Skip to main content

What is GDPR?

eu gdpr graphic
(Image credit: Getty)

What is GDPR?

GDPR is the European Union’s General Data Protection Regulation, which outlines the rights EU citizens have regarding their personal data and the steps that companies must take when storing and processing that data. 

If you’re building a new company website that will accumulate EU citizens’ personal data, it’s important to choose a website builder (opens in new tab) that helps you meet your GDPR obligations.

What does GDPR do?

  • Sets a uniform data security law for all EU members and companies that market goods or services to EU residents. These EU citizens are also known as the data subjects.
  • Gives data subjects more control over the personal data that companies keep on them, including the right to transfer or erase personal data.
  • Requires companies to implement a reasonable level of data protection to keep data subjects’ personal data safe from loss or exposure.
  • Forces companies to notify supervising authorities and data subjects when a data breach of personal data has occurred.
  • Requires that some companies appoint data protection officers, specifically companies that process sensitive data such as health, race, religion, and genetic data.
  • Levies stiff penalties on companies that do not comply with GDPR.

How departments must consider GDPR

People discussing a plan in an office setting

All departments must consider how they are collecting, storing, and processing customers’ personal data (Image credit: Dylan Gillis on Unsplash)


Arguably the department most affected by GDPR is IT. The IT department must perform a data audit that will show the types of information the company uses and who has access to it. The use of this information must be legally justifiable, and IT departments should take steps to make sure companies are compliant.

A big part of GDPR compliance is securing data. All personal data stored should be anonymized and encrypted wherever possible. The protection of personal data throughout the company must be considered and an internal security policy implemented. A process must be built for the notification of data breaches to supervising authorities and data subjects.

Systems must be put in place to allow data subjects to request and receive the personal data you store on them. Users should be able to quickly and easily update inaccurate data held about them, and companies must be able to transfer or delete their data at their request.


HR staff will also need to understand the limits GDPR puts on data collected from data subjects who are company employees. Personal information can only be stored on staff with their explicit consent, and they have the right to withdraw that consent at any time. 

Data can only be stored and used for a specific, intended purpose, and it can’t be saved indefinitely without permission. It should be stored in an encrypted format whenever possible, and any data breaches must be notified to anyone affected within 72 hours.

The GDPR does not permit routine Disclosure and Barring Service (DBS) checks, better known as criminal background checks, on all employees. However, note that it doesn’t bar the use of DBS checks in specific cases, just the blanket, unwarranted use of them across all employees.


Marketing departments must be aware of three key areas of the GDPR—data permission, data access, and data focus. 

The data permission rules state that promotional material can only be sent to people who have expressly consented to receive it. Marketing can’t automatically opt someone in to a newsletter when they sign up on a website. The visitor must explicitly choose to sign up, by ticking a checkbox, for instance.

The GDPR includes provisions for the right to be forgotten. This means offering people a way to remove their details from company systems or unsubscribe from marketing.

And while marketing departments love to collect data on users, to be GDPR compliant, they must be able to show they have good reason to store the personal data they collect. A custom makeup company might be able to show why it needs to retain details of customers’ skin tones. An online hardware store, less so.

Benefits of GDPR compliance

(opens in new tab)

GDPR increases business trust and credibility. 

While virtually all of the provisions of the GDPR are to protect and empower the consumer, there are several advantages for the company, too. 

Because the GDPR requires businesses to be accountable, minimizing the use of customers’ personal data and ensuring it remains private, consumer trust grows. Compliant businesses may also attract more applications to jobs and retain staff for longer as the reputation of the company improves.

(opens in new tab)

Better control and understanding of data being collected. 

Accumulating massive amounts of personal data without a good understanding of how to use it is pointless and expensive. Companies faced with the stringent GDPR requirements have streamlined the data they keep and process, making for a better appreciation of this data and how it moves through the organization.

(opens in new tab)

Privacy as a right evens the playing field. 

Without regulations like the GDPR, companies that respected privacy often found themselves at a disadvantage to businesses that paid no attention to privacy. Implementing privacy by design is costly, and there is profit to be made in accumulating vast swathes of personal data.

With GDPR in place, the playing field has been leveled. All companies must implement data privacy throughout their organizations. Companies that value privacy are no longer at a disadvantage.

(opens in new tab)

GDPR makes for more accurate data.

When companies are required to perform data audits and remove outdated and unneeded data, the data that’s left behind is much more accurate. The rules have forced all departments to organize their data better, which has resulted in the most accurate, organized, and secure data to date.

The accuracy of this data has many advantages. Advertising and marketing efforts can be more effective and better targeted, for instance.

How much does GDPR compliance or noncompliance cost?

Complying with GDPR will have different costs depending on business size and type and can include costs for staffing and computing power. Companies that process sensitive personal data—for example, people’s health data, race, ethnic origin, or religious beliefs—must appoint a data protection officer who oversees the company’s compliance with GDPR.

GDPR noncompliance is costly. It can result in a fine of up to €20 million or 4% of a company’s annual global turnover, whichever is greater. This can come from a failure to protect the rights of data subjects, the unauthorized transfer of personal data internationally, or ignoring citizens’ requests for their data.

Fines of up to €10 million or 2% of a company’s annual global turnover are given for less egregious crimes, such as failing to report a data breach, failing to appoint a data protection officer when one is required, or failing to build a system with privacy in mind when storing personal data.

eu flags at the eu parliament

The cost of implementing GDPR-compliant measures can be offset by savings from streamlining how data is processed in your company (Image credit: Getty)


The most frequently-asked questions about GDPR.

How does GDPR affect email marketing?

GDPR has many rules governing email marketing. In brief, a company may not send an individual any email without their prior consent. However, you are allowed to email prior customers of your business, and you can email companies (though not sole traders, who are treated as individuals).

Has Brexit affected GDPR?

GDPR has not applied in the UK since the end of the Brexit transition in 2020. However, the UK had already enacted all of the GDPR requirements in an amendment to the UK Data Protection Act in 2018. In effect, companies in the UK must comply with the GDPR requirements just as their EU counterparts must, but the regulation is called the UK GDPR instead.

It is possible that the UK GDPR’s requirements could diverge from the EU GDPR’s in the future, though this is certainly unlikely in the short term.

Newspaper with Brexit headline

While Brexit has caused some complications for businesses, the UK and EU GDPR requirements remain virtually identical (Image credit: Dolapo Ayoade on Unsplash)

What are the seven principles of the GDPR?

In summary, individual personal data should be processed lawfully, fairly, and transparently. The data stored should be minimized and used for an express purpose for a set time. Attempts must be made to ensure personal data is accurate, up to date, and secure. Companies are accountable, and failure to comply can result in hefty fines.

What is considered personal data?

The GDPR doesn’t cover all types of data, just personal data. Personal data is any data that could be used to identify a specific living individual through any reasonable means. Some examples include location data, IP addresses, home addresses, cookie IDs, photos, personal email addresses, and unique mobile device IDs. 

Anonymized data and generic, catchall email addresses like are examples of data that is not covered by the GDPR.

Main takeaways

Vintage globe with Europe in focus

While the GDPR is an EU law, it has also become the model for privacy laws enacted in the UK, Turkey, and various US states (Image credit: Christian Lue on Unsplash)
  • GDPR outlines the requirements companies must meet when handling EU individuals’ personal data.
  • Companies must limit the personal data they record and have good reason to store or process it.
  • Businesses are required to secure personal data and have processes in place to minimize the chance of data breaches.
  • While initially challenging, meeting GDPR compliance can have benefits for companies, including increased customer trust and streamlined in-house data procedures.

Further reading

We discuss how the GDPR is having an impact on event data (opens in new tab), and some of the challenges businesses faced (opens in new tab) within the first year of GDPR enforcement. Now that GDPR has been in force for several years, we look at three strategies for ongoing GDPR compliance (opens in new tab) and guidelines for dealing with the risk of data breaches (opens in new tab).

You can also see how businesses have been keeping GDPR-compliant during the pandemic (opens in new tab) and a breakdown of the GDPR fines (opens in new tab) that have been dished out since the regulation came into effect.

Richard Sutherland
Richard Sutherland

Richard brings over 20 years of website development, SEO, and marketing to the table. A graduate in Computer Science, Richard has lectured in Java programming, and has built software for companies including Samsung and ASDA. Now, he writes for TechRadar, Tom's Guide, PC Gamer, and Creative Bloq.