Growth Marketing Glossary

GDPR (General Data Protection Regulation)

G·D·P·Rnoun (law)

The law the data stack answers to — lawful bases, real consent, enforceable rights, and fines that made privacy a board topic.

GDPRlawful basis for every useconsent - freely given, specificrights: access, erasure, portabilityfines to 4% of global revenueapplicable since May 25, 2018the regulation the modern data stack answers to
Schematic — the regulation's marketing surface
Term
GDPR (General Data Protection Regulation)
Is
The EU's General Data Protection Regulation
Applicable since
May 25, 2018
Teeth
Fines to 4% of global revenue or €20M

Forms & parts of speech

GDPR · noun
The EU's privacy baseline.
"Every consent banner, DSAR portal, and DPA in the stack traces to one root - the GDPR."

Definition in plain terms

The GDPR — the EU's General Data Protection Regulation, adopted 2016 and applicable since May 25, 2018 — is the comprehensive law governing personal data: any information relating to an identifiable person, processed by anyone targeting or monitoring people in the EU, wherever the company sits. It is the root system of modern privacy practice — the CCPA-family state laws, India's DPDPA, and the consent infrastructure this glossary documents all grew in its shadow — and the reason data protection became a board topic: fines reach 4% of global revenue or €20 million, whichever is higher.

The mechanics

The architecture marketers live inside: every processing purpose needs a lawful basis (six exist; marketing mostly runs on consent and legitimate interest — consent to the GDPR's standard is freely given, specific, informed, and unambiguous, the bar that killed pre-ticked boxes, while legitimate interest demands the documented balancing test and survives objection rights), the data-subject rights are operational obligations (the DSAR entry's access machinery, erasure, portability, objection — each with the one-month clock), and accountability is structural: records of processing, data-protection impact assessments for risky processing, processor contracts (the DPA every vendor signature chain carries), breach notification at 72 hours, and data-protection officers where scale demands. The marketing-specific seams: consent for tracking arrives via the EPRIVACY-DIRECTIVE with GDPR defining the consent's quality (the two-law split that entry explains), profiling and automated decisions carry extra rights, international transfers run the EU-US-DATA-PRIVACY-FRAMEWORK and SCC machinery, and enforcement has repeatedly aimed at marketing's plumbing — consent banners, adtech's TCF framework, and behavioral advertising's lawful-basis claims producing the headline fines. The compliance posture that works is this glossary's recurring one: privacy as engineered data flow — consent wired to firing rules, rights wired to systems, vendors mapped — not policy PDFs.

When it matters

The GDPR matters to anyone with EU users — extraterritorially, by design — and as the template even where it doesn't bind: building to its standard is how global stacks stay coherent (the strictest-common-denominator strategy the state-law entries recommend). It matters most at the lawful-basis choices (consent versus legitimate interest decides UX, data volume, and risk), the rights plumbing, and vendor chains. The discipline: one basis per purpose, documented; consent to the real standard; rights that work end to end; and the standing audit of what actually fires, because enforcement reads tag managers, not mission statements. (General information, not legal advice.)

Worked example. A US-based SaaS company 'adds GDPR compliance' in 2018 - a banner, a policy page - and the 2026 audit finds the costume: consent recorded but never gating the tags (the ePrivacy entry's classic), marketing emails running on a 'legitimate interest' nobody balanced or documented, DSARs handled ad hoc at three weeks, and twelve processors without DPAs. The re-engineering runs the architecture: purposes inventoried and each assigned its basis (newsletter to consent, product-usage analytics to a documented legitimate-interest assessment with objection honored), the CMP wired as enforcement feeding Consent Mode, the DSAR pipeline rebuilt to the one-month clock with the data map doing discovery, DPAs papered across the vendor chain, and the breach playbook rehearsed against the 72-hour clock. The next EU enterprise deal's security review - the first audience that ever reads these documents closely - passes in a week instead of a quarter. The fine never came; the architecture paid anyway.
Failure modes to watch. Banners recording consent that never gates anything; 'legitimate interest' invoked without the balancing test on paper; rights handled as favors instead of clocked obligations; processor chains without DPAs; transfers riding vibes instead of frameworks; and compliance living in PDFs while enforcement reads the tag manager.

Synonyms & antonyms

Synonyms

GDPRGeneral Data Protection RegulationEU data protection law

Antonyms

CCPA (the California cousin)ePrivacy (the cookie sibling)

Origin & history

The GDPR was adopted in April 2016 and became applicable May 25, 2018 — replacing the 1995 Directive with directly binding regulation, extraterritorial scope, and the fine schedule that made privacy a board topic; it remains the template the world's privacy laws keep copying.

Etymology: source.

Usage trends

Search interest for this term over the last five years:

View interest-over-time on Google Trends →

Common questions

What is the GDPR?
The EU's General Data Protection Regulation — applicable since May 25, 2018 — governing personal data with extraterritorial reach, enforceable rights, and fines to 4% of global revenue.
What lawful bases does marketing use under GDPR?
Mostly consent (freely given, specific, informed, unambiguous — no pre-ticked boxes) and legitimate interest (requiring a documented balancing test and honoring objections).
How do GDPR and ePrivacy fit together?
ePrivacy requires consent before storing or reading anything on a device; GDPR defines that consent's quality and governs the processing afterward — the banner answers to both.

Related tools & calculators

Resources & people to follow

Curated, non-competitor resources verified per term.

Related training

Disciplines

Areas of marketing where gdpr is a core concern:

Sources

  1. trendsGoogle Trends — "gdpr compliance"