What is GDPR
The General Data Protection Regulation (GDPR) is an EU-wide law governing how companies collect, store, and process personal data of EU citizens. It enforces strict rules, including the right to access, rectify, and erase personal information.
How It Works
Under GDPR, organizations must gain user consent before collecting personal data, minimize the data they store, and ensure it is protected. If users want their data removed (the “right to be forgotten”) or need an export for data portability, companies must comply. Violations can lead to substantial fines. GDPR requirements often affect database design by mandating data governance, auditing, and secure handling of personally identifiable information.
Technical Details
Implementing GDPR can involve segregating personal data, encrypting sensitive fields, and logging all access or changes. You may also need processes for quick data deletion or anonymization if a user withdraws consent. Audit trails can prove compliance if regulators investigate. Companies should define a clear retention policy—data shouldn’t live in logs or backups longer than necessary.
How to Write It
Basic Syntax
-- Example GDPR compliance considerations (PostgreSQL syntax):
-- 1. Right to be forgotten (erasing user data)
--    Delete child rows before the parent row so foreign keys are not violated,
--    and run the whole erasure in one transaction so a failure leaves no partial state.
BEGIN;
DELETE FROM user_activity_logs
 WHERE user_id = ?;
DELETE FROM user_preferences
 WHERE user_id = ?;
DELETE FROM users
 WHERE user_id = ?;
COMMIT;
-- 2. Data portability (exporting user data)
SELECT
    u.user_id,
    u.email,
    u.profile_data,
    p.preferences,
    a.activity_history
FROM users u
LEFT JOIN user_preferences p ON (u.user_id = p.user_id)
LEFT JOIN user_activity_logs a ON (u.user_id = a.user_id)
WHERE u.user_id = ?;
-- 3. Data minimization (masking sensitive data)
CREATE VIEW public_user_data AS
SELECT
    user_id,
    SUBSTRING(email, 1, 2) || '***@' ||
    SPLIT_PART(email, '@', 2) AS masked_email,
    country
FROM users;
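The erasure and export workflows above, carried through as an added example (not code from the original page) in Python on SQLite: child rows go before the parent row, rows the business must retain are anonymized rather than deleted, and every data subject request lands in an audit table keyed by an HMAC token instead of the real user id. The schema, sample rows, AUDIT_KEY and the orders and dsr_audit tables are constructed for this demo.

```python
import hashlib
import hmac
import sqlite3

# Constructed schema: the tables from the SQL above, plus orders (kept for accounting, so
# anonymized rather than deleted) and an audit table for data subject requests (DSRs).
SCHEMA = """
CREATE TABLE users (user_id INTEGER PRIMARY KEY, email TEXT NOT NULL, country TEXT);
CREATE TABLE user_preferences (user_id INTEGER NOT NULL REFERENCES users(user_id), preferences TEXT);
CREATE TABLE user_activity_logs (user_id INTEGER NOT NULL REFERENCES users(user_id), activity TEXT, at TEXT);
CREATE TABLE orders (order_id INTEGER PRIMARY KEY, user_id INTEGER, shipping_name TEXT, total_cents INTEGER);
CREATE TABLE dsr_audit (subject_token TEXT, request TEXT, at TEXT DEFAULT CURRENT_TIMESTAMP);
"""
AUDIT_KEY = b"constructed-demo-key"  # hypothetical; load from a secrets store in a real deployment
AUDIT_SQL = "INSERT INTO dsr_audit (subject_token, request) VALUES (?, ?)"

def subject_token(user_id: int) -> str:
    # Keyed hash of the user id: the audit trail proves a request was handled without holding a direct identifier.
    return hmac.new(AUDIT_KEY, str(user_id).encode(), hashlib.sha256).hexdigest()[:16]

def export_user(conn: sqlite3.Connection, user_id: int):
    # Data portability: one machine-readable document covering every table that holds the subject.
    row = conn.execute("SELECT user_id, email, country FROM users WHERE user_id = ?", (user_id,)).fetchone()
    if row is None:
        return None
    prefs = [p for (p,) in conn.execute("SELECT preferences FROM user_preferences WHERE user_id = ?", (user_id,))]
    acts = [{"activity": a, "at": t} for a, t in
            conn.execute("SELECT activity, at FROM user_activity_logs WHERE user_id = ?", (user_id,))]
    with conn:  # reading personal data is itself an access worth logging
        conn.execute(AUDIT_SQL, (subject_token(user_id), "export"))
    return {"user": dict(zip(("user_id", "email", "country"), row)), "preferences": prefs, "activity": acts}

def erase_user(conn: sqlite3.Connection, user_id: int) -> bool:
    # Right to be forgotten in ONE transaction: child rows first (foreign keys), rows under a legal
    # retention duty anonymized instead of deleted, then the user row, then the tokenized audit entry.
    with conn:
        conn.execute("DELETE FROM user_activity_logs WHERE user_id = ?", (user_id,))
        conn.execute("DELETE FROM user_preferences WHERE user_id = ?", (user_id,))
        conn.execute("UPDATE orders SET user_id = NULL, shipping_name = '[erased]' WHERE user_id = ?", (user_id,))
        deleted = conn.execute("DELETE FROM users WHERE user_id = ?", (user_id,)).rowcount
        conn.execute(AUDIT_SQL, (subject_token(user_id), "erase"))
    return deleted == 1

def demo_db() -> sqlite3.Connection:
    # In-memory database seeded with constructed sample rows for one data subject.
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite ignores REFERENCES unless this is on
    conn.executescript(SCHEMA + """
    INSERT INTO users VALUES (7, 'ada@example.org', 'DE'); INSERT INTO orders VALUES (100, 7, 'Ada Example', 4999);
    INSERT INTO user_preferences VALUES (7, '{"newsletter": true}');
    INSERT INTO user_activity_logs VALUES (7, 'login', '2024-01-02T09:00:00Z');""")
    return conn
```

With foreign keys enforced, swapping the DELETE order so `users` goes first makes the transaction fail and roll back, which is the defect the child-first ordering guards against.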
Learn More
Best Practices
- Identify and label personal data fields, applying encryption or masking where appropriate.
- Create automated or manual workflows to handle data subject requests (access, deletion).
- Log all data access to demonstrate accountability and compliance if audited.
- Regularly review data retention policies to remove unnecessary personal data.
Common Pitfalls
- Failing to quickly remove or mask personal data in logs or backups when a user withdraws consent.
- Using broad data collection without explicit scope or consent.
- Ignoring cross-border considerations, especially if data moves outside the EU.
- Underestimating the need for continuous monitoring and documentation to maintain compliance.
Advanced Tips
- Automate compliance tasks (e.g., data scans, encryption checks) with Data Loss Prevention (DLP) tools.
- Use role-based or attribute-based access controls so only authorized staff see personal data.
- Integrate a privacy-by-design approach early in the development lifecycle.
- Consider hashing or tokenizing user IDs to reduce direct exposure of real identities in analytics.