What is the GDPR?
The General Data Protection Regulation (GDPR) is the EU’s comprehensive law on data privacy and protection. It came into effect on 25 May 2018, replacing the previous Data Protection Directive.
The GDPR harmonises data protection rules across the EU and gives individuals greater control over their personal data.
Because of its broad scope, the GDPR has become one of the most influential privacy laws worldwide.
Who does the GDPR apply to?
The GDPR applies to any company or organisation that processes personal data if it:
- Is based in the European Union;
- Is outside the EU but offers goods or services to EU residents, or monitors their behaviour; or
- Processes the personal data of EU residents, regardless of where it is located.
What is personal data?
Personal data means any information that identifies — or could identify — a person (called the data subject under the GDPR).
Examples include:
- Name, email address, or phone number
- Photo or video
- Postal address or location data
- Bank account or car registration number
- Social media account
What are “special categories” of personal data?
Special category data (previously called “sensitive data”) is a type of personal data that requires extra protection.
It includes information such as:
- Health data
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Genetic or biometric data
Because this data is more sensitive, it can only be processed under specific legal conditions set out in the GDPR. Organisations must have a valid legal basis and apply stronger safeguards to prevent misuse or discrimination.
What is data processing?
Data processing covers any action performed on personal data — from collection to deletion.
It includes activities such as:
- Recording and organising
- Storing and retrieving
- Sharing or disclosing
- Altering or erasing
Processing can be done manually or automatically through computers and software.