The General Data Protection Regulation (GDPR) is the European Union law on data protection and privacy in force since 25 May 2018. Replaces the 1995 Data Protection Directive. Applies to any organization processing personal data of EU residents, regardless of where the organization is based. Maximum fine: 4% of annual global revenue or 20 million euros, whichever is higher.
What it means in practice
The headline penalties get the press; the operational reality for individuals is the rights GDPR creates. Right of access (Article 15): you can demand any organization holding your data produce it within 30 days. Right to erasure (Article 17, “right to be forgotten”): you can demand deletion under specific conditions. Right to data portability (Article 20): you can demand machine-readable export. Right to object to processing (Article 21): you can refuse profiling and direct marketing. The cumulative effect for a privacy-minded EU resident is leverage that does not exist in most US contexts. Enforcement varies by national data-protection authority; Ireland (which hosts most US tech subsidiaries) has historically been the slowest, France’s CNIL and the German Bundesdatenschutzbeauftragte are among the most aggressive.
Who it affects, and how
Affects every EU and EEA resident (Switzerland and the UK have substantively similar regimes), plus non-EU residents whose data is processed by EU-based controllers. The cross-border reach matters: a US company providing services to EU users is subject to GDPR for that data, which is why most global SaaS products now offer EU-resident data residency options and DSAR (Data Subject Access Request) workflows. For investigative journalists, NGO staff, and legal professionals working across EU borders, GDPR is both a defensive tool (protecting source data, enforcing minimization) and a target (publication of personal data of public figures sits in tension with the right to be forgotten).
What you can change today
Two practical actions for any EU resident. First, when a data broker, advertising network, or any organization holds your data and you want it gone, file a Subject Access Request followed by an Erasure Request via the organization’s privacy contact (every site must publish one; if not, file a complaint to your national DPA). Templates are available at noyb.eu (Max Schrems’ organization) and on most national DPA websites. Second, before signing up for any service, read the privacy policy section on data sharing and ad-tech partners; the GDPR-required disclosure is usually buried but is the most honest summary of where your data will end up.
