What it is
The GDPR is the EU's data protection law. It sets clear rules for how organizations collect, use, share, and store personal data, and gives people strong rights over their information. It applies to organizations established in the EU and also to organizations based anywhere else that offer goods or services to people in the EU or monitor their behaviour.
Why it matters
For individuals, GDPR means control: you can see what's held about you, fix it, take it with you, or ask for deletion. For organizations, it means accountability: be transparent, rely on a valid lawful basis (and obtain valid consent where consent is that basis), secure the data, and be able to demonstrate that you did.
Key rights at a glance
- Access & portability - get a copy of your data and, where processing is automated and based on consent or a contract, receive it in a structured, commonly used, machine-readable format
- Rectification & deletion - fix mistakes or request erasure in many cases
- Restriction & objection - limit or stop certain processing; objecting to direct marketing must always be honoured
- Breach notices - be informed without undue delay when a data breach is likely to put you at high risk
What organizations must do
- Have a lawful basis - consent, contract, legitimate interests, and so on
- Minimize data - collect only what's needed and keep it no longer than necessary
- Secure by design and by default - pseudonymisation and encryption, access controls, regular testing of the measures in place
- Be transparent - clear privacy notices and easy opt-outs
- Manage vendors - data processing agreements with every processor, plus due diligence
- Document and respond - records of processing, DPIAs for high-risk activities, and notification of the supervisory authority within 72 hours of becoming aware of a reportable breach (affected individuals must also be told when the breach is likely to put them at high risk)
Quick checklists
For individuals
- Review privacy settings and marketing preferences
- Use your access and deletion rights where it helps
- Opt out of tracking you don't want, and use strong passwords plus MFA
For organizations
- Map personal data flows and set retention schedules
- Update privacy notices and cookie banners for clarity
- Enable DSAR handling - verify the requester's identity and respond within one month (extendable by up to two further months for complex or numerous requests, provided you tell the requester why)
- Train staff and test incident response regularly, including the 72-hour breach notification path