GDPR Explained: What It Actually Means for You as a User


GDPR gives you powerful rights over your personal data. Learn what those rights are, how to exercise them, and how to take control of what companies do with your information.

Passwordly Team
10 min read

What Is GDPR and Why Does It Exist

The General Data Protection Regulation (GDPR) is a European Union law that became applicable on May 25, 2018. It is one of the most comprehensive data privacy regulations in the world and has fundamentally changed how companies collect, store, and use personal data.

Before GDPR, companies operated under a patchwork of national implementations of the 1995 Data Protection Directive, with weak and inconsistent enforcement. They could collect vast amounts of personal data on the basis of vague consent, share it freely with third parties, and face minimal consequences for breaches or misuse. The result was an ecosystem where personal data was treated as a commodity to be harvested and exploited.

GDPR introduced a simple but revolutionary principle: your personal data belongs to you, and organizations that process it have strict obligations regarding how they collect, use, store, and protect it.

The penalties for non-compliance are substantial: up to €20 million or 4% of global annual turnover, whichever is higher. These aren't theoretical. Since GDPR took effect, regulators have imposed billions of euros in fines. Meta was fined €1.2 billion in 2023 for unlawful data transfers to the US. Amazon was fined €746 million in 2021. Google has been fined repeatedly, starting with a €50 million fine from France's CNIL in 2019. These enforcement actions demonstrate that GDPR has real teeth.

For users, GDPR provides a set of concrete, enforceable rights. Understanding these rights, and knowing how to exercise them, is like having a user manual for your digital privacy.

Who GDPR Protects

GDPR protects any individual located in the European Economic Area (EEA), regardless of citizenship. If you live in or are visiting an EU/EEA country, GDPR applies to you.

But GDPR's reach extends far beyond Europe:

Global companies must comply. Any company that offers goods or services to people in the EEA, or that monitors the behavior of people in the EEA, must comply with GDPR, regardless of where the company is based. This is why American companies like Google, Meta, and Amazon all comply with GDPR for their European users.

The "Brussels Effect." Because building separate data processing systems for EU and non-EU users is expensive and complex, many companies apply GDPR-level protections globally. Apple's privacy features, Google's data download tools, and Meta's privacy settings are all available worldwide partly because of GDPR compliance requirements.

Other regions have followed. GDPR inspired similar laws worldwide:

  • California (CCPA/CPRA): Similar rights for California residents
  • Brazil (LGPD): Closely modeled on GDPR
  • Canada (CPPA): Proposed modernization of privacy laws
  • India (DPDP Act): Digital Personal Data Protection Act
  • Many others: China, Japan, South Korea, Australia, and more

Even if you're not in the EU, understanding GDPR helps you understand the privacy rights that are becoming standard globally.

Your Rights Under GDPR

GDPR grants you eight core rights. Here are the ones most relevant to everyday users:

1. Right to be informed. Companies must tell you, in clear language, what data they collect, why, how long they'll keep it, and who they share it with. This is why every website now has a Privacy Policy: GDPR requires that it be concise, transparent, and written in plain language.

2. Right of access. You can request a copy of all personal data a company holds about you. They must provide it within one month, free of charge. The deadline can be extended by up to two further months for complex or numerous requests, and a fee may be charged only where a request is manifestly unfounded or excessive. This is a powerful way to discover exactly what a company knows about you.

3. Right to rectification. If a company has incorrect personal data about you, you can demand they correct it. They must respond within one month.

4. Right to erasure ("right to be forgotten"). You can request that a company delete all your personal data. There are exceptions (legal obligations, public interest), but for most consumer services, they must comply.

5. Right to restrict processing. You can ask a company to keep your data but stop using it. Useful when disputing accuracy or challenging the legality of processing.

6. Right to data portability. You can request your data in a structured, machine-readable format and transfer it to another service. This prevents vendor lock-in and lets you move between services without losing your data.

7. Right to object. You can object to certain types of data processing, including profiling and direct marketing. When you object to direct marketing, the company must stop immediately โ€” no exceptions.

8. Rights related to automated decision-making. You have the right not to be subject to decisions made solely by automated processing (including profiling) that significantly affect you. You can request human review of automated decisions.

Right to Access Your Data

The right of access (also called a Subject Access Request or SAR) is your most powerful investigative tool. It forces a company to tell you exactly what they know about you.

What you can request:

  • All personal data the company holds about you
  • The purposes for which it's being processed
  • Which third parties it's been shared with
  • The source of the data (if they didn't collect it directly from you)
  • How long they plan to retain it
  • Whether automated decision-making or profiling is involved

What companies typically reveal is eye-opening:

When people exercise their right of access, they're often shocked by the volume and detail of data companies hold:

  • Social media platforms may have years of posts, messages, login locations, device fingerprints, advertiser data, facial recognition profiles, and detailed behavioral profiles
  • Streaming services track every play, pause, skip, and search, building detailed preference profiles
  • Email providers may retain metadata (who you email, when, how often) even for deleted messages
  • Shopping platforms maintain purchase history, browsing history, wish lists, and price sensitivity models
  • Data brokers compile profiles from hundreds of sources, including public records, loyalty programs, social media, and purchasing data

How to request your data:

Most major companies provide self-service data download tools:

  • Google: myaccount.google.com → Data & Privacy → Download your data (Google Takeout)
  • Facebook/Meta: Settings → Your Information → Download Your Information
  • Apple: privacy.apple.com → Request a Copy of Your Data
  • Amazon: Account → Digital Content → Request My Data
  • Twitter/X: Settings → Your Account → Download an Archive

For companies without self-service tools, send a written request to their Data Protection Officer or, if they have not appointed one (only some organizations are required to), to the data protection contact listed in their Privacy Policy. Keep a dated copy of what you sent, since the one-month clock starts when the company receives it.

Right to Deletion (Right to Be Forgotten)

The right to erasure, popularly known as the right to be forgotten, lets you demand that a company delete all your personal data. This is one of the most powerful rights GDPR provides.

When companies must delete your data:

  • The data is no longer necessary for the purpose it was collected
  • You withdraw the consent you previously gave
  • You object to the processing and there's no overriding legitimate interest
  • The data was processed unlawfully
  • The data must be deleted to comply with a legal obligation

When companies can refuse:

  • They have a legal obligation to keep it (tax records, regulatory requirements)
  • It's needed for the establishment, exercise, or defense of legal claims
  • It's needed for public health purposes
  • It serves the public interest for archival, research, or statistical purposes
  • It's used to exercise the right of freedom of expression and information

In practice, most consumer service data can be deleted. Social media posts, account data, browsing history, and advertising profiles rarely qualify for any exemption. Expect a company to keep a minimal set of records it is legally required to retain, such as invoices and transaction records for tax purposes, even after it deletes the rest.

How to request deletion:

  1. Check if the service has a "Delete Account" option; this usually triggers data deletion
  2. If not, submit a deletion request through their privacy settings or contact form
  3. As a last resort, email their Data Protection Officer or privacy contact directly
  4. Reference GDPR Article 17 specifically in your request
  5. The company has one month to respond and comply (extendable by up to two months for complex requests, but they must tell you within the first month if they extend)

Important note: Deletion requests apply to the specific company's data. Copies already shared with third parties should also be addressed. Under GDPR, the company must notify each recipient it has shared your data with of the erasure unless that proves impossible or involves disproportionate effort (Article 19), and if it has made the data public it must take reasonable steps to inform other controllers processing it (Article 17(2)). You can ask the company to tell you which recipients it notified.

Right to Data Portability

The right to data portability ensures that you can take your data with you when you leave a service. Instead of losing years of content when switching platforms, you can download your data in a structured, machine-readable format.

This right covers data that:

  • You provided to the company (directly, or through your use of the service, such as activity logs), but not data the company derived or inferred about you, such as a profile or a credit score
  • Was processed based on your consent or contract
  • Was processed by automated means

Practical examples:

  • Moving from one email provider to another: You can export all your emails from Gmail and import them into Proton Mail or another provider
  • Switching social media: Download your posts, photos, and connections from Facebook to use on another platform
  • Changing fitness tracking apps: Export your workout history, health data, and personal records
  • Switching cloud storage: Download all your files in their original formats

File formats: Companies must provide data in a "commonly used, machine-readable format." In practice, this usually means CSV, JSON, XML, or HTML. Some companies provide tools that make the transfer easy; others provide raw data dumps that require technical knowledge to use.
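Whether it arrives through an access request or a portability export, the hard part of a raw dump is finding out what is actually in it. The following Python script is an added example, not code from the original article or from any vendor's export tooling. It walks a folder of JSON and CSV files, counts the records in each, lists the field names, and flags fields whose names suggest location, device, or contact identifiers. The sample export it builds is constructed for the example, and the list of hint tokens it matches on is an assumption, not a term defined by GDPR.

```python
"""Inventory a data export (JSON/CSV dump) and flag identifier-bearing fields."""
import csv
import json
import re
import tempfile
from collections import Counter
from pathlib import Path

# Field-name tokens that usually mean location, device or contact identifiers.
# This list is an assumption made for the example, not a term defined by GDPR.
HINT_TOKENS = {"location", "latitude", "longitude", "lat", "lon", "ip",
               "device", "phone", "email", "address"}


def _tokens(key: str) -> set:
    """Split 'latitudeE7' or 'ip_address' into lowercase word tokens."""
    spaced = re.sub(r"([a-z0-9])([A-Z])", r"\1 \2", key)
    return set(re.findall(r"[a-z]+", spaced.lower()))


def _load_json_records(path: Path) -> list:
    with path.open(encoding="utf-8") as fh:
        data = json.load(fh)
    if isinstance(data, list):
        return data
    if isinstance(data, dict):
        # Many exports wrap the record list under one descriptive key.
        if len(data) == 1 and isinstance(next(iter(data.values())), list):
            return next(iter(data.values()))
        return [data]
    return []


def _load_csv_records(path: Path) -> list:
    with path.open(newline="", encoding="utf-8") as fh:
        return list(csv.DictReader(fh))


def summarize_export(root) -> dict:
    """Describe every JSON/CSV file under root: record count, fields, flagged fields."""
    root = Path(root)
    summary = {}
    for path in sorted(root.rglob("*")):
        suffix = path.suffix.lower()
        if suffix == ".json":
            records = _load_json_records(path)
        elif suffix == ".csv":
            records = _load_csv_records(path)
        else:
            continue  # HTML, media and other files are not inventoried here
        fields = Counter()
        for rec in records:
            if isinstance(rec, dict):
                fields.update(rec.keys())
        flagged = sorted(k for k in fields if _tokens(k) & HINT_TOKENS)
        summary[path.relative_to(root).as_posix()] = {
            "format": suffix[1:],
            "records": len(records),
            "fields": sorted(fields),
            "flagged_fields": flagged,
        }
    return summary


def build_sample_export(root) -> Path:
    """Write a small constructed export (not real data) in the style of a Takeout-like dump."""
    root = Path(root)
    (root / "Location History").mkdir(parents=True, exist_ok=True)
    (root / "Ads").mkdir(exist_ok=True)
    (root / "Location History" / "records.json").write_text(json.dumps({"locations": [
        {"timestamp": "2024-01-05T08:12:00Z", "latitudeE7": 525200000, "longitudeE7": 133800000, "deviceTag": 1234},
        {"timestamp": "2024-01-05T08:13:00Z", "latitudeE7": 525201000, "longitudeE7": 133801000, "deviceTag": 1234},
        {"timestamp": "2024-01-05T08:14:00Z", "latitudeE7": 525202000, "longitudeE7": 133802000, "deviceTag": 1234},
    ]}), encoding="utf-8")
    (root / "Ads" / "advertisers.csv").write_text(
        "advertiser,interest_category\nExample Shoes Ltd,Running\nExample Bank,Personal finance\n",
        encoding="utf-8")
    (root / "account.json").write_text(json.dumps(
        {"displayName": "Sample User", "email": "sample@example.com", "phone": "+31 6 0000 0000"}),
        encoding="utf-8")
    return root


def inventory_sample() -> dict:
    """Build the constructed sample in a temporary folder and inventory it."""
    with tempfile.TemporaryDirectory() as tmp:
        return summarize_export(build_sample_export(tmp))


if __name__ == "__main__":
    for name, info in inventory_sample().items():
        print(f"{name}: {info['records']} {info['format']} records; flagged: {info['flagged_fields']}")
```

Point `summarize_export()` at an unpacked export folder to get the same inventory for real data. The flagged list is a starting point for deciding what to ask a company to delete or restrict; it matches on field names only, so a field called `meta` that happens to hold coordinates will not be caught.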

Data portability is a competition-enabling right โ€” it makes it easier to switch services, which incentivizes companies to compete on quality rather than relying on lock-in.

Cookie Consent Banners

Those ubiquitous cookie consent banners that appeared on every website after GDPR deserve explanation, because they're widely misunderstood. Strictly speaking, the requirement to ask before storing non-essential cookies comes from the EU's ePrivacy Directive; GDPR sets the standard that consent must meet (freely given, specific, informed, and as easy to withdraw as to give), which is why the banners changed in 2018.

What cookies are involved:

  • Essential cookies: Required for the website to function (login sessions, shopping carts, security). These don't require consent.
  • Analytics cookies: Track how visitors use the site (page views, time on site, navigation patterns). These generally require consent, although some regulators exempt strictly limited first-party audience measurement.
  • Marketing/advertising cookies: Track you across websites to build advertising profiles, serve targeted ads, and measure ad effectiveness. These require consent.

What "Accept All" really means:

When you click "Accept All Cookies," you're typically consenting to:

  • Being tracked across the internet by dozens of advertising companies
  • Having your browsing behavior profiled for targeted advertising
  • Your data being shared with data brokers and advertising networks
  • Detailed profiles being built about your interests, demographics, and behavior

What you should do instead:

  • Click "Reject All" or "Only Essential" when available โ€” these options exist on most GDPR-compliant banners
  • Customize your choices: If forced to choose specifically, reject marketing and advertising cookies while optionally allowing analytics
  • Use browser settings: Configure your browser to block third-party cookies by default. Safari and Brave block them out of the box, and Firefox isolates them per site with Total Cookie Protection.
  • Use a consent-handling extension: Consent-O-Matic fills in banners with your stored preferences and rejects non-essential categories. "I don't care about cookies" (now owned by Avast) mainly hides banners, and in some cases does so by accepting cookies, so it is a convenience tool rather than a privacy tool.

The dark pattern problem: Many sites deliberately make "Accept All" prominent and easy while hiding the reject option behind multiple clicks. This is being addressed. EU regulators have increasingly ruled that refusing consent must be as easy as giving it; in January 2022, France's CNIL fined Google €150 million and Facebook €60 million for exactly this. The trend is toward simpler, less manipulative consent interfaces.

How to Exercise Your Rights

Practical steps for taking control of your data:

Start with Google. Google likely holds more data about you than any other single company. Visit myaccount.google.com and explore:

  • Data & Privacy: See what data is collected and manage auto-delete settings
  • Google Takeout: Download a copy of everything Google has on you
  • Activity controls: Turn off Web & App Activity, Location History, YouTube History
  • Ad personalization: See your advertising profile and disable personalized ads

Audit your major accounts. For each major platform you use (social media, email, shopping, streaming), check:

  • What data they collect (privacy settings page)
  • Whether you can download a copy of your data
  • Whether you can delete your account and data
  • What privacy settings you can tighten

Delete unused accounts. Every account is a potential breach point. Use a service like JustDeleteMe (justdeleteme.xyz) to find the deletion process for services you no longer use.

Submit data deletion requests. For data brokers and companies you've never directly interacted with, submit deletion requests. Services like DeleteMe, Privacy Duck, or Optery can help automate this process across hundreds of data brokers. Be aware that many brokers are US-based and only fall under GDPR if they target or monitor people in the EEA; for the others, you may need to rely on local laws such as the CCPA.

File complaints when companies don't comply. If a company ignores your GDPR request or responds inadequately, you can file a complaint with your national Data Protection Authority (DPA). The DPA will investigate and can order compliance and impose fines. Each EU/EEA country has its own DPA. In the UK, it's the ICO (Information Commissioner's Office), which enforces the UK GDPR that the UK retained after leaving the EU.

Make privacy management a regular habit. Set a quarterly reminder to review permissions, delete unused accounts, and check for new data breaches. Create strong, unique passwords for each service using our password generator so that a breach of one service doesn't compromise others.


GDPR transformed data privacy from a vague aspiration into an enforceable right. You now have the legal power to discover what companies know about you, demand corrections, require deletion, and take your data elsewhere. These rights are only valuable if you exercise them. Start today โ€” download your data from one major platform, and see what they've been collecting. You might be surprised.
