GDPR (General Data Protection Regulation)
The law the data stack answers to — lawful bases, real consent, enforceable rights, and fines that made privacy a board topic.
- Term
- GDPR (General Data Protection Regulation)
- Is
- The EU's General Data Protection Regulation
- Applicable since
- May 25, 2018
- Teeth
- Fines to 4% of global revenue or €20M
Forms & parts of speech
Definition in plain terms
The GDPR — the EU's General Data Protection Regulation, adopted 2016 and applicable since May 25, 2018 — is the comprehensive law governing personal data: any information relating to an identifiable person, processed by anyone targeting or monitoring people in the EU, wherever the company sits. It is the root system of modern privacy practice — the CCPA-family state laws, India's DPDPA, and the consent infrastructure this glossary documents all grew in its shadow — and the reason data protection became a board topic: fines reach 4% of global revenue or €20 million, whichever is higher.
The mechanics
The architecture marketers live inside: every processing purpose needs a lawful basis (six exist; marketing mostly runs on consent and legitimate interest — consent to the GDPR's standard is freely given, specific, informed, and unambiguous, the bar that killed pre-ticked boxes, while legitimate interest demands the documented balancing test and survives objection rights), the data-subject rights are operational obligations (the DSAR entry's access machinery, erasure, portability, objection — each with the one-month clock), and accountability is structural: records of processing, data-protection impact assessments for risky processing, processor contracts (the DPA every vendor signature chain carries), breach notification at 72 hours, and data-protection officers where scale demands. The marketing-specific seams: consent for tracking arrives via the EPRIVACY-DIRECTIVE with GDPR defining the consent's quality (the two-law split that entry explains), profiling and automated decisions carry extra rights, international transfers run the EU-US-DATA-PRIVACY-FRAMEWORK and SCC machinery, and enforcement has repeatedly aimed at marketing's plumbing — consent banners, adtech's TCF framework, and behavioral advertising's lawful-basis claims producing the headline fines. The compliance posture that works is this glossary's recurring one: privacy as engineered data flow — consent wired to firing rules, rights wired to systems, vendors mapped — not policy PDFs.
When it matters
The GDPR matters to anyone with EU users — extraterritorially, by design — and as the template even where it doesn't bind: building to its standard is how global stacks stay coherent (the strictest-common-denominator strategy the state-law entries recommend). It matters most at the lawful-basis choices (consent versus legitimate interest decides UX, data volume, and risk), the rights plumbing, and vendor chains. The discipline: one basis per purpose, documented; consent to the real standard; rights that work end to end; and the standing audit of what actually fires, because enforcement reads tag managers, not mission statements. (General information, not legal advice.)
Synonyms & antonyms
Synonyms
Antonyms
Origin & history
The GDPR was adopted in April 2016 and became applicable May 25, 2018 — replacing the 1995 Directive with directly binding regulation, extraterritorial scope, and the fine schedule that made privacy a board topic; it remains the template the world's privacy laws keep copying.
Etymology: source.
Usage trends
Search interest for this term over the last five years:
Common questions
- What is the GDPR?
- The EU's General Data Protection Regulation — applicable since May 25, 2018 — governing personal data with extraterritorial reach, enforceable rights, and fines to 4% of global revenue.
- What lawful bases does marketing use under GDPR?
- Mostly consent (freely given, specific, informed, unambiguous — no pre-ticked boxes) and legitimate interest (requiring a documented balancing test and honoring objections).
- How do GDPR and ePrivacy fit together?
- ePrivacy requires consent before storing or reading anything on a device; GDPR defines that consent's quality and governs the processing afterward — the banner answers to both.
Related tools & calculators
- toolCAC calculator
- toolLTV:CAC calculator
Resources & people to follow
- referenceGDPR — full text (gdpr-info.eu)
- referenceWikipedia — GDPR
- referenceRGM analysis — one basis per purpose, wired not written; enforcement reads the tag manager
Curated, non-competitor resources verified per term.
Related training
- modulePerformance marketing
Disciplines
Areas of marketing where gdpr is a core concern: