The General Data Protection Regulation — Regulation (EU) 2016/679 — entered into force in May 2018. It replaced a 1995 EU Data Protection Directive that each member state had implemented in different ways. The GDPR's key innovation was that it's a regulation, not a directive: it applies directly and identically across the EU, no national transposition required.
For US practitioners, the GDPR matters because of its extraterritorial scope. If your company processes the personal data of people who are physically in the EU — even if your servers are in Indiana, your customers signed up in Spanish, and you've never set foot in Europe — the regulation can reach you. That extraterritoriality reshaped privacy law globally: California's CCPA/CPRA, Virginia's CDPA, Colorado's CPA, Brazil's LGPD, and others are all visibly descended from GDPR's structure.
Who's covered
GDPR Article 3 sets two grounds for application:
- Establishment in the Union. Any organization with an "establishment" in the EU — an office, a subsidiary, a stable arrangement — is covered for data processed in the context of that establishment's activities.
- Targeting people in the Union. Even with no EU establishment, you're covered if you (a) offer goods or services to people in the EU (paid or free), or (b) monitor the behavior of people in the EU. A Northgate startup with English-only marketing and dollar pricing might escape (b); one that offers euro pricing, ships to France, or uses analytics tools that tag EU visitors does not.
The regulation defines personal data broadly: any information relating to an identified or identifiable natural person ("data subject"). Identifiability includes online identifiers — cookies, device IDs, IP addresses can all be personal data when they let you single someone out. Special categories of personal data (sometimes called sensitive) get extra protection: data revealing racial or ethnic origin, political opinions, religious beliefs, trade-union membership, genetic or biometric data, health data, sex life or sexual orientation.
Controllers and processors
GDPR distinguishes two roles, and the obligations differ. Knowing which you are for a given processing activity matters a lot.
- Controller: determines the purposes and means of processing. A retailer collecting orders is the controller of its customer data.
- Processor: processes personal data on behalf of a controller, under the controller's instructions. The retailer's hosting provider, payment processor, email marketing tool, and CRM are processors.
- Joint controllers: where two organizations together determine purposes and means.
Processors have direct GDPR obligations (security, breach notice to the controller, sub-processor management) but the controller is the primary accountable party. A Data Processing Agreement (DPA) — the GDPR's analog to a HIPAA BAA — must be in place between every controller and processor.
Lawful bases for processing
You can't process personal data just because you want to. Every processing activity needs one of six lawful bases (Article 6), and you must be able to point at it:
- Consent — freely given, specific, informed, unambiguous, and revocable. Consent collected by pre-ticked boxes or as a condition of unrelated service is not valid consent. This is the most-discussed basis but often the worst choice operationally.
- Contract — processing necessary to perform a contract with the data subject, or take pre-contractual steps at their request.
- Legal obligation — necessary to comply with a legal obligation the controller is subject to.
- Vital interests — necessary to protect someone's life. Rarely the basis for routine processing.
- Public task — necessary for a task in the public interest or in the exercise of official authority. Government, public services.
- Legitimate interests — necessary for the legitimate interests of the controller or a third party, unless overridden by the data subject's rights. Requires a documented "legitimate interests assessment" (LIA) balancing necessity against subject rights.
Special category data needs a stronger basis (Article 9): explicit consent, employment law obligations, vital interests when the subject can't consent, public interest in the area of public health, and a few others. You can't process biometric or health data on legitimate interests alone.
Data subject rights
The GDPR grants data subjects eight enumerated rights. Organizations must respond to a Data Subject Access Request (DSAR) within one month (extendable to three for complex cases), free of charge for the first request. Building DSAR-handling capability is a substantial operational lift for most US companies that have never had to.
Right of access
The subject can request what personal data you hold about them, why you're processing it, who you've shared it with, and how long you'll keep it. Includes a free copy.
Right to rectification
Correct inaccurate data. Complete incomplete data.
Right to erasure ("right to be forgotten")
Delete personal data in specific circumstances — when no longer needed, when consent is withdrawn, when processed unlawfully, etc. Not absolute.
Right to restriction of processing
Pause processing while accuracy is contested or an objection is being evaluated.
Right to data portability
Receive personal data in a structured, commonly used, machine-readable format. Transmit to another controller.
Right to object
Object to processing based on legitimate interests or public task. Absolute right to object to direct marketing.
Rights re: automated decisions
The right not to be subject to solely automated decisions (including profiling) that produce legal or similarly significant effects. The "AI rights" provision.
Right to withdraw consent
Where processing is based on consent, withdrawal must be as easy as giving consent.
Practical security obligations
Article 32 governs security. Unlike PCI-DSS, the GDPR doesn't prescribe specific controls — it requires "appropriate technical and organizational measures" considering state of the art, cost, scope, and risk. Encouraged measures explicitly include:
- Pseudonymization and encryption of personal data
- Ongoing confidentiality, integrity, availability, and resilience of processing systems
- Ability to restore availability of and access to personal data after an incident
- Regular testing, assessment, and evaluation of the effectiveness of technical and organizational measures
The 72-hour breach notice
Article 33 requires the controller to notify the supervisory authority (the lead Data Protection Authority) of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in risk to data subjects' rights and freedoms. The notification must include the nature of the breach, categories and approximate number of subjects affected, likely consequences, and the measures taken or proposed.
If the breach is likely to result in a "high risk" to data subjects, Article 34 requires notification to affected subjects directly, without undue delay. Encryption that renders data unintelligible is one way to avoid this individual-notification obligation.
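As an added example (not code from the page's sources), the pseudonymization Article 32 names and the "unintelligible to others" idea behind Article 34, shown as a keyed-HMAC split of a record set into a pseudonymized dataset and a separately held re-identification table. The field names, sample records and key are constructed for the example.

```python
import hashlib
import hmac
import json
import secrets

DIRECT_IDENTIFIERS = ("email", "name")  # fields that identify a person directly

# Constructed sample records; not real people.
SAMPLE_RECORDS = [
    {"email": "anna@example.org", "name": "Anna K.", "country": "DE", "orders": 3},
    {"email": "luis@example.org", "name": "Luis M.", "country": "ES", "orders": 1},
    {"email": "Anna@Example.org", "name": "Anna K.", "country": "DE", "orders": 2},
]


def pseudonym(key: bytes, identifier: str) -> str:
    """Deterministic keyed pseudonym: HMAC-SHA256 over the normalised identifier.
    A bare SHA-256 of an e-mail can be confirmed by anyone who guesses the address;
    with the key held elsewhere, the pseudonym on its own reveals nothing."""
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def pseudonymize(records: list[dict], key: bytes) -> tuple[list[dict], dict]:
    """Split records into a pseudonymised dataset and a re-identification table.
    The dataset (subject_id + non-identifying attributes) can go to analytics or a
    processor; the table and the key stay with the controller, stored separately,
    so access and erasure requests can still be resolved to a real person."""
    dataset, lookup = [], {}
    for rec in records:
        sid = pseudonym(key, rec["email"])
        lookup[sid] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
        dataset.append({"subject_id": sid,
                        **{k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}})
    return dataset, lookup


def leaks_identifier(dataset: list[dict], identifier: str) -> bool:
    """True if the identifier appears anywhere in the serialised dataset."""
    return identifier.lower() in json.dumps(dataset).lower()


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generate once; store apart from the dataset
    data, table = pseudonymize(SAMPLE_RECORDS, key)
    print(json.dumps(data, indent=2))
    print("identifier leaked:", leaks_identifier(data, "anna@example.org"))
```

Pseudonymized data is still personal data under the GDPR (Article 4(5) defines pseudonymisation as attribution being impossible without additional information kept separately), so the split only limits what a leak of the dataset alone reveals; the key and lookup table need the stronger protection.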
Data Protection Impact Assessments
Article 35 requires a DPIA for any processing likely to result in high risk to data subjects' rights. Examples include systematic monitoring of a publicly accessible area on a large scale, large-scale processing of special category data, and systematic profiling. The DPIA documents the processing, evaluates necessity and proportionality, assesses risks, and identifies mitigations. Doing the DPIA before launching the processing is the point — retroactive DPIAs are common but don't satisfy the regulation's intent.
Data Protection Officer
Article 37 requires designating a Data Protection Officer (DPO) when (a) processing is by a public authority, (b) core activities require regular and systematic monitoring of data subjects on a large scale, or (c) core activities involve large-scale processing of special category or criminal data. The DPO must report directly to the highest level of management, can't be told what conclusion to reach, and can't be dismissed for performing their duties.
Enforcement and penalties
Enforcement is handled by each EU member state's Data Protection Authority (DPA). For cross-border cases, a "one-stop shop" mechanism designates a lead DPA based on the controller's main establishment. The DPAs cooperate and can refer disputed cases to the European Data Protection Board.
Administrative fines are tiered:
| Tier | Maximum | Violations |
|---|---|---|
| Lower | €10M or 2% of global annual turnover, whichever is higher | Processor obligations, controller-processor agreements, records of processing, security, breach notification to DPA, DPIA, DPO designation |
| Higher | €20M or 4% of global annual turnover, whichever is higher | Basic principles for processing, conditions for consent, data subject rights, transfers to third countries, noncompliance with DPA orders |
"Global annual turnover" is the language that gives the GDPR teeth. The largest fines as of 2024:
- Meta — €1.2 billion (May 2023) for unlawful transfers of EU personal data to the US following the Schrems II ruling.
- Amazon — €746 million (July 2021) for ad-targeting consent practices, fined by Luxembourg's CNPD.
- Instagram — €405 million (September 2022) for processing children's account contact info publicly.
- TikTok — €345 million (September 2023) for processing children's data including making accounts public by default.
- Meta (separately) — €390 million (January 2023) over the legal basis it relied on for processing personal data for behavioral advertising.
Cross-border data transfers
A foundational GDPR principle: personal data can only leave the EU if the receiving country provides an "adequate level of protection," or specific safeguards are in place. The mechanisms:
- Adequacy decisions by the European Commission designate specific countries as providing adequate protection. The US has gone through Safe Harbor (2000, invalidated 2015 in Schrems I), Privacy Shield (2016, invalidated 2020 in Schrems II), and the current EU-US Data Privacy Framework (2023). Each US-EU transfer regime has been challenged; the current one is too.
- Standard Contractual Clauses (SCCs): Commission-approved boilerplate contracts that controllers and processors execute. The 2021 SCCs are the current version. Often paired with a Transfer Impact Assessment.
- Binding Corporate Rules (BCRs): codes of conduct for multinational groups transferring data within the corporate family. Approved by DPAs; long process.
- Derogations: explicit consent, contract necessity, important public interest, etc. Narrow and case-specific.
GDPR is a rights-based framework, not a controls-based one. It tells you what data subjects are entitled to and how you must justify processing — the technical implementation is yours to design as long as it can withstand a regulator asking "show me why this processing is lawful, necessary, and proportionate."
For US practitioners building modern web applications, the operational footprint is real: cookie consent that actually works, lawful-basis documentation per processing activity, DPAs with every vendor, a DSAR response process, a 72-hour breach response capability, and transfer mechanisms for any data leaving the EU. None of this is impossible; all of it is unfamiliar to teams that have only built for the US market. And the global turnover-based fines mean the regulator's leverage scales with you — a problem that's cheap to fix early gets expensive fast.
Sources
- European Parliament and Council. (2016). Regulation (EU) 2016/679 (General Data Protection Regulation). Official Journal of the European Union, L 119/1. https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016R0679
- European Data Protection Board. (2024). Guidelines and recommendations. https://edpb.europa.eu/our-work-tools/general-guidance/guidelines-recommendations-best-practices_en
- Court of Justice of the European Union. (2020). Data Protection Commissioner v. Facebook Ireland Ltd and Maximillian Schrems (Schrems II), Case C-311/18.
- European Commission. (2023). Adequacy decision for the EU-US Data Privacy Framework. C(2023) 4745 final.
- ICO (UK). (2024). Guide to the UK GDPR. https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/
- Enforcement Tracker. (2024). GDPR Enforcement Tracker. https://www.enforcementtracker.com/