General data protection

General Data Protection refers primarily to the GDPR, a comprehensive EU law protecting personal data and privacy for all individuals within the EU and European Economic Area.

General Data Protection refers primarily to the General Data Protection Regulation (GDPR), a robust data privacy and security law enacted by the European Union to protect personal data and privacy for all individual citizens of the EU and the European Economic Area (EEA).

What is general data protection?

The General Data Protection Regulation (GDPR) is a comprehensive legal framework that sets guidelines for the collection and processing of personal information from individuals within the European Union and European Economic Area. It represents the most significant piece of data protection legislation in recent decades, establishing strict rules on how organisations must obtain, store, process, and protect personal data.

The regulation emphasises several core principles:

  • Accountability – Organisations must demonstrate compliance with data protection principles
  • Transparency – Clear communication about how personal data is used
  • Data subject rights – Individuals have control over their personal information
  • Data minimisation – Only collecting data that is necessary for the stated purpose

Why is general data protection important?

General data protection is crucial because it:

  • Gives individuals control over their personal data and how it's used
  • Creates a unified regulatory environment across all EU member states
  • Simplifies compliance for international businesses operating within the EU
  • Establishes clear consequences for data breaches and non-compliance
  • Builds trust between organisations and their customers

With penalties reaching up to €20 million or 4% of global annual turnover (whichever is higher), organisations have strong incentives to take data protection seriously.

How do you comply with general data protection?

Compliance with GDPR requires organisations to implement several key measures:

  1. Obtain lawful consent – Ensure you have a valid legal basis for processing personal data
  2. Maintain transparency – Clearly inform individuals about how their data will be used
  3. Respect data subject rights – Respond to access requests, deletion requests, and other rights within required timeframes
  4. Implement security measures – Protect personal data against unauthorised access or breaches
  5. Appoint a Data Protection Officer (DPO) – When required by the regulation
  6. Keep records – Document all data processing activities

Practical examples

Example 1: Marketing communications

A company wants to send marketing emails to EU customers. To comply with GDPR, they must obtain explicit consent before sending any marketing materials, clearly stating how the customer's data will be used. This means implementing opt-in mechanisms rather than pre-ticked boxes.

Example 2: Data access request

An individual exercises their right to access all personal data a company holds about them. Under GDPR, the company must provide this information within one month of receiving the request, free of charge, in an accessible format.

When did the General Data Protection Regulation come into force?

The GDPR was adopted on 14 April 2016 and became enforceable on 25 May 2018. It replaced the previous Data Protection Directive 95/46/EC, significantly strengthening data protection requirements across the EU.

Which entities must follow general data protection rules?

The scope of GDPR extends beyond EU borders. The regulation applies to:

  • All organisations established within the EU that process personal data
  • Organisations outside the EU that offer goods or services to EU residents
  • Organisations that monitor the behaviour of individuals within the EU

This means a company based in the United States, for example, must comply with GDPR if it processes personal data of EU residents, regardless of where the actual data processing takes place.

For official guidance, organisations can refer to the Official GDPR Text on EUR-Lex, the European Data Protection Board (EDPB), and national data protection authorities such as the UK's Information Commissioner's Office (ICO), France's CNIL, or Germany's BfDI.