect marketing?

The GDPR requires data collectors to allow users to opt out of having their data harvested. It also limits the types of data marketing departments can collect.