What the regulation covers
The General Data Protection Regulation (Regulation (EU) 2016/679) is the European Union's framework for handling personal data. It contains 99 articles, was adopted in April 2016 and became applicable on 25 May 2018.
The original note also mentioned the United Kingdom's Data Protection Act 2018 and the California Consumer Privacy Act as related privacy frameworks. They are not the same legal instrument, but they show the same practical direction: organizations have to know what personal data they process and why.
GDPR can apply to organizations outside the European Union. Under Article 3 it covers processing carried out in the context of an establishment in the Union, and it also covers organizations with no EU establishment when they offer goods or services to people in the Union or monitor their behaviour there.
Personal data and special categories
Personal data is any information relating to an identified or identifiable living person. Names and location data are obvious examples, but IP addresses, cookie identifiers and pseudonymous records also qualify when they can be linked back to an individual, either on their own or in combination with other information the organization or a third party holds.
Special-category data is subject to a stricter regime: Article 9 prohibits processing it unless one of the listed conditions applies, such as explicit consent. The original article listed the categories: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data used to identify a person, health data and information about sex life or sexual orientation.
Controllers and processors
A controller determines the purposes and means of processing. A processor processes personal data only on the controller's documented instructions. The distinction determines who must put the Article 28 processing contract in place, which obligations each party carries, what each must document and how each responds to data-subject requests and security incidents.
From an engineering point of view, this distinction matters for hosting, analytics, email delivery, backups, customer support tooling and every vendor that receives production data.
Seven core principles
Article 5 sets out the main operating principles: lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; and integrity and confidentiality (Article 5(1)); plus accountability (Article 5(2)), which makes the controller responsible for demonstrating compliance with the other six.
These principles are useful as engineering checks. A system should make the data purpose explicit, collect the minimum necessary fields, keep records accurate, retain them only as needed, protect them appropriately and leave evidence that these choices were made deliberately.
Data minimization
Systems should collect only the data needed for a defined purpose and retain it only as long as that purpose requires. For engineering teams, this affects form fields, logs, analytics events, backups and default retention periods.
Minimization reduces both compliance burden and security exposure: information that was never collected cannot be leaked later.
Integrity and confidentiality
Article 32 requires technical and organizational measures appropriate to the risk, protecting personal data against unauthorized access or disclosure, unlawful processing, and accidental loss, destruction or damage. The article specifically names pseudonymisation and encryption, the ability to ensure ongoing confidentiality, integrity, availability and resilience of processing systems, the ability to restore availability after an incident, and regular testing of the measures. In practice that translates into access control, encryption, secure development, monitoring, tested recovery and timely patching.
The regulation does not prescribe one universal technical stack. It expects the controls to match the state of the art, the cost of implementation, the nature of the data, the processing context and the likely impact on people.
Accountability
Organizations must be able to demonstrate how they comply. That means documenting purposes, data flows, retention, access, processors, security measures and incident decisions instead of treating privacy as an unwritten assumption.
When a breach is likely to result in a risk to people, Article 33 requires the controller to notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it; a notification made later must explain the delay. A processor that detects a breach must notify the controller without undue delay. Where the breach is likely to result in a high risk, Article 34 also requires communicating it to the affected people directly.
In the United Kingdom context discussed by the original article, the supervisory authority is the Information Commissioner's Office (ICO), so a breach that meets the reporting threshold is notified to the ICO.