General Data Protection Regulation
A European Union regulation that sets strict rules for the collection, use, and protection of personal data.
Updated April 23, 2026
How It Works in Practice
The General Data Protection Regulation (GDPR) requires organizations operating within the European Union (EU), as well as those outside the EU that process EU residents' personal data, to follow strict rules on how they collect, use, and safeguard this information. It mandates that personal data must be processed lawfully, transparently, and for specific purposes. Individuals are granted rights such as accessing their data, correcting inaccuracies, and requesting deletion. Organizations must also obtain clear consent before processing personal data and notify authorities and affected individuals promptly in the event of data breaches.
Why It Matters
In the digital age, personal data has become a valuable asset but also a potential source of harm when mishandled. The GDPR strengthens individuals' control over their personal information, promoting privacy and trust in digital services. It also harmonizes data protection laws across EU member states, simplifying compliance for businesses and enhancing legal certainty. For diplomacy and political science, GDPR exemplifies how supranational regulations can impact global data flows, sovereignty, and international relations.
GDPR vs Other Data Protection Laws
While many countries have their own data protection laws, GDPR is notable for its extraterritorial reach—it applies to any entity processing the data of EU residents, regardless of the entity’s location. This contrasts with laws like the US’s sector-specific regulations, which often apply only domestically. GDPR’s comprehensive approach and heavy penalties for non-compliance (up to 4% of global annual turnover) set a high standard globally, influencing other jurisdictions to adopt similar frameworks.
Real-World Examples
A multinational company collecting customer data from EU citizens must comply with GDPR, even if it has no physical presence in the EU. For example, Google was fined €50 million by French regulators in 2019 for failing to provide transparent information about data consent, illustrating GDPR’s enforcement power. Moreover, GDPR has led to widespread changes in privacy policies and data handling practices worldwide.
Common Misconceptions
One misconception is that GDPR applies only to companies based in Europe. In reality, it applies to any organization processing the personal data of EU residents, no matter where the organization is located. Another misunderstanding is that GDPR bans all data processing; instead, it requires lawful bases and transparency but does not prohibit data use outright. Finally, some believe only large firms are affected, but GDPR applies to small and large entities alike if they handle relevant data.
Example
In 2018, the GDPR prompted Facebook to revise its privacy policies globally to comply with the regulation's strict data protection requirements.