General Data Protection Regulation (GDPR)

What Is the General Data Protection Regulation (GDPR)?

The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of personal information from individuals who live in the European Union (EU). Since the Regulation applies regardless of where websites are based, it must be heeded by all sites that attract European visitors, even if they don't specifically market goods or services to EU residents.

The GDPR mandates that EU visitors be given a number of data disclosures. The site must also take steps to facilitate such EU consumer rights as a timely notification in the event of personal data being breached. Adopted in April 2016, the Regulation came into full effect in May 2018, after a two-year transition period.

Customer-Service Requirements of the GDPR

Under the rules, visitors must be notified of data the site collects from them and explicitly consent to that information-gathering, by clicking on an Agree button or other action. (This requirement largely explains the ubiquitous presence of disclosures that sites collect "cookies"—small files that hold personal information such as site settings and preferences.)

Sites must also notify visitors in a timely way if any of their personal data held by the site is breached. These EU requirements may be more stringent than those required in the jurisdiction in which the site is located.

Also mandated is an assessment of the site's data security, and whether a dedicated data protection officer (DPO) needs to be hired or an existing staffer can carry out this function.

Information on how to contact the DPO and other relevant staffers must be accessible so that visitors may exercise their EU data rights, which also include the ability to have their presence on the site erased, among other measures. (Naturally, the site must also add staff and other resources to be capable of carrying out such requests.)

Other Rules and Mandates of the General Data Protection Regulation (GDPR)

As further protection for consumers, the GDPR also calls for any personally identifiable information (PII) that sites collect to be either anonymized (rendered anonymous, as the term implies) or pseudonymized (with the consumer's identity replaced with a pseudonym). Pseudonymization of data allows firms to do some more extensive data analysis, such as assessing the average debt ratios of their customers in a particular region—a calculation that might otherwise be beyond the original purposes for which data was collected, for example to assess creditworthiness for a loan.
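The following is an added illustration of the pseudonymization the paragraph describes; it is not code from the original article or from any regulator. It assumes a hypothetical customer table with an email address as the direct identifier, and a constructed placeholder key. A keyed HMAC replaces the email with a pseudonym that cannot be mapped back without the key, the mapping table is kept apart from the analysis copy, and the regional average debt ratio is then computed over the pseudonymized records alone. The last function shows why an unkeyed hash of an email does not achieve the same thing.

```python
import hashlib
import hmac
import statistics
from collections import defaultdict

# Constructed placeholder key. In a real deployment the key lives in a
# KMS/HSM with its own access control and rotation schedule, never in source.
PSEUDONYM_KEY = b"placeholder-key-store-in-a-kms"

# Constructed sample records; no real individuals.
CUSTOMERS = [
    {"email": "alice@example.com", "region": "north", "debt_ratio": 0.31},
    {"email": "bob@example.com",   "region": "north", "debt_ratio": 0.45},
    {"email": "carol@example.com", "region": "south", "debt_ratio": 0.22},
]


def pseudonymize(identifier: str, key: bytes) -> str:
    """Replace a direct identifier with a keyed pseudonym (HMAC-SHA256).

    Normalizing case/whitespace keeps the pseudonym stable for the same
    person. Without the key, the pseudonym cannot be reversed or recomputed,
    which is what separates pseudonymization from a plain hash.
    """
    canonical = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def pseudonymize_records(records, key: bytes):
    """Split a record set into an analysis copy and a re-identification table.

    The analysis copy carries only the pseudonym plus the attributes needed
    for the calculation. The lookup table is the 'additional information'
    that GDPR Art. 4(5) requires to be kept separately under its own controls.
    """
    analysis, lookup = [], {}
    for rec in records:
        pseudo = pseudonymize(rec["email"], key)
        lookup[pseudo] = rec["email"]
        analysis.append({
            "pseudonym": pseudo,
            "region": rec["region"],
            "debt_ratio": rec["debt_ratio"],
        })
    return analysis, lookup


def average_debt_ratio_by_region(analysis):
    """The extended analysis the article mentions, run on pseudonymized data only."""
    by_region = defaultdict(list)
    for rec in analysis:
        by_region[rec["region"]].append(rec["debt_ratio"])
    return {region: statistics.mean(vals) for region, vals in by_region.items()}


def unkeyed_hash_is_reversible(identifier: str, candidate_identifiers) -> bool:
    """Show why bare SHA-256(email) is not pseudonymization.

    Anyone holding a list of plausible identifiers can recompute the hashes
    and match them, so the 'pseudonym' is reversible without any secret.
    """
    target = hashlib.sha256(identifier.encode("utf-8")).hexdigest()
    return any(
        hashlib.sha256(c.encode("utf-8")).hexdigest() == target
        for c in candidate_identifiers
    )


if __name__ == "__main__":
    analysis_rows, reid_table = pseudonymize_records(CUSTOMERS, PSEUDONYM_KEY)
    print(average_debt_ratio_by_region(analysis_rows))
    print("plain hash reversible:",
          unkeyed_hash_is_reversible("bob@example.com", [r["email"] for r in CUSTOMERS]))
```

Two design points worth noting. First, HMAC pseudonyms are deterministic, so the same person gets the same token across datasets that share the key; that is what makes joins and longitudinal analysis possible, but it also means linkability is preserved, and the key (not the hash algorithm) is the control that has to be protected. Second, the re-identification table is what makes the data pseudonymized rather than anonymized: delete the key and the table, and the analysis copy can no longer be tied back to an individual.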

The GDPR affects data beyond that collected from customers. Most notably, perhaps, the regulation also applies to the human resources records of employees.

Controversies Associated With the GDPR

The GDPR has attracted criticism in some quarters. Some say the requirement to appoint DPOs, or simply to assess the need for them, imposes an undue administrative burden on some companies. Some also complain that the guidelines are too vague on how best to deal with employee data.

In addition, data cannot be transferred to another country outside the EU, unless the receiving company guarantees the same degree of protection as the EU requires. This has led to complaints about costly disruption to business practices.

There's a further concern that the costs associated with GDPR will increase over time, in part because of the escalating need to educate customers and employees alike about data protection threats and solutions. There's also skepticism over how feasible it is for data protection agencies across the EU and beyond to align their enforcement and interpretation of the regulations, and so assure a level playing field as the GDPR goes into fuller effect.
