What Is GDPR?

Written by Coursera Staff • Updated on

Learn the principles of the GDPR and understand how this European data protection law governs the collection of data in Europe and beyond.

[Featured Image] Two colleagues look at a laptop and discuss GDPR while sitting on a plane, traveling to Europe.

The GDPR, or General Data Protection Regulation, is a European legal framework outlining rules for collecting and using personal data. The law came into effect in 2018 after approval in 2016, and a highly strict security law that applies globally. Its entrance obliged many companies to rewrite data protection policies and privacy procedures. 

In this article, you’ll look at the GDPR law in more detail and learn how it governs the collection and use of data in Europe and the rest of the world, as well as understand some benefits and limitations of complying with the GDPR.

What is GDPR?

The GDPR is a data security law in place to protect European consumer data by ensuring that organizations handling this information follow strict rules around its storage and usage. Data breaches are common with the rise in data collecting and storage via the cloud. Europe’s general data protection legislation puts consumers in control of their data and how companies use it. Any companies that violate the GDPR are subject to heavy fines.

The 7 principles of GDPR

The GDPR established a standardized approach to protecting consumer data and aims to stop companies and public entities from using it unlawfully. It gives people in the European Union (EU) the right to know what information businesses and organizations store; additionally, it allows them to have a say in how companies process that information. The GDPR outlines seven principles that companies must adhere to when storing and using data.

  1. Lawfulness, fairness, and transparency: As a company or organization collecting data, you must disclose what you will use it for and have consumer consent to do so. 

  2. Purpose limitation: You must use any data you collect from consumers for the stated purpose, which must be clearly outlined. If your organization wants to use an individual’s data for a new purpose other than that stated, you must contact them again for consent. 

  3. Data minimization: Companies must only collect data needed to fulfill their purpose. For example, you do not need to collect a phone number to subscribe a customer to an email list, so you should not ask for this. 

  4. Accuracy: Stored data must be accurate and audited regularly. Consumers have a right to change any data that is not accurate. 

  5. Storage limitation: Companies must justify how long they keep consumer data, which must be relevant to the need. You might detail this in a storage limitation policy.

  6. Integrity and confidentiality: Companies and organizations storing consumer data must ensure that it is safe from any threat, security breach, or damage. You must outline this in a policy and maintain it as an essential business practice. 

  7. Accountability: Records, policies, measures, and evidence must be in place to prove that a company or organization is adhering to the GDPR. Supervisory authorities can ask for this at any time.

Does GDPR affect businesses in the US?

While the GDPR is a European data protection law, it affects businesses worldwide that collect data from consumers in the EU. Given the nature of online business, most companies outside of Europe have some European customers or track website visitors who may be from Europe using data and so must comply with the GDPR. 

Fines for violating GDPR

Fines for violating the GDPR are extremely high, showing the importance the EU places on keeping data safe and using it ethically. For severe breaches of the GDPR, fines may total up to 4 percent of annual turnover or up to 20 million euros, whichever is higher [1]. For less extreme violations, fines can still be as high as 2 percent of global annual turnover [1].

To highlight the severity of GDPR fines, in early 2023, Meta Platforms Ireland received a fine of 1.2 billion euros for unlawfully transferring data to the US [2]. 

Benefits of GDPR

The GDPR has many benefits for the public and organizations that collect data, as it clearly outlines expectations and adds a layer of protection in a world where data security is a real threat. Let’s explore these benefits in more detail.

Protects rights

The GDPR protects consumers’ rights since businesses must follow strict guidelines around gathering and processing data. Consumers have the right to access their personal data and know how companies use it.

Improves reputation

Showing that your business works in line with the GDPR and takes it seriously builds trust with consumers and site visitors and enhances your reputation as an organization that recognizes the importance of data protection. 

Provides security for businesses and consumers

The GDPR ensures that proper security is in place to protect data otherwise, heavy fines may apply. This plays into cybersecurity procedures that ensure data is not accessed illegally. 

Gives more control to the consumer

Companies collecting data can be a worry for consumers. The GDPR puts the consumer in control by ensuring companies clearly outline the data they collect and state exactly how they will use it. Consumers can opt-in or decide not to allow your company to use their data. 

Protects people outside the EU too

The GDPR safeguards citizens who are living in any country in the EU. It also governs businesses outside the EU that may deal with consumer data from the EU. 

Limitations of GDPR

The GDPR has brought many benefits for protecting data and ensuring tight security; however, it has limitations, especially for small businesses. Let’s take a look below. 

Workload for SMEs

GDPR compliance involves a great number of policies and procedures, often at a big expense, leaving many small and medium-sized enterprises (SMEs) finding it difficult to comply. Data security methods such as encryption can be confusing, especially for small businesses without technical expertise. 

Hefty fines

Failing to comply with the GDPR can mean substantial fines that may run into millions of euros. This is a concern for any business, but for a small business, it is enough for many to have to cease trading.

Learn more with Coursera.

The GDPR is a complicated law that requires much research to ensure compliance. If this regulation affects how you run your business, or if you are a consumer wishing to understand more, you might consider an online course. Knowledge Accelerators delivers The ABCs of GDPR: Protecting Privacy in an Online World on Coursera.

Article sources


GDPR.EU. "What are the GDPR Fines?, https://gdpr.eu/fines/." Accessed March 22, 2024.

Keep reading

Updated on
Written by:

Editorial Team

Coursera’s editorial team is comprised of highly experienced professional editors, writers, and fact...

This content has been made available for informational purposes only. Learners are advised to conduct additional research to ensure that courses and other credentials pursued meet their personal, professional, and financial goals.