What is the GDPR?
Everything your organisation needs to know about the EU's General Data Protection Regulation
In 2016, the European Union enacted the General Data Protection Regulation, one of the most sweeping privacy laws ever written. Whether your organisation is based in the EU or not, if you handle the personal data of EU individuals, the GDPR applies to you.
What is the GDPR?
GDPR stands for General Data Protection Regulation. It is EU law designed to strengthen electronic privacy and unify data protection rules across member states.
The GDPR's core goal is simple: return control of personal data to the individual. It requires organisations to be transparent about what data they collect, how they use it, and to honour requests from individuals to access, correct, or delete it.
The regulation applies to the personal data of all EU citizens, but its reach extends far beyond Europe's borders. Any business globally that collects, stores, or processes the personal data of EU individuals must comply. Key obligations include:
- Responding quickly to erasure requests ("right to be forgotten")
- Making personal data portable and accessible upon request
- Implementing appropriate technical and organisational security measures
- Reporting data breaches to authorities within 72 hours
Enforcement note: Although the GDPR was adopted in 2016, EU Data Protection Authorities began enforcing it on May 25, 2018. Fines for non-compliance can reach up to €20 million or 4% of annual global turnover, whichever is higher.
What data does the GDPR regulate?
The scope of "personal data" under the GDPR is broader than most organisations expect. Some examples are obvious: email addresses, employee ID numbers, phone numbers. Others are less so.
Direct Identifiers
Names, email addresses, phone numbers, national ID numbers, employee IDs
Location & Behavioural Data
Geolocation data and behavioural tracking that can be traced back to a specific individual
Online Identifiers
IP addresses, if they can be combined with other data to identify a person (a significant departure from prior privacy laws)
Sensitive Categories
Health data, biometric data, genetic data, religious beliefs, and political opinions receive heightened protection
Critically, the GDPR was written to be future-proof. It does not provide a finite list of regulated data types. The guiding principle: if a piece of data can identify a living EU individual, directly or indirectly, it counts as personal data.
Treating IP addresses as personal data is a notable change from earlier frameworks such as Safe Harbour and Privacy Shield. Under the GDPR, an IP address qualifies as personal data when it can be combined with other information to identify an individual.
The history of the GDPR
The EU has led on privacy law for decades. Understanding the GDPR's origins helps organisations appreciate why it carries such weight, and why compliance is non-negotiable.
1995: EU Data Protection Directive
The EU adopted its landmark Data Protection Directive, broadly defining personal data as "any information relating to an identified or identifiable natural person." This became the foundation for privacy law across all EU member states for over two decades.
2016: GDPR Adopted
The EU formally adopted the General Data Protection Regulation, replacing the 1995 Directive with a single, directly enforceable regulation across all member countries. A two-year transition period gave organisations time to prepare.
2018: Enforcement Begins
On May 25, 2018, EU Data Protection Authorities began active enforcement. Organisations found in breach faced significant fines, and regulators across Europe launched investigations into major technology companies.
Key requirements for businesses
The GDPR introduced new obligations for any organisation processing EU personal data, regardless of where in the world that organisation is headquartered.
Lawful basis for processing
Every act of data collection or processing must have a documented lawful basis, such as consent, contract necessity, or legitimate interest.
Right to erasure
Individuals can request their personal data be deleted. Organisations must be able to locate and remove that data across all systems promptly.
Data portability
Individuals have the right to receive their personal data in a structured, machine-readable format and to transfer it to another service.
Breach notification
In the event of a data breach, organisations must notify the relevant supervisory authority within 72 hours of becoming aware of the incident.
Need help preparing your organisation for GDPR compliance?
Iron Cove Solutions helps organisations implement the identity and access management infrastructure needed to meet GDPR obligations, from data access controls to audit trails and erasure workflows.
