General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) is the EU law governing how personal data is processed. Learn its principles, rights, and what it means for AI.
What the GDPR governs
The GDPR regulates the processing of personal data — any information relating to an identified or identifiable natural person, called the data subject. "Processing" is defined broadly: collection, storage, use, disclosure, combination, and erasure all count. A subset of personal data, the special categories (health data, biometric data used to uniquely identify a person, genetic data, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and sex life or sexual orientation), receives heightened protection and may be processed only where one of the specific Article 9 conditions applies.
The regulation is built around the relationship between two roles. The controller determines the purposes and means of processing; the processor acts on the controller's behalf and under its instructions. Most accountability obligations fall on the controller, but processors carry direct duties of their own — including security, sub-processor management, and breach notification to the controller.
The core principles
At the heart of the GDPR are a set of principles that every processing activity must satisfy. They are not optional best practices; they are legal requirements against which regulators assess compliance.
- Lawfulness, fairness, and transparency — processing must have a valid legal basis, be fair to the individual, and be clearly explained to them.
- Purpose limitation — data is collected for specified, explicit, and legitimate purposes and not reused in ways incompatible with those purposes.
- Data minimization — only data that is adequate, relevant, and necessary for the stated purpose may be processed.
- Accuracy — personal data must be kept accurate and up to date, with inaccurate data corrected or erased without delay.
- Storage limitation — data is retained only as long as necessary for the purpose, then deleted or anonymized.
- Integrity and confidentiality — appropriate security protects data against unauthorized access, loss, or damage.
- Accountability — the controller must not only comply but be able to demonstrate compliance through records, policies, and evidence.
Accountability is what turns the GDPR from a checklist into an operating discipline: it is not enough to be compliant; an organization must be able to prove it, with records, policies, and evidence that a regulator can inspect.
Lawful bases for processing
No personal data may be processed without a lawful basis. The GDPR provides six, and a controller must identify the applicable one before processing begins:
- Consent — the individual has given clear, specific, freely given, and revocable agreement.
- Contract — processing is necessary to perform a contract with the individual or to take steps at their request before entering one.
- Legal obligation — processing is required to comply with the law.
- Vital interests — processing is necessary to protect someone's life.
- Public task — processing is necessary to perform a task carried out in the public interest or under official authority.
- Legitimate interests — processing serves the legitimate interests of the controller or a third party, provided those interests are not overridden by the individual's rights and freedoms.
Consent is often assumed to be the default, but for many business activities contract or legitimate interests is the more appropriate and defensible basis. Special-category data requires an additional condition on top of one of these bases.
Data-subject rights
The GDPR gives individuals a set of rights they can exercise against any controller holding their data. Controllers must respond to requests without undue delay and in any case within one month of receipt; that period may be extended by up to two further months for complex or numerous requests, but the individual must be told of the extension, and the reasons for it, within the first month.
- Right of access — to obtain confirmation of processing and a copy of the data held.
- Right to rectification — to have inaccurate or incomplete data corrected.
- Right to erasure — the "right to be forgotten," to have data deleted in defined circumstances.
- Right to restriction — to limit how data is used while a dispute or check is resolved.
- Right to data portability — to receive their data in a structured, machine-readable format and transmit it elsewhere.
- Right to object — to object to certain processing, including direct marketing.
- Rights related to automated decision-making — under Article 22, individuals have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal or similarly significant effects, subject to specific exceptions.
Controller vs. processor
The controller–processor distinction determines who carries which obligations, and getting it wrong is a common source of compliance failure. The table below summarizes the split.
| Obligation | Controller | Processor |
|---|---|---|
| Decides purpose | Yes — determines why and how data is processed | No — acts only on documented controller instructions |
| Primary accountability | Demonstrate compliance with all principles | Comply with security and contractual duties |
| Data-subject requests | Receives and answers requests | Assists the controller in responding |
| Breach notification | Notifies the supervisory authority (within 72 hours where feasible) and affected individuals when the breach is likely to result in a high risk to them | Notifies the controller without undue delay after becoming aware of the breach |
| Contract required | Must put a data processing agreement in place | Bound by that agreement and the controller's instructions |
A single processing arrangement can involve multiple controllers or chains of processors and sub-processors, but the GDPR requires each link to be documented and contractually bound.
Accountability, DPIAs, and enforcement
The accountability principle is operationalized through concrete obligations. Controllers must maintain records of processing activities, implement data protection by design and by default, and — where a type of processing is likely to result in a high risk to individuals — carry out a Data Protection Impact Assessment (DPIA) before starting. A DPIA documents the processing, assesses its necessity and proportionality, and identifies measures to mitigate the risks; large-scale profiling and systematic monitoring are typical triggers. If the DPIA concludes that a high risk remains after mitigation, the controller must consult the supervisory authority before processing begins.
Enforcement sits with national supervisory authorities, which can investigate, order corrective action, and impose administrative fines. The GDPR sets two fine tiers, with the higher tier reaching up to the greater of €20 million or 4% of an organization's total worldwide annual turnover for the preceding financial year. Beyond fines, regulators can ban processing entirely — often a more disruptive outcome than the monetary penalty.
The GDPR and AI
AI systems intensify almost every GDPR obligation. Training data and prompts frequently contain personal data, often gathered for one purpose and reused for model development, which is a direct tension with purpose limitation and data minimization. When employees paste customer records or contracts into an external AI tool, personal data is disclosed to a third party: a processor if the vendor acts only on the organization's documented instructions, or an independent controller if it uses the data for its own purposes such as model training. Either way the disclosure frequently happens without a lawful basis, a data processing agreement, or any record of the transfer.
Three pressure points recur. First, automated decision-making and profiling implicate the Article 22 protections, raising questions of transparency and human oversight whenever AI materially influences decisions about people. Second, transfers to AI vendors, many of them outside the EEA, require both a valid Chapter V transfer mechanism (an adequacy decision, standard contractual clauses, or binding corporate rules) and an Article 28 processor contract. Third, the accountability principle demands evidence: an organization must be able to show what personal data its AI usage touches, where it went, and under what basis. Treating AI as outside the data protection program is, under the GDPR, not a defensible position.