close
6 Pages
Back to Glossary
General Data Protection Regulation
What is the General Data Protection Regulation?
The General Data Protection Regulation (GDPR) is the EU's privacy regime that took effect May 2018. The principles-based regime requires that data controllers inform users about how data will be collected, analyzed, and for what purpose; use data only for the purposes communicated; limit data only to what is needed for the purpose; ensure data is current and accurate; store data only for as long as needed for the purpose; take security measures in data processing and storage; and demonstrate compliance with GDPR rules. Where data processing is based on consent, GDPR requires that consent be “freely given, specific, informed and unambiguous.” The GDPR also allows data subjects to access and request deletion of their information, among other rights. The regime applies to all EU companies, all companies engaged in the processing of EU personal data, and organizations dealing with EU companies (including foreign companies). Noncompliance with GDPR’s principles can carry sizable penalties – up to €20M or 4% of the company’s global annual turnover.
Related Briefs
Aug 27 2021
3 Shifts Edition (Aug 27 2021): China’s sweeping data protection law, Automakers shift to online car-buying, The new “encryption-as-a-service”
Feb 4 2022
3 Shifts Edition (Feb 4 2022): The regulatory problem with EU-US data flows, The evolution of platform content moderation, Avatars in the metaverse
Aug 21 2020
3 Shifts Edition (Aug 21 2020): Amazon’s product liability, Impact of the WeChat ban, Oracle & Salesforce face GDPR suit
Dec 30 2019
Brief #18: The CA privacy law effective Jan 1 will set the tone for US regulation
Feb 9 2021
Brief #42: Encrypted-messaging apps everywhere – Privacy vs. monetization
Jun 24 2020
Brief #35: Publishers & retail brands adapt to the coming death of 3rd-party cookies