General Data Protection Regulation
jee-dee-pee-ARE
The European Union regulation that governs how companies collect, store, and process personal data of EU residents.
GDPR is the EU's data protection law. It went into effect in May 2018 and changed how every company that touches European user data operates. If you have even one customer in the EU, GDPR applies to you.
The regulation gives individuals rights over their data: the right to access it, correct it, delete it, and port it to another service. Companies must have a legal basis for processing personal data, document their data flows, and report breaches within 72 hours.
Fines are real. Amazon got hit with a 746 million euro fine. Meta received 1.2 billion euros. Even smaller companies face penalties. The practical impact for SaaS companies is significant: you need cookie consent banners, data processing agreements with vendors, and clear documentation of what data you collect and why. Standard contractual clauses handle cross-border data transfers. Data residency requirements may also apply.
Examples
A SaaS company receives a data subject access request.
A user in Germany emails asking for all data the company holds on them. Under GDPR, the company has 30 days to compile and deliver a complete export of that user's data.
A startup adds a cookie consent banner.
Before GDPR, the site tracked every visitor automatically. Now it shows a consent banner that lets users opt in or out of analytics, marketing, and functional cookies separately.
An engineering team designs a new feature.
The feature collects user location data. The PM checks with legal first. They add a privacy impact assessment, update the privacy policy, and ensure the data can be deleted on request.
Frequently asked questions
Does GDPR apply to companies outside the EU?
Yes. If you process personal data of anyone in the EU, GDPR applies to you regardless of where your company is based. A startup in San Francisco with one EU customer must comply.
What is the maximum GDPR fine?
Up to 20 million euros or 4% of annual global turnover, whichever is higher. For large companies, the percentage-based fine is usually the bigger number.
Related terms
Privacy policy
A legal document that explains what personal data a company collects, how it uses that data, and how it protects it.
CCPA
California's privacy law that gives residents the right to know what personal data is collected, request deletion, and opt out of data sales.
Data processing agreement
A contract between a data controller and a data processor that defines how personal data will be handled; required under GDPR.
Data residency
The requirement that data be stored and processed within specific geographic boundaries, often mandated by local laws or regulations.
Standard contractual clauses
EU-approved contract templates that allow the lawful transfer of personal data from the EU to countries without equivalent data protection laws.