Friday, July 3, 2026
PQR News Independent news, clearly explained · pqrnews.com · also pqrnews com / PQRNews
Issue №33
Technology EXPLAINER

What the GDPR Actually Requires, in Plain Terms

Europe's data-protection law reshaped how the internet handles personal information far beyond the EU's borders. Behind the cookie pop-ups is a set of principles worth understanding on their own terms.


For most people, Europe’s data-protection law is invisible until it is annoying — the cookie banner demanding a click, the privacy notice nobody reads, the email asking whether you still want to hear from a company. Those are the surface ripples of the General Data Protection Regulation, and judging the law by them is like judging a building by its doorbell. Underneath sits one of the most consequential attempts anywhere to set rules for how personal information is handled.

The regulation, universally shortened to GDPR, has shaped the modern internet well past the borders of the European Union. Understanding what it actually asks — as opposed to the pop-ups it is blamed for — is worthwhile for anyone interested in internet policy and the balance it tries to strike between data-driven business and individual privacy.

What the law is, and who it covers

The GDPR is a regulation of the European Union that took effect in 2018, setting a single, binding framework for the protection of personal data across the bloc. “Personal data” is defined broadly: any information relating to an identified or identifiable person, from an obvious name or identification number to an online identifier that can be linked back to someone.

Its most striking feature is reach. The law applies not only to organisations established in the EU but to any organisation, anywhere in the world, that processes the personal data of people in the EU in order to offer them goods or services or to monitor their behaviour. A company on another continent with European users falls within its scope. That extraterritorial design is a large part of why the GDPR became a global standard rather than a regional one, a point the European Commission makes explicit in its guidance.

The principles underneath

Beneath the detail, the GDPR is built on a handful of principles that organisations must follow whenever they handle personal data. They are more illuminating than any list of obligations, because everything else flows from them.

The first is that processing must have a lawful basis. An organisation cannot simply do as it likes with data; it needs a valid legal ground — such as the person’s consent, the necessity of performing a contract, or a legitimate interest that does not override the individual’s rights. Consent, when relied upon, must be freely given and specific, which is the reason those cookie choices exist at all. A second principle is purpose limitation: data collected for one stated reason should not be quietly repurposed for another. A third is data minimisation — collecting only what is genuinely needed rather than hoarding information because it might prove useful. Alongside these sit duties of accuracy, storage limitation, and security. Taken together, as the European Data Protection Board stresses, they shift the default from “collect everything” toward deliberate, justified handling. These ideas increasingly shape how the wider consumer technology world designs its products.

The rights it gives people

The other half of the GDPR turns principles into personal rights that individuals can exercise over their own data. These are what give the law teeth for ordinary people, rather than leaving it a matter between companies and regulators.

They include the right to be informed about how one’s data is used; the right of access, to obtain a copy of the data an organisation holds about you; the right to rectification of inaccurate data; and the right to erasure — the so-called “right to be forgotten” — in defined circumstances. There are also rights to restrict or object to certain processing, and to data portability, allowing people to move their data between services. None of these rights is absolute; each has conditions and exceptions. But collectively they represent a deliberate rebalancing, handing individuals levers over information that previously rested almost entirely with the organisations collecting it. The UK Information Commissioner’s Office maintains detailed public guidance on how these rights work in practice, since the UK retained an equivalent framework after leaving the EU.

Why its influence spread

The GDPR’s significance lies less in any single provision than in how far its model has travelled. Faced with the cost of running different systems for different regions, many global companies chose to apply GDPR-style protections to all their users, exporting the standard by default. And a number of governments beyond Europe have since enacted broadly similar data-protection laws, drawing on the same principles, turning what began as a regional rule into a recurring subject of policy debate worldwide.

That diffusion is not universal, and genuine debate surrounds the regulation. Supporters credit it with giving individuals meaningful control and forcing overdue discipline on careless data practices. Critics argue that its compliance burden falls hardest on smaller organisations and that some of its visible effects, the endless consent prompts among them, produce fatigue more than real protection. Bodies such as the OECD have long worked on international principles for handling personal data across borders, and the GDPR is now a central reference point in those discussions. Whatever one makes of the trade-offs, the law set the terms of a global conversation about privacy that shows no sign of closing — and knowing what it actually requires is the price of taking part.

Samuel Reyes

Technology Editor

Samuel Reyes is the Technology Editor at PQR News, overseeing coverage of artificial intelligence, consumer technology, cybersecurity, and the policy debates that shape how technology is built and governed. His desk is built around a simple aim: to explain how the systems…
