Since taking effect in May 2018, the General Data Protection Regulation (GDPR) has fundamentally changed how websites collect, store, and use personal data. With fines reaching into the tens of millions of euros and enforcement agencies growing more active every year, understanding GDPR is no longer optional — it's essential for any website with European visitors.
This guide explains what GDPR is, who it applies to, what it requires, and what practical steps you need to take to bring your website into compliance.
What is GDPR?
GDPR was created in response to the explosive growth of digital data collection — from social media platforms and e-commerce sites to analytics tools and advertising networks. The regulation gives European residents meaningful control over their personal data and creates enforceable obligations for any organization that handles that data.
Who Does GDPR Apply To?
This is the question that surprises most website owners outside Europe: GDPR applies to your organization if you collect or process personal data of people located in the EU or EEA — regardless of where your organization is based.
That means a US-based e-commerce store, a Canadian SaaS company, or an Australian blog can all be subject to GDPR if they have EU visitors, customers, or users. The regulation uses what's called the "targeting criterion" — if you actively market to EU residents or monitor their behavior (through analytics, cookies, etc.), GDPR applies.
Key Terms: Controller vs. Processor
GDPR distinguishes between two types of entities:
- Data Controller: The organization that determines why and how personal data is processed. If you run a website that collects user data, you are almost certainly a data controller.
- Data Processor: A third party that processes data on behalf of the controller. Your email marketing provider, analytics platform, or cloud hosting service may be processors.
Controllers have the primary compliance obligations. Processors must operate under a Data Processing Agreement (DPA) and can only process data as instructed by the controller.
The 7 Core Principles of GDPR
GDPR is built on seven foundational principles that govern all personal data processing:
- Lawfulness, Fairness, and Transparency: You must have a lawful basis for processing, be honest about how data is used, and make that information accessible.
- Purpose Limitation: Data collected for one purpose cannot be repurposed for something incompatible without obtaining fresh consent.
- Data Minimization: Collect only the data you actually need. If a name and email are sufficient, don't ask for a phone number and date of birth.
- Accuracy: Personal data must be kept accurate and up to date. Inaccurate data should be corrected or deleted.
- Storage Limitation: Data should not be kept longer than necessary for its stated purpose. You need a data retention policy.
- Integrity and Confidentiality: Data must be protected with appropriate technical and organizational security measures.
- Accountability: You must be able to demonstrate your compliance — not just claim it.
The 6 Lawful Bases for Processing
Every time you process personal data, you must have a lawful basis. GDPR provides six options:
- Consent: The individual has given clear, specific, informed, and unambiguous consent. Consent must be freely given and easy to withdraw.
- Contract: Processing is necessary to fulfill a contract with the individual (e.g., processing a customer's order).
- Legal Obligation: Processing is required to comply with a law (e.g., retaining financial records for tax purposes).
- Vital Interests: Processing is necessary to protect someone's life or physical safety.
- Public Task: Processing is necessary to perform an official function or task in the public interest.
- Legitimate Interests: Processing is necessary for the legitimate interests of the controller or a third party, unless those interests are overridden by the individual's rights. This is the most commonly used basis for commercial processing.
The 8 Data Subject Rights
GDPR grants EU residents eight enforceable rights over their personal data:
- Right to be Informed: Individuals have the right to know how their data is being used, in clear and plain language.
- Right of Access (Subject Access Request): Individuals can request a copy of all personal data you hold about them, typically within 30 days.
- Right to Rectification: Individuals can request correction of inaccurate or incomplete data.
- Right to Erasure ("Right to be Forgotten"): Individuals can request deletion of their data under certain circumstances.
- Right to Restrict Processing: Individuals can ask you to pause processing their data while a dispute is resolved.
- Right to Data Portability: Individuals can request their data in a machine-readable format to transfer to another service.
- Right to Object: Individuals can object to processing based on legitimate interests or for direct marketing purposes.
- Rights Related to Automated Decision-Making: Individuals can request human review of decisions made solely by algorithms that have significant effects on them.
Your website must have a process for handling these requests. Most businesses designate a dedicated email address for privacy requests and commit to responding within 30 days.
What Your Website Needs to Be GDPR Compliant
1. A GDPR-Compliant Privacy Policy
Your privacy policy must clearly disclose: what data you collect, why you collect it, the lawful basis for each type of processing, how long you retain it, who you share it with, users' rights under GDPR, and your contact information. Vague or generic policies do not satisfy GDPR's transparency requirements.
2. Cookie Consent Mechanism
Non-essential cookies (analytics, advertising, personalization) require explicit consent before they are loaded. A cookie banner that only offers an "Accept" button does not comply — users must be able to decline or customize their preferences.
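A consent gate for non-essential cookies along the lines just described, as an added example written for this guide (not code from the original page): it keeps a deny-by-default state until the visitor makes an explicit choice, treats "reject all" and withdrawal as first-class actions, and only runs the loader for a category the visitor opted into. The category names and the loader functions are assumptions; in a browser each loader would inject the corresponding script tag, while here they are plain functions so the logic runs in Node without a DOM.

```javascript
// Added example (not from the original article): a consent model for gating
// non-essential cookies. Category names and loaders are assumptions.
const CATEGORIES = ["essential", "analytics", "advertising", "personalization"];

// State before the visitor has chosen: nothing non-essential is allowed.
function defaultConsent() {
  return { version: 1, decidedAt: null, analytics: false, advertising: false, personalization: false };
}

// Record an explicit choice. "Accept all", "reject all" and per-category
// selections all go through here, so declining is as easy as accepting.
// Only a strict `true` counts as opt-in; anything else stays denied.
function recordConsent(choices, now = Date.now()) {
  const consent = defaultConsent();
  for (const cat of CATEGORIES) {
    if (cat !== "essential" && choices[cat] === true) consent[cat] = true;
  }
  consent.decidedAt = now;
  return consent;
}

// Withdrawing consent must be as easy as giving it: reset to deny-all,
// but keep the timestamp so the withdrawal itself is recorded.
function withdrawConsent(now = Date.now()) {
  return { ...defaultConsent(), decidedAt: now };
}

// The gate: essential cookies are always allowed; every other category
// only after an explicit, recorded opt-in. Unknown categories are rejected
// loudly so a misnamed tag cannot slip through as "allowed".
function mayLoad(category, consent) {
  if (category === "essential") return true;
  if (!CATEGORIES.includes(category)) throw new Error("unknown category: " + category);
  return consent.decidedAt !== null && consent[category] === true;
}

// Run every registered loader whose category is allowed; return which ran.
function loadAllowed(loaders, consent) {
  const loaded = [];
  for (const [category, load] of Object.entries(loaders)) {
    if (mayLoad(category, consent)) {
      load();
      loaded.push(category);
    }
  }
  return loaded;
}
```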
3. Data Processing Agreements with Third Parties
If you use third-party services that process EU user data (Google Analytics, Mailchimp, Stripe, etc.), you must have a Data Processing Agreement in place with each one. Most major providers offer standard DPAs you can sign through their platforms.
4. A Process for Handling Data Subject Requests
You must be able to fulfill access, deletion, and portability requests within 30 days. This means knowing where user data is stored and having a way to retrieve or delete it.
5. Data Breach Notification Procedure
If you experience a data breach, you must notify your supervisory Data Protection Authority within 72 hours of becoming aware of it if the breach poses a risk to individuals. If the risk is high, you must also notify the affected individuals.
GDPR Fines and Enforcement
GDPR enforcement is not theoretical. Since 2018, regulators have issued billions of euros in fines across Europe. The two tiers of penalties are:
- Tier 1: Up to €10 million or 2% of global annual turnover for less serious violations (e.g., failure to maintain records of processing activities).
- Tier 2: Up to €20 million or 4% of global annual turnover for the most serious violations (e.g., processing data without a lawful basis, violating the principles of data protection by design).
Enforcement in 2026 has become increasingly focused on small and medium businesses, not just tech giants. Supervisory authorities across the EU are investigating complaints from individuals more proactively than ever.
Frequently Asked Questions
Does GDPR apply to websites outside the EU?
Yes. GDPR applies to any organization worldwide that collects or processes personal data of people located in the EU or EEA, regardless of where the organization is based. A US website with EU visitors is subject to GDPR.
How large can GDPR fines be?
GDPR fines can reach up to €20 million or 4% of annual global turnover, whichever is higher, for the most serious violations. Lesser violations carry fines of up to €10 million or 2% of global turnover.
What are the lawful bases for processing?
GDPR requires you to have a lawful basis for every type of personal data processing. The six lawful bases are: consent, contract performance, legal obligation, vital interests, public task, and legitimate interests.
Do I need a Data Protection Officer (DPO)?
A DPO is a person responsible for overseeing GDPR compliance. You are required to appoint one if you are a public authority, if you carry out large-scale systematic monitoring of individuals, or if you process special category data at scale. Most small websites do not need a formal DPO.