What Is GDPR?

The General Data Protection Regulation (GDPR) is the European Union's comprehensive data privacy law, enacted in 2016 and effective since May 2018. It governs how organizations worldwide collect, process, and store the personal data of individuals within the EU, establishing one of the most influential privacy frameworks globally and setting a benchmark that has shaped data protection laws across jurisdictions.

Scope and applicability

The GDPR applies to any organization that processes the personal data of individuals in the EU, regardless of where the organization itself is located. A company based in the United States, Asia, or elsewhere must comply with the GDPR if it offers goods or services to people in the European Union or monitors their behavior there. This extraterritorial reach makes the GDPR a de facto global standard for organizations operating internationally.

The regulation defines personal data broadly as any information relating to an identified or identifiable natural person. This covers obvious identifiers such as names and addresses, but also extends to IP addresses and other online identifiers, location data, biometric data, and anything else that could be used to identify a person directly or indirectly.

Core principles

GDPR establishes fundamental principles for data processing. Data must be processed lawfully, fairly, and transparently. Collection must be limited to what's necessary for specified, explicit purposes. Data must be accurate and kept up to date. Storage should be limited to the period necessary for the purposes for which it's processed. And organizations must implement appropriate security measures to protect personal data.

These principles shift the burden of proof to organizations. Rather than individuals having to demonstrate harm, organizations must demonstrate compliance with these principles and document their data processing activities.

Individual rights

The regulation grants individuals in the EU a comprehensive set of rights over their personal data. The right of access allows individuals to obtain confirmation of whether their data is being processed and to receive a copy of that data. The right to rectification allows for the correction of inaccurate or incomplete data. The right to erasure (often called the "right to be forgotten") allows individuals to request deletion of their data under certain circumstances.

Additional rights include data portability (the ability to receive personal data in a structured, commonly used, machine-readable format), the right to object to certain types of processing, and rights related to automated decision-making and profiling. Organizations must respond to these requests without undue delay and in any case within one month, extendable by two further months for complex or numerous requests.

Consent requirements

GDPR requires organizations to have a valid lawful basis for data processing. The regulation lists six: consent, performance of a contract, a legal obligation, protection of vital interests, a public task, and legitimate interests; which one applies depends on the context. Where consent is the basis, it must be freely given, specific, informed, and unambiguous. Pre-checked boxes or implied consent don't meet the standard. Organizations must clearly explain what data they're collecting, why, and how it will be used.

Importantly, individuals must be able to withdraw consent as easily as they gave it. Organizations can't make services conditional on consenting to data processing that isn't necessary for providing those services.

Enforcement and penalties

Enforcement is handled by the supervisory (data protection) authority in each EU member state. Noncompliance can result in substantial penalties: for the most serious infringements, up to €20 million or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher, with a lower tier of €10 million or 2% for other infringements. These significant penalties have made GDPR compliance a priority for organizations worldwide.

Beyond formal penalties, GDPR has changed organizational behavior through reputational concerns and the visibility of enforcement actions. Significant fines against prominent companies have demonstrated that regulators are willing to use their authority.

GDPR and digital identity

GDPR has direct implications for digital identity systems operating in or serving individuals in the EU. Online verification that records every credential presentation creates a log of where and when each person proved something about themselves, which is hard to reconcile with data minimization and storage limitation. Server retrieval models that query the issuer in real time must consider whether they give the issuer, or any central server, visibility into each use of a credential, a surveillance possibility at odds with GDPR principles.

Privacy-preserving approaches to digital identity (selective disclosure, offline verification, and minimal data collection) align naturally with GDPR requirements. Systems designed to share only the necessary claims, avoid centralized logging, and give individuals control over their data support both privacy principles and regulatory compliance.
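The mechanism behind selective disclosure and offline verification is easier to see in code than in prose. The example below is an added illustration, not code from the original article or from any particular identity product. It follows the salted-hash claim commitment construction used by SD-JWT: the issuer signs only hashes of salted claims, the holder attaches just the claims a verifier needs, and the verifier checks them against the signed commitments without contacting the issuer. The issuer signature is simulated with HMAC under a shared demo key (`ISSUER_KEY`, a constructed value); a real deployment would use an asymmetric signature such as Ed25519 so the verifier holds only the issuer's public key. The claim values and issuer URL are likewise constructed for the demo.

```python
"""Selective disclosure with salted-hash claim commitments (SD-JWT style).
Added example, not from the original article. HMAC stands in for an
asymmetric issuer signature; ISSUER_KEY is a constructed demo value."""
import hashlib
import hmac
import json
import secrets

ISSUER_KEY = b"demo-issuer-key"  # constructed demo secret, not a real key


def _digest(disclosure: str) -> str:
    """Commitment to one disclosure string: SHA-256 of its bytes."""
    return hashlib.sha256(disclosure.encode()).hexdigest()


def _sign(key: bytes, payload: dict) -> str:
    """Simulated issuer signature over a canonical JSON encoding of the payload."""
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def issue_credential(issuer_key: bytes, claims: dict):
    """Issuer side. The signed credential commits only to salted claim hashes;
    the plaintext disclosures are handed to the holder separately."""
    disclosures = {}
    digests = []
    for name, value in claims.items():
        # A fresh 128-bit salt per claim stops a verifier from guessing an
        # undisclosed low-entropy value (e.g. a date of birth) from its hash.
        salt = secrets.token_hex(16)
        disclosure = json.dumps([salt, name, value], separators=(",", ":"))
        disclosures[name] = disclosure
        digests.append(_digest(disclosure))
    payload = {"iss": "https://issuer.example", "_sd": sorted(digests)}
    credential = {"payload": payload, "sig": _sign(issuer_key, payload)}
    return credential, disclosures


def present(credential: dict, disclosures: dict, reveal: list) -> dict:
    """Holder side: attach only the disclosures the verifier actually needs."""
    return {"credential": credential, "disclosures": [disclosures[n] for n in reveal]}


def verify_presentation(issuer_key: bytes, presentation: dict) -> dict:
    """Verifier side. Runs entirely offline: no issuer query, so the issuer
    never learns when or where the credential was used."""
    cred = presentation["credential"]
    expected = _sign(issuer_key, cred["payload"])
    if not hmac.compare_digest(expected, cred["sig"]):
        raise ValueError("issuer signature invalid")
    committed = set(cred["payload"]["_sd"])
    revealed = {}
    for disclosure in presentation["disclosures"]:
        # Any change to salt, name or value changes the digest and is rejected.
        if _digest(disclosure) not in committed:
            raise ValueError("disclosure not committed to by issuer")
        _salt, name, value = json.loads(disclosure)
        revealed[name] = value
    return revealed


def demo():
    """Issue a credential, present one claim, verify it, and show that the
    undisclosed claims never leave the holder and tampering is caught."""
    claims = {"name": "Alice Example", "dob": "1990-01-01", "age_over_18": True}
    cred, disc = issue_credential(ISSUER_KEY, claims)
    presentation = present(cred, disc, ["age_over_18"])
    revealed = verify_presentation(ISSUER_KEY, presentation)
    # Only digests of the other claims are in the presentation, never the values.
    leaked = "1990-01-01" in json.dumps(presentation)
    # Flip the disclosed value; the digest no longer matches the commitment.
    forged = dict(presentation, disclosures=[presentation["disclosures"][0].replace("true", "false")])
    try:
        verify_presentation(ISSUER_KEY, forged)
        tamper_rejected = False
    except ValueError:
        tamper_rejected = True
    return revealed, leaked, tamper_rejected


if __name__ == "__main__":
    print(demo())
```

Two things a production protocol adds that this sketch omits: a holder key binding plus a verifier-supplied nonce, so a captured presentation cannot be replayed by someone else, and a revocation mechanism that does not turn into per-presentation phone-home (for example, a periodically refreshed status list the verifier fetches in bulk rather than a per-credential lookup).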

Global influence

GDPR has influenced privacy legislation worldwide. The California Consumer Privacy Act, Virginia's Consumer Data Protection Act, and similar laws in other U.S. states draw on GDPR concepts. Countries across Asia, South America, and Africa have adopted GDPR-influenced frameworks. The regulation has effectively established a global baseline for privacy protection that organizations must consider regardless of their primary market.

For digital identity systems, this means designing for privacy isn't just good practice; it's increasingly a legal requirement across multiple jurisdictions. Systems that embed privacy protections from the outset are better positioned for compliance as global privacy regulations continue to expand.
