1. Skip to content
  2. Skip to main menu
  3. Skip to more DW sites

What is GDPR?

Lewis Sanders IV
May 24, 2018

Have you received dozens of emails about updates to your favorite online services' privacy policy? The reason is the EU's data protection law, and it has global implications. DW examines how it might affect you.

A young woman uses a laptop in a cafe
Image: picture-alliance/PhotoAlto/S. Olsson

The General Data Protection Regulation (GDPR) is a law passed by the European Parliament that dictates the collection and processing of data, most notably of individuals within the EU.

It effectively overhauls the bloc's data protection rules. Before it, each member state could decide to what it extent it wanted to implement the EU's directive on data protection. As of May 25, they no longer have a choice on how to implement data protection rules.

What are my rights?

If you're an individual residing in the EU, GDPR guarantees you the right:

  • To access data concerning yourself
  • To erasure — or to be forgotten
  • To be informed how your personal data is used
  • To rectification of inaccurate personal data
  • To restrict processing of personal data
  • To data portability — or to obtain and reuse personal data across services
  • To object to processing of personal data
  • To not be subject to an automated decision, including profiling

Do I have to do anything?

For the most part, the answer is no. However, some entities may seek further permission to continue processing your data and ask for your approval.

<div class="opinary-widget-embed" data-poll="will-the-new-data-protection-rules-chang" data-customer="deutschewelleeng"></div>
<script async type="text/javascript" src="//widgets.opinary.com/embed.js"></script>

Was my data protected beforehand?

In short, yes, but not to the extent that GDPR guarantees. GDPR replaces the EU Data Protection Directive, which went into effect in 1995. As such, GDPR provides a much-needed update to deal with the challenges of today.

What about data breaches?

A "data controller" — companies, organizations and any other entity involved in the digital economy and processing data of EU individuals or within the bloc — must legally inform authorities within 72 hours of a data breach.

They are also responsible for informing you if your private data was compromised. However, they don't have to if there were measures to obfuscate the data, such as encryption.

Read more: Is Big Data really the price we 'have to pay' for advanced research?

Are there areas where my data is not covered by GDPR?

Yes. Your data is not covered when it is used for purposes that include national security, statistical analysis and employment relationships (due to a law already governing such relations), among others.

EU beefs up data protection

03:01

This browser does not support the video element.

Who has to comply?

  • Entities located in the EU.
  • Entities providing goods or services to EU residents.
  • Entities monitoring the behavior of EU residents.

Who ensures compliance?

Data Protection Authorities, which are independent public authorities, are tasked with overseeing and investigation the application of data protection laws in the EU. Each EU member state will have one.

What happens after Brexit?

Prime Minister Theresa May's government has vowed to make GDPR part of British law. The law could technically be changed in the future, although it is unlikely. Even in such cases, British companies and organizations would likely continue adhering to GDPR in order to guarantee unhindered access to EU markets.

Data Mining vs. Data Privacy

04:05

This browser does not support the video element.

Skip next section Explore more
Skip next section DW's Top Story

DW's Top Story

Skip next section More stories from DW