The General Data Protection Regulation (GDPR) is a comprehensive data protection law passed by the European Union (EU).
After reading this article you will be able to:
Copy article link
The General Data Protection Regulation (GDPR), which went into effect on May 25, 2018, is a comprehensive data privacy law that establishes a framework for the collection, processing, storage, and transfer of personal data. It requires that all personal data be processed in a secure fashion, and it includes fines and penalties for businesses that do not comply with these requirements. It also provides individuals with a number of rights regarding their personal data.
As technology advances and data collection grows more prevalent, data privacy has been put in the spotlight. At the time of its passage, the GDPR was the most comprehensive data privacy regulation. It harmonized separate data protection regulations from across the European Union (EU). It also extended the reach of those regulations to apply to non-EU organizations if they process personal data collected in the EU.
The GDPR applies to any company or organization regardless of geographical location if the company or organization offers goods and services to people in the EU or monitors their behavior within the EU.
The GDPR broadened the scope of what was considered personal data to include any information related to a natural identifiable person. This includes details that are obviously personal, such as someone's name and address, but also any other information that could be used to identify someone, including their IP address and certain cookie identifiers associated with a web browsing session.
The GDPR defines data controllers as entities that make decisions about the means and purposes for which personal data is collected and processed, and it defines data processors as entities that process personal data, typically on behalf of a data controller.
The GDPR also lays out seven key principles for how data controllers and processors should handle personal data:
In addition to describing these principles in detail, the GDPR requires several specific actions that data controllers and processors need to take. Some of these include:
The full requirements for data controllers and processors are described in the GDPR.
The GDPR defines a data subject as "an identified or identifiable natural person." Data subjects have the following rights:
The GDPR describes the fines that are to be imposed on businesses that violate its policies.
There are two tiers of fines under the GDPR, with each tier corresponding to a different category of violation:
In addition to these fines, data subjects can seek compensation for damages when a business violates the GDPR.
The Cloudflare mission is to help build a better Internet, and data privacy is core to that mission. Cloudflare builds its products with a "privacy by design" mindset and has released a number of services to increase user privacy (including the Cloudflare Data Localization Suite). Learn about Cloudflare and the GDPR.
Other privacy topics
Privacy and compliance
Learning Center Navigation