Security+ Academy · Lesson

GDPR and Data Subject Rights

Understand GDPR's key principles — lawful basis, data minimization, purpose limitation — and the rights it grants individuals, including access and erasure.

What Is GDPR?

The General Data Protection Regulation (GDPR) is a European Union privacy law that took effect on May 25, 2018. It governs how organizations collect, store, process, and share personal data belonging to EU residents — regardless of where the organization itself is located. A US company that collects data from EU website visitors must comply with GDPR. Violations carry penalties up to €20 million or 4% of global annual turnover, whichever is higher, making GDPR one of the most consequential privacy regulations globally.

Key GDPR Definitions

GDPR introduces specific terminology. Personal data is any information relating to an identified or identifiable natural person (data subject). A data controller determines the purposes and means of processing — typically the organization collecting data. A data processor processes data on behalf of the controller (cloud providers, analytics vendors). Processing includes any operation on personal data: collection, storage, modification, transfer, or deletion. Understanding these roles is crucial because GDPR assigns different obligations to controllers versus processors.
