Definition · Plain-language
GDPR (General Data Protection Regulation)
The GDPR is the European Union's comprehensive data-protection law (the General Data Protection Regulation), governing how personal data is processed and the rights of the people it concerns.
What the GDPR is
The GDPR is Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. Adopted in April 2016, it became directly applicable across all EU member states on 25 May 2018, replacing the 1995 Data Protection Directive (Directive 95/46/EC). As a regulation rather than a directive, it applies uniformly without separate national transposition, although member states retain some scope to add detail in specific areas such as scientific research.
Scope and the core principles
The GDPR applies to the processing of personal data, meaning any information relating to an identified or identifiable natural person. It is built on the principles set out in Article 5: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability. Every processing operation must rest on one of the lawful bases in Article 6, and individuals hold rights over their data, including access, rectification and erasure. The regulation also imposes duties on controllers and processors around security of processing (Article 32), records of processing activities (Article 30), notification of personal-data breaches to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of them (Article 33), and, for processing likely to result in a high risk to individuals, data protection impact assessments (Article 35).
Extraterritorial reach
A defining feature of the GDPR is its extraterritorial reach. It applies not only to organisations established in the EU, but also to those outside it that offer goods or services to people in the EU or EEA, or that monitor their behaviour. This means a research group or company based elsewhere can fall within scope when handling European participants’ data. The UK retained an equivalent regime, the UK GDPR, after leaving the EU, so the framework remains central to cross-border research-data governance.
Key facts
At a glance
- Definition: the EU General Data Protection Regulation governing personal-data processing
- Reference: Regulation (EU) 2016/679
- Applicable from: 25 May 2018 (adopted April 2016)
- Scope: personal data of individuals in the EU/EEA
- Principles: Article 5 — lawfulness, minimisation, accuracy, accountability and more
- Reach: extraterritorial — applies to organisations outside the EU that offer goods or services to, or monitor the behaviour of, people in the EU/EEA
Common misconceptions
What people often get wrong
Often heard: The GDPR only applies to organisations based inside the European Union.
Actually: The GDPR also applies to organisations outside the EU that offer goods or services to, or monitor the behaviour of, people in the EU or EEA. Its reach is deliberately extraterritorial, so non-European bodies can fall within scope.
Often heard: The GDPR came into force in 2016 when it was adopted.
Actually: The GDPR was adopted in April 2016 but became applicable on 25 May 2018, after a two-year transition period. Organisations were expected to be compliant by that 2018 date, not on adoption.
Often heard: The GDPR is a directive that each country implements differently.
Actually: The GDPR is a regulation, so it applies directly and largely uniformly across EU member states without separate national transposition, though states may add detail in limited areas such as scientific research.