What Is the General Data Protection Regulation (GDPR)?

6 Min

It’s important to note that GDPR applies only to EU citizens and people physically in the EU but not just to EU countries or companies.

Regardless of physical location, companies may be subject to the GDPR if they collect or process any EU citizen’s personal data, offer goods and services to them, or monitor their behavior.

GDPR gives EU data subjects certain rights over the collection and use of their personal data.

GDPR provisions cover many areas related to the collection, storage, and protection of user data. Here are a few you should know.

1. Consent

A data subject must explicitly consent to their data being collected, used, processed, or stored.

They can revoke this consent at any time, unless there is a legal basis for keeping it.

2. "The right to be forgotten"

A user can ask to have all their data removed or erased.

3. Access and transfer of data

Data subjects can ask to access the data collected about them and request that it be transferred from one company to another.

4. Security breach notifications

If there is a security breach, relevant authorities must be notified within 72 hours.

If there is a high risk to individual users, they must be notified within that window as well.

GDPR applies to data collected in the past and data you plan to collect in the future.

Noncompliance can lead to fines of up to 4% of your global revenue or €20 million (about $24 million): whichever is higher.

Let's practice:

Paper Tech has a large presence within the EU. They are rewriting their terms of service.

Quiz 1 of 1

For GDPR compliance, what should Paper Tech tell users about their response to potential data breaches?

That they need their consent to collect data
That they will notify authorities within 72 hours
That they will transfer data if requested
That they will erase their data if requested


For more detailed information on the GDPR, visit: www.ico.org.uk

Lesson complete