Glossary

GDPR (General Data Protection Regulation)

GDPR is the EU's data-protection regulation governing how personal data of EU residents is collected, processed, stored, and transferred — with global reach and significant fines for non-compliance.

GDPR (General Data Protection Regulation) is the European Union's data-protection regulation, in effect since May 2018. It governs the collection, processing, storage, and transfer of personal data belonging to EU residents — regardless of where the processing company is based.

Key principles: lawful basis for processing (consent, contract, legitimate interest, etc.), data minimization (collect only what's necessary), purpose limitation (use data only for the stated purpose), storage limitation (retain only as long as necessary), and accountability (document your compliance). Personal data is broadly defined: name, email, IP address, device ID, and behavioral data all qualify.

User rights under GDPR: access (request a copy of all data held), rectification (correct inaccurate data), erasure (the 'right to be forgotten'), portability (export data in a machine-readable format), restriction (limit how data is processed), objection (opt out of certain processing). A request must be honored within 30 days.

Practical requirements for websites: a cookie banner with granular consent (analytics off by default until consent), a privacy policy describing what's collected and why, a sub-processors list (who else has access to the data), a data-processing agreement (DPA) with vendors, and a designated EU representative for non-EU companies serving EU users.

Fines: up to €20M or 4% of global annual revenue, whichever is higher. Enforcement has been steady and meaningful — Meta, Google, and Amazon have all received fines in the €100M+ range. The compliance cost for a typical SaaS startup is significantly lower than the fine risk — most teams handle it with a consent-management platform (Osano, Cookiebot, OneTrust) and a vetted privacy policy template.

Example

A SaaS company serving EU users must: get explicit consent before loading Google Analytics, document the sub-processors (Vercel, Stripe, PostHog, etc.) in their privacy policy, sign DPAs with each, and offer EU users a 'delete my data' workflow that propagates to all sub-processors within 30 days.
