The General Data Protection Regulation (GDPR) is the European Union's flagship data protection law, in force since 25 May 2018. It replaced the ageing 1995 Data Protection Directive (95/46/EC) with a single, directly applicable regulation that harmonises data protection rules across all EU and EEA member states. If your organisation collects, stores, or otherwise processes the personal data of individuals in the EU, the GDPR almost certainly applies to you.
Why the GDPR Was Created
The 1995 Directive served the EU well for over two decades, but it was drafted before smartphones, cloud computing, social media, and the modern data economy existed. Each member state transposed the Directive into its own national law, creating a patchwork of 28 different regimes that made cross-border compliance expensive and inconsistent.
The GDPR was designed to solve three problems at once:
- Modernisation — bring the rules in line with how data is actually collected and used today.
- Harmonisation — create a single set of rules that apply uniformly across the EU, reducing legal fragmentation.
- Empowerment — strengthen the rights of individuals and give supervisory authorities real enforcement power.
Because the GDPR is a regulation (not a directive), it applies directly in every member state without the need for separate national legislation, although member states retain limited room for local derogations.
Territorial Scope (Article 3)
One of the most significant features of the GDPR is its extraterritorial reach. It applies in two main situations:
The Establishment Criterion
The GDPR applies to the processing of personal data in the context of the activities of an establishment in the EU or EEA — regardless of whether the processing itself takes place within the Union. An "establishment" can be a subsidiary, a branch, or even a single employee based in Europe.
The Targeting Criterion
Even without any EU establishment, the GDPR applies to organisations outside the EU if they:
- Offer goods or services to individuals in the EU (whether paid or free). Simply having a website accessible from Europe is not enough — there must be evidence of intent to target the EU market (e.g. using an EU language other than English, accepting euros, mentioning EU delivery).
- Monitor the behaviour of individuals in the EU, for example through web tracking, profiling, or cookie-based advertising directed at EU users.
In practical terms, the GDPR can apply to a company based anywhere in the world — San Francisco, Singapore, or Sydney — if it handles the data of people located in the EU.
Material Scope
The GDPR covers any wholly or partly automated processing of personal data, as well as non-automated processing of personal data that forms part of a filing system. There are a few narrow exemptions:
- Processing by individuals for purely personal or household activities (e.g. a private address book).
- Processing by competent authorities for law enforcement purposes (covered by the separate Law Enforcement Directive).
- Processing in the course of activities outside the scope of EU law (e.g. national security).
For the vast majority of organisations, if you hold personal data in any electronic system — a CRM, an email list, an HR database — the GDPR applies.
Key Definitions
Understanding the GDPR starts with its core terminology, defined in Article 4.
Personal Data
Any information relating to an identified or identifiable natural person (the "data subject"). This includes obvious identifiers like names and email addresses, but also IP addresses, cookie identifiers, location data, and even pseudonymised data if re-identification is possible. The threshold is deliberately broad.
Special Category Data
Article 9 defines a set of data types that receive heightened protection because misuse poses a greater risk of harm. These include:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data and biometric data (when used for identification)
- Health data
- Data concerning sex life or sexual orientation
Processing special category data is prohibited unless one of the specific conditions in Article 9(2) is met, such as explicit consent or substantial public interest.
Processing
Almost anything you do with personal data counts as processing: collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure, alignment, restriction, erasure, or destruction. If you touch the data, you are processing it.
Controller
The natural or legal person (or public authority) that determines the purposes and means of processing. The controller is the decision-maker — the organisation that decides why and how data is processed. Controllers bear the primary compliance burden under the GDPR.
Processor
A natural or legal person that processes personal data on behalf of the controller. Common examples include cloud hosting providers, payroll bureaux, and email marketing platforms. Processors must act only on the controller's documented instructions and are subject to their own set of obligations (Article 28).
Data Subject
The identified or identifiable individual whose personal data is being processed. In most business contexts, data subjects are customers, employees, website visitors, or job applicants.
Who Does the GDPR Apply To?
The short answer: almost every organisation that handles the personal data of individuals in the EU, regardless of size, sector, or geography. This includes:
- EU-based companies of any size (the GDPR does not have a small-business exemption for its core obligations).
- Non-EU companies that offer goods or services to, or monitor the behaviour of, individuals in the EU.
- Both controllers and processors (the 1995 Directive placed obligations mainly on controllers; the GDPR extends responsibilities to processors as well).
- Public authorities and private entities alike.
Certain record-keeping obligations under Article 30 are relaxed for organisations with fewer than 250 employees, but only where processing is occasional and low-risk — a narrow exception in practice.
Penalties
The GDPR introduced a two-tier administrative fine framework that gave the regulation its teeth:
Upper Tier (Article 83(5))
Up to EUR 20 million or 4% of the undertaking's total worldwide annual turnover of the preceding financial year, whichever is higher. This tier applies to infringements of the core data processing principles, lawful basis requirements, data subject rights, and international transfer rules.
Lower Tier (Article 83(4))
Up to EUR 10 million or 2% of the undertaking's total worldwide annual turnover of the preceding financial year, whichever is higher. This tier covers breaches of the obligations placed on controllers and processors, certification bodies, and monitoring bodies.
Beyond Fines
Financial penalties are only part of the picture. Supervisory authorities can also:
- Issue warnings and reprimands.
- Order compliance measures or processing bans.
- Require communication of a breach to data subjects.
- Suspend data flows to third countries.
Data subjects also have the right to seek compensation for material and non-material damage (Article 82), and representative actions by consumer groups are increasingly common.
Since enforcement began, supervisory authorities across Europe have issued billions of euros in fines, with major penalties against technology companies, airlines, telecommunications providers, and public-sector bodies. The message is clear: the GDPR is not a paper tiger.
Summary
The GDPR is a comprehensive, extraterritorial data protection regulation that applies to virtually any organisation processing the personal data of people in the EU. It establishes clear definitions, strong individual rights, and significant penalties for non-compliance. Understanding its scope and terminology is the essential first step towards building a compliant data protection programme.