General Data Protection: What Every Business Must Know
Understand general data protection laws, principles, and compliance requirements. A practical guide covering GDPR, rights, and obligations for businesses.
General data protection has become one of the most significant regulatory topics for businesses operating online. Since the General Data Protection Regulation (GDPR) took effect in May 2018, organizations worldwide have had to rethink how they collect, store, and use personal information. Whether you run a small e-commerce shop or a multinational SaaS company, understanding general data protection law is no longer optional.
This guide covers the core principles of data protection, the rights it grants to individuals, and the practical steps your business needs to take. The information here is educational and should not be treated as legal advice. Consult a qualified attorney for guidance specific to your circumstances.
What Is General Data Protection?
General data protection is the body of law that governs how organizations handle personal information. The term is most closely associated with the General Data Protection Regulation (Regulation (EU) 2016/679), which replaced the 1995 Data Protection Directive and established a unified framework across all EU and EEA member states.
The GDPR defines personal data as any information relating to an identified or identifiable natural person (Article 4(1)). This includes obvious identifiers like names and email addresses, as well as less obvious ones like IP addresses, device fingerprints, and cookie identifiers.
The distinction between general data and personal data matters. Not all data falls under data protection law. Anonymized datasets that cannot be linked back to any individual are outside the GDPR's scope. However, pseudonymized data (where identifiers are replaced but re-identification is possible) remains personal data and remains regulated.
General data protection frameworks exist beyond the EU as well:
- United Kingdom: The UK GDPR and Data Protection Act 2018 mirror the EU GDPR post-Brexit
- Brazil: Lei Geral de Protecao de Dados (LGPD, Law No. 13,709/2018)
- United States: No single federal law, but sector-specific statutes (HIPAA, COPPA) and state laws like the California Consumer Privacy Act (CCPA)
- Canada: Personal Information Protection and Electronic Documents Act (PIPEDA)
- Australia: Privacy Act 1988 and the Australian Privacy Principles
While specifics differ across jurisdictions, the core concepts of transparency, purpose limitation, data minimisation, and individual rights recur in nearly every modern data protection framework.
The Seven Principles of General Data Protection
Article 5 of the GDPR establishes seven principles that form the foundation of all data processing. Every compliance decision your organization makes should trace back to these principles.
1. Lawfulness, Fairness, and Transparency
Personal data must be processed lawfully, fairly, and in a transparent manner. Lawfulness requires a valid legal basis under Article 6 (such as consent, contractual necessity, or legitimate interests). Fairness means processing should not have unjustified adverse effects on individuals. Transparency means you must tell people what you are doing with their data in clear, plain language.
2. Purpose Limitation
Data must be collected for specified, explicit, and legitimate purposes. You cannot collect data for one stated reason and then use it for something entirely different. If you collect email addresses for order confirmations, you cannot later add those addresses to a marketing list without a separate lawful basis.
3. Data Minimisation
You must collect only the data that is adequate, relevant, and limited to what is necessary. Every data field you collect should serve a specific, documented purpose. If your checkout form asks for a date of birth but you have no age-related legal requirement, you are collecting more data than necessary.
4. Accuracy
Personal data must be accurate and, where necessary, kept up to date. You must take reasonable steps to ensure inaccurate data is erased or rectified without delay. This is particularly important for data that affects decisions about individuals, such as credit scores or employment records.
5. Storage Limitation
Data must be kept in identifiable form only for as long as necessary for the purposes for which it was collected. Holding onto customer data indefinitely "just in case" violates this principle. You need defined retention periods for each category of data, with documented deletion or anonymization processes.
6. Integrity and Confidentiality
You must process data in a way that ensures appropriate security, including protection against unauthorized or unlawful processing, accidental loss, destruction, or damage. Article 32 requires technical and organizational measures appropriate to the risk, such as encryption, access controls, and regular security testing.
7. Accountability
The controller must be able to demonstrate compliance with all of the above principles. This is the principle that makes data protection proactive rather than reactive. Documentation, policies, training records, Data Protection Impact Assessments, and Records of Processing Activities all serve the accountability principle.
Data Subject Rights Under General Data Protection Law
The GDPR grants individuals (called "data subjects") a set of enforceable rights over their personal data. These rights apply regardless of where the data controller is located, as long as the processing involves data of people in the EEA.
Right of access (Article 15): Individuals can request confirmation of whether their data is being processed and, if so, obtain a copy of the data along with details of the processing.
Right to rectification (Article 16): Individuals can request correction of inaccurate personal data or completion of incomplete data.
Right to erasure (Article 17): Also known as the "right to be forgotten," individuals can request deletion of their data when the data is no longer necessary, consent is withdrawn, or the processing is unlawful. This right is not absolute and does not override legal retention obligations.
Right to restriction of processing (Article 18): Individuals can request that processing be limited in certain circumstances, such as while the accuracy of data is being contested.
Right to data portability (Article 20): Individuals can request their data in a structured, commonly used, machine-readable format and have it transmitted to another controller.
Right to object (Article 21): Individuals can object to processing based on legitimate interests or public task grounds. For direct marketing, the right to object is absolute.
You must respond to data subject requests within one month. Failure to respond, or responding inadequately, can lead to complaints to supervisory authorities and potential enforcement action.
How General Data Protection Applies to Websites
For website owners, general data protection intersects with nearly every aspect of how your site operates. Understanding where data protection obligations arise helps you build compliance into your site rather than bolting it on later.
Privacy policies: Article 13 requires you to provide detailed information about your data processing at the point of collection. Your privacy policy must cover the identity of the controller, purposes and lawful bases for processing, categories of recipients, retention periods, data subject rights, and whether data is transferred outside the EEA.
Cookie consent: The ePrivacy Directive (Directive 2002/58/EC), read alongside the GDPR, requires informed consent before placing non-essential cookies on a visitor's device. A compliant cookie consent banner must allow users to accept, reject, or customize cookie categories before any non-essential cookies are set. Your cookie policy should list every cookie, its purpose, provider, and duration.
Contact and registration forms: Every form that collects personal data should include a concise privacy notice explaining what happens to the data. Link to your full privacy policy rather than embedding the entire text.
Third-party integrations: Analytics tools, advertising pixels, embedded videos, social media widgets, and payment processors all involve sharing personal data with third parties. You need a lawful basis for each sharing arrangement, and your privacy policy must disclose these recipients.
International data transfers: If your website visitors are in the EEA but your hosting, analytics, or email service providers are in the United States or other third countries, Chapter V of the GDPR governs those transfers. Standard Contractual Clauses (SCCs) or an adequacy decision are typically required.
Building a General Data Protection Compliance Program
Compliance is not a one-time project. It requires ongoing processes that adapt as your business and the regulatory landscape evolve.
Privacy Policy Generator
Create a comprehensive privacy policy for your website or app. Create yours in minutes with TermsBox.
Generate NowConduct a data mapping exercise: Identify every category of personal data you process, where it comes from, where it goes, who has access, and how long it is retained. This becomes the foundation for your Records of Processing Activities (Article 30).
Establish your lawful bases: For each processing activity, determine which of the six lawful bases under Article 6 applies. Document your reasoning. If you rely on legitimate interests, complete a Legitimate Interests Assessment.
Publish clear privacy documentation: Your privacy policy, cookie policy, and any other data protection notices must be accurate, up to date, and written in plain language. Automated compliance tools like TermsBox can generate policies that reflect your site's actual data practices based on scanner results.
Implement consent management: Where consent is required, deploy a consent management platform (CMP) that records consent, allows granular choices, and makes withdrawal as easy as giving consent. This is particularly critical for cookies and marketing communications.
Secure your data: Implement technical measures proportionate to the sensitivity of the data you process. At minimum, this includes HTTPS encryption, access controls, regular software updates, and secure password policies. Article 32 does not prescribe specific technologies, but it requires measures appropriate to the risk.
Prepare for data subject requests: Create a documented process for receiving, verifying, and fulfilling access, rectification, erasure, and portability requests within the one-month deadline.
Plan for data breaches: Article 33 requires notification to the supervisory authority within 72 hours of becoming aware of a breach likely to result in risk to individuals. Article 34 requires direct notification to affected individuals in cases of high risk. Have an incident response plan ready.
Train your team: Data protection is not just an IT or legal function. Anyone who handles personal data needs to understand the basics. Regular training reduces the risk of human error, which remains the leading cause of data breaches.
General Data Protection Beyond the GDPR
While the GDPR is the most influential general data protection law, businesses that operate globally must also consider other frameworks.
The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), grants California residents rights to know, delete, and opt out of the sale or sharing of personal information. Violations can result in penalties of $2,500 to $7,500 per violation. Unlike the GDPR, the CCPA applies only to businesses meeting certain revenue or data volume thresholds.
The UK GDPR mirrors the EU GDPR in substance but is enforced independently by the UK Information Commissioner's Office (ICO). Post-Brexit divergence has been limited so far, but businesses serving both UK and EU customers need to comply with both regimes.
Brazil's LGPD shares many concepts with the GDPR, including lawful bases, data subject rights, and a dedicated supervisory authority (ANPD). Fines can reach 2% of the company's revenue in Brazil, capped at 50 million BRL per violation.
In the United States, the patchwork of state privacy laws continues to expand. Virginia, Colorado, Connecticut, Utah, and Texas have enacted comprehensive privacy statutes, each with their own requirements and enforcement mechanisms. A federal privacy law remains under discussion but has not been enacted as of early 2026.
For businesses operating across multiple jurisdictions, the practical approach is to build your compliance program around the strictest applicable standard, typically the GDPR, and then address jurisdiction-specific requirements on top. Your privacy policy should reflect compliance with every regime that applies to your audience.
Common General Data Protection Mistakes
Even organizations that take data protection seriously make avoidable errors. Recognizing these patterns helps you identify gaps in your own compliance program.
Relying on implied consent: Pre-ticked checkboxes, continued browsing as consent, or burying consent in lengthy terms of service do not meet GDPR standards. Consent must be a clear, affirmative act (Recital 32).
Treating privacy policies as formalities: A generic, template privacy policy that does not reflect your actual processing activities creates a compliance gap and a false sense of security. Your policy must be accurate and specific.
Ignoring third-party risk: Your compliance depends on the practices of every processor you engage. If your analytics provider or email service mishandles data, you as the controller remain responsible. Regular processor audits and Data Processing Agreements are essential.
No retention schedule: Collecting data without a plan for deletion leads to bloated databases and storage limitation violations. Define retention periods at the point of collection, not after a regulator asks.
Overlooking employee data: Data protection applies to employee records, not just customer data. Payroll, performance reviews, health information, and CCTV footage all require a lawful basis, transparency, and appropriate security.
Failing to update policies after changes: Adding a new analytics tool, switching email providers, or expanding to a new market all potentially change your data processing. Your documentation must keep pace with operational changes.
Frequently Asked Questions
What is general data protection?
General data protection refers to the legal framework governing how organizations collect, store, use, and share personal information. The most prominent example is the General Data Protection Regulation (GDPR), which applies across the European Economic Area. These laws establish rights for individuals and obligations for organizations to handle personal data responsibly and transparently.
What are the seven principles of data protection under GDPR?
Article 5 of the GDPR establishes seven principles: lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, and accountability. These principles form the foundation of all GDPR compliance. Controllers must demonstrate adherence to every principle, not just follow them passively.
Does general data protection law apply to small businesses?
Yes. The GDPR applies to any organization that processes personal data of individuals in the EEA, regardless of the organization's size or location. There is no small business exemption in the GDPR. Some obligations, such as appointing a Data Protection Officer, have thresholds, but the core principles and data subject rights apply to every business.
What is the difference between general data and personal data?
General data refers broadly to any information, while personal data is a legal term defined in Article 4(1) of the GDPR as any information relating to an identified or identifiable natural person. Only personal data triggers data protection obligations. Examples of personal data include names, email addresses, IP addresses, and cookie identifiers. Anonymized data that cannot identify anyone is not personal data.