General Data Protection: What Businesses Must Know
Learn what general data protection means, how the GDPR works, and the steps your business needs to take to comply with data protection regulations.
General data protection is the legal framework that governs how organizations collect, store, and use personal information. If your website or application handles data from people in the European Union, understanding general data protection is not optional.
This article is educational content about data protection law. It is not legal advice, and you should consult a qualified attorney for questions specific to your situation.
What Is General Data Protection?
General data protection refers broadly to the body of law that safeguards personal data. In practice, when people search for "general data protection," they are almost always referring to the General Data Protection Regulation (GDPR), the EU regulation that became enforceable on May 25, 2018.
The GDPR replaced the 1995 Data Protection Directive and set a new global standard for privacy rights. It applies to every organization, regardless of location, that processes personal data of individuals in the European Economic Area (EEA). This extraterritorial reach, defined in Article 3, is what makes the GDPR relevant to businesses worldwide.
At its core, general data protection law answers three questions:
- What personal data can an organization collect?
- Under what conditions can that data be processed?
- What rights do individuals have over their own information?
Key Principles of the GDPR
The GDPR is built on seven principles laid out in Article 5. Every compliance decision your business makes should trace back to these:
- Lawfulness, fairness, and transparency. You need a valid legal basis for every processing activity, and you must explain your practices in plain language.
- Purpose limitation. Data can only be collected for specific, explicit, and legitimate purposes. You cannot repurpose data without a compatible legal basis.
- Data minimization. Collect only what you actually need. If a form does not require a phone number, do not ask for one.
- Accuracy. Personal data must be kept accurate and up to date. You should have processes to correct or delete inaccurate records.
- Storage limitation. Data should be retained only as long as necessary for the stated purpose. Define retention periods and enforce them.
- Integrity and confidentiality. Organizations must implement appropriate technical and organizational security measures, such as encryption, access controls, and regular audits.
- Accountability. You must be able to demonstrate compliance, not just claim it. This means documentation, records of processing activities, and evidence of decision-making.
These principles form the foundation of what the general data protection regulations require. Every policy, process, and tool you implement should support at least one of them.
Who Must Comply with GDPR Regulations
A common misconception is that the GDPR only applies to EU-based companies. Under Article 3, the regulation applies to any organization that:
- Is established in the EU or EEA, regardless of where the actual processing takes place
- Offers goods or services to individuals in the EU, even if no payment is involved
- Monitors the behavior of individuals in the EU, such as through website tracking or analytics
This means a business in the United States, Australia, or anywhere else is subject to GDPR regulations if its website uses cookies that track EU visitors or if it collects email addresses from EU-based subscribers.
Small business considerations
There is no blanket exemption for small businesses under the GDPR. Some obligations, such as appointing a Data Protection Officer (DPO) under Article 37, apply only to organizations whose core activities involve large-scale processing. However, the fundamental requirements around lawful processing, transparency, and data subject rights apply to businesses of every size.
If your website collects personal data from EU visitors, you need at minimum:
- A clear and comprehensive privacy policy that meets Article 13 and 14 disclosure requirements
- A lawful basis for each type of processing you perform
- A process for responding to data subject rights requests within one calendar month
Legal Bases for Processing Personal Data
Under Article 6 of the GDPR, every instance of data processing requires one of six legal bases:
- Consent. The individual has given clear, informed, and freely given agreement. Consent must be as easy to withdraw as it is to give.
- Contractual necessity. Processing is necessary to perform or enter into a contract with the individual. For example, you need a shipping address to deliver a product.
- Legal obligation. Processing is required to comply with a law, such as tax reporting or anti-money laundering requirements.
- Vital interests. Processing is necessary to protect someone's life. This is rarely applicable to standard business operations.
- Public task. Processing is necessary to perform a task in the public interest or in the exercise of official authority.
- Legitimate interests. Processing is necessary for a legitimate interest that is not overridden by the individual's rights. This requires a documented balancing test.
For most website operators, the primary legal bases are consent (for marketing emails, analytics, and advertising cookies) and contractual necessity (for account creation, order processing, and customer support).
Consent requirements under GDPR
When relying on consent as a legal basis, the GDPR sets a high bar under Article 7:
- Consent must be informed, meaning you explain what data you collect and why
- Consent must be freely given, with no pre-checked boxes or forced bundling
- Consent must be specific, covering each distinct processing purpose separately
- Consent must be unambiguous, requiring a clear affirmative action like checking a box or clicking a button
- Withdrawal of consent must be as simple as giving it
Data Subject Rights Under General Data Protection Law
One of the most significant aspects of general data protection is the set of enforceable rights it grants to individuals. Under Chapters III and IV of the GDPR, data subjects can exercise the following:
- Right of access (Article 15). Individuals can request confirmation of whether their data is being processed and obtain a copy of that data.
- Right to rectification (Article 16). Individuals can request correction of inaccurate personal data.
- Right to erasure (Article 17). Often called the "right to be forgotten," this allows individuals to request deletion of their data when it is no longer necessary for its original purpose or when consent is withdrawn.
- Right to restriction (Article 18). Individuals can request that processing be limited in certain circumstances, such as while accuracy is contested.
- Right to data portability (Article 20). Individuals can receive their data in a structured, commonly used, machine-readable format and transmit it to another controller.
- Right to object (Article 21). Individuals can object to processing based on legitimate interests or for direct marketing purposes. For direct marketing, the objection is absolute.
Organizations must respond to these requests within one calendar month under Article 12(3). The response period can be extended by two additional months for complex requests, but the individual must be informed of the extension within the first month.
Enforcement and Penalties for Non-Compliance
The general data protection regulations carry significant enforcement powers. Supervisory authorities in each EU member state oversee compliance, investigate complaints, and impose corrective measures.
Fine structure
Article 83 of the GDPR establishes a two-tier penalty system:
- Lower tier (up to 10 million EUR or 2% of global annual turnover). For violations related to record-keeping, data protection impact assessments, and DPO requirements.
- Upper tier (up to 20 million EUR or 4% of global annual turnover). For violations of core principles, lawful processing conditions, data subject rights, and international transfer rules.
Notable enforcement actions
Regulators have issued substantial fines since the GDPR took effect:
- Meta received a 1.2 billion EUR fine in 2023 for unlawful data transfers to the United States
- Amazon was fined 746 million EUR in 2021 by the Luxembourg CNPD for advertising-related processing without proper consent
- Google received a 50 million EUR fine from the French CNIL in 2019 for lack of transparency and valid consent for ad personalization
These cases demonstrate that enforcement is not theoretical. Regulators prioritize violations involving transparency failures, inadequate consent mechanisms, and unlawful data transfers.
How to Comply with General Data Protection Requirements
Compliance with GDPR regulations is an ongoing process, not a one-time project. Here is a practical approach for website owners and small businesses:
Privacy Policy Generator
Create a comprehensive privacy policy for your website or app. Create yours in minutes with TermsBox.
Generate NowStep 1: Map your data
Document every type of personal data you collect, where it comes from, why you collect it, who you share it with, and how long you keep it. This data map forms the basis of your Record of Processing Activities (ROPA), required under Article 30.
Step 2: Establish legal bases
For each processing activity, identify and document the legal basis you rely on. If you rely on consent, make sure your consent mechanism meets the requirements of Article 7.
Step 3: Update your privacy policy
Your privacy policy must include all disclosures required by Articles 13 and 14 of the GDPR. Use a privacy policy generator as a starting point, then customize it with your specific data practices, retention periods, and third-party processors.
Step 4: Implement cookie consent
If your website uses non-essential cookies or tracking technologies, you need a consent management platform (CMP) that collects opt-in consent before those cookies fire. Tools like TermsBox provide a cookie consent banner alongside a compliance scanner that identifies what cookies and trackers your site uses.
Step 5: Build a rights request process
Create a clear, documented process for handling data subject access requests (DSARs). Include intake channels, identity verification steps, response timelines, and escalation procedures.
Step 6: Review vendor agreements
Under Article 28, you must have data processing agreements (DPAs) with every processor that handles personal data on your behalf. Review contracts with analytics providers, email platforms, payment processors, and hosting services.
Step 7: Train your team
Everyone who handles personal data should understand the basics of GDPR compliance. This includes customer support staff, marketing teams, and developers.
GDPR and International Data Transfers
Chapter V of the GDPR restricts transfers of personal data to countries outside the EEA unless adequate protections are in place. The primary mechanisms for lawful international transfers are:
- Adequacy decisions. The European Commission has recognized certain countries as providing an adequate level of data protection. As of 2024, this list includes the United Kingdom, Japan, South Korea, Canada (for commercial organizations), and the United States under the EU-U.S. Data Privacy Framework.
- Standard Contractual Clauses (SCCs). Pre-approved contractual templates that impose GDPR-equivalent obligations on the data importer.
- Binding Corporate Rules (BCRs). Internal policies approved by a supervisory authority for transfers within a corporate group.
If you use cloud services, analytics tools, or email platforms based in the United States, confirm that the provider participates in the Data Privacy Framework or has executed current SCCs.
General Data Protection Beyond the EU
The GDPR has influenced data protection legislation worldwide. Several jurisdictions have enacted similar laws:
- United Kingdom. The UK GDPR (retained EU law post-Brexit) mirrors the EU regulation, enforced by the Information Commissioner's Office (ICO).
- California (United States). The California Consumer Privacy Act (CCPA), amended by the CPRA, follows an opt-out model rather than opt-in but grants similar rights around access, deletion, and data portability.
- Brazil. The Lei Geral de Protecao de Dados (LGPD) is closely modeled on the GDPR.
- Canada. The Personal Information Protection and Electronic Documents Act (PIPEDA) shares principles with the GDPR, with proposed updates under the Consumer Privacy Protection Act.
For businesses serving a global audience, building your compliance program around the GDPR's requirements as a baseline will cover most of what other jurisdictions require. You can then layer on region-specific rules, such as CCPA opt-out mechanisms or LGPD data officer appointments, as needed.
A comprehensive privacy policy that addresses GDPR disclosures will typically satisfy the notice requirements of most other data protection laws as well.
Frequently Asked Questions
What is the General Data Protection Regulation?
The General Data Protection Regulation (GDPR) is an EU law that took effect on May 25, 2018. It governs how organizations collect, store, and process personal data of individuals in the European Economic Area, and it applies to any business worldwide that handles such data.
Does general data protection law apply outside the EU?
Yes. The GDPR has extraterritorial scope under Article 3. Any organization that offers goods or services to people in the EU, or monitors their behavior, must comply regardless of where the business is headquartered.
What are the penalties for violating GDPR regulations?
Supervisory authorities can impose fines up to 20 million EUR or 4% of annual global turnover, whichever is higher, under Article 83 of the GDPR. Lower-tier violations carry fines up to 10 million EUR or 2% of turnover.
What rights do individuals have under general data protection rules?
Data subjects have the right of access (Article 15), rectification (Article 16), erasure (Article 17), restriction of processing (Article 18), data portability (Article 20), and the right to object to processing (Article 21). Organizations must respond to rights requests within one calendar month.