GDPR (General Data Protection Regulation)

The European Union regulation governing how organizations collect, process, store, and share the personal data of individuals in the EU and EEA. Adopted in 2016 and applicable from May 2018, it established a standard for valid consent, data subject rights, and enforcement penalties that reshaped global marketing data practices.

GDPR became applicable on 25 May 2018 and changed how every organization touching EU personal data operates. It requires a lawful basis for each processing activity, gives individuals rights over their data (access, rectification, erasure, portability, restriction, and objection), requires that breaches be reported to the supervisory authority within 72 hours of becoming aware of them unless the breach is unlikely to result in a risk to individuals, and allows administrative fines of up to EUR 20 million or 4% of worldwide annual turnover, whichever is higher.

For marketing, the impact was structural. Consent became the lawful basis most marketing teams reached for, and the bar for valid consent rose: it must be freely given, specific, informed, and unambiguous, so pre-ticked boxes and bundled consent no longer count. Email lists had to be re-permissioned. Tracking pixels and cookies required opt-in (strictly, that requirement comes from the ePrivacy Directive, but GDPR defines what counts as valid consent). Written data processing agreements became mandatory for every vendor acting as a processor on the organization's behalf. The regulation did not introduce privacy as a concept, but it attached real consequences to ignoring it.

The legislative template

GDPR's reach extends past EU borders through extraterritorial application: an organization with no EU establishment still falls under it when it offers goods or services to individuals in the EU or monitors their behavior, regardless of where it is headquartered. More importantly, GDPR set the legislative template. CCPA, Brazil's LGPD, Canada's proposed updates to PIPEDA, and a wave of US state privacy laws all draw from GDPR's framework of lawful processing, individual rights, and breach notification.

For global marketing organizations, GDPR compliance is often the floor. Build to GDPR’s standard, and you can adapt to most other regulations with incremental effort. Build to a lower standard, and each new regulation requires its own remediation project.

Compliance does not have an end date

The first mistake is treating GDPR as a legal project that ended in 2018. Compliance is ongoing. New processing activities must be added to the record of processing activities, and any that are likely to be high risk (large-scale profiling, for example) need a data protection impact assessment before they start. Staff turnover means new employees need training. Vendor changes require new data processing agreements. Organizations that "got compliant" in 2018 and stopped maintaining the program are accumulating risk.

The second mistake is confusing consent with compliance. GDPR defines six lawful bases for processing (consent, contract, legal obligation, vital interests, public task, and legitimate interests), and consent is only one of them. Legitimate interests, contractual necessity, and legal obligation are alternatives that may apply depending on the processing activity. Defaulting to consent for everything creates unnecessary friction and consent fatigue when other bases would be both lawful and simpler to manage. The choice is not free, though: legitimate interests requires a documented balancing test, and individuals can object at any time; for direct marketing that objection is absolute and the processing must stop.

Frequently Asked Questions

Does GDPR apply to companies outside the EU?

Yes. GDPR applies to any organization that processes the personal data of individuals in the EU when it offers them goods or services or monitors their behavior, regardless of where the organization is based. A US company targeting EU customers or tracking EU visitors on its website falls under GDPR's jurisdiction.

What is the difference between GDPR and CCPA?

GDPR requires a lawful basis (often consent) before processing personal data. CCPA gives consumers the right to know, delete, and opt out of the sale of their data, but does not require pre-collection consent for most processing. GDPR is broader in scope, since it applies to organizations of any size rather than only to businesses above CCPA's revenue and data-volume thresholds, and it carries larger potential penalties. Both require operational changes to marketing data practices.