The General Data Protection Regulation (GDPR) is a comprehensive data privacy law that came into effect on May 25, 2018, across the European Union. It was designed to give individuals greater control over their personal data and to unify data protection laws across EU member states. The regulation applies to any organization — regardless of where it is based — that processes the personal data of EU residents. It replaced the outdated 1995 Data Protection Directive and introduced significantly stricter rules, heavier penalties for non-compliance (up to €20 million or 4% of global annual turnover), and a broader definition of what constitutes personal data.

The GDPR is built around seven core principles that govern how personal data must be handled. These are: lawfulness, fairness, and transparency (data must be processed legally and openly); purpose limitation (data collected for one purpose cannot be used for another unrelated purpose); data minimisation (only the minimum necessary data should be collected); accuracy (data must be kept up to date and correct); storage limitation (data should not be kept longer than necessary); integrity and confidentiality (data must be kept secure against unauthorized access or loss); and accountability (organizations must be able to demonstrate their compliance with all of the above principles).

In simple terms, GDPR is a set of rules that protects people’s personal information. If a company or organization collects data about you — such as your name, email address, location, or browsing habits — GDPR gives you the right to know what is being collected, why it’s being collected, and who it’s being shared with. It also gives you the right to access your data, correct it, or ask for it to be deleted. Organizations must have a valid reason for collecting your data, must keep it safe, and cannot hold onto it longer than necessary. If they break these rules, they can face very large fines.