Lesson 302 of 2116
GDPR Basics: The Regulation That Changed Data
Europe's General Data Protection Regulation (2018) reshaped how the world handles personal data. Understanding its core concepts is now essential. In 2023, Italy briefly banned ChatGPT over GDPR concerns.
Lesson map
What this lesson covers
Learning path
The main moves in order
- 1The World's De Facto Privacy Law
- 2GDPR
- 3personal data
- 4data rights
Concept cluster
Terms to connect while reading
Section 1
The World's De Facto Privacy Law
GDPR took effect May 25, 2018, regulating personal data of EU residents regardless of where a company is based. Because few large companies can afford to carve out Europe, GDPR effectively became a global standard. California's CCPA, Brazil's LGPD, and India's DPDP Act are all heavily GDPR-inspired.
The six core principles
- 1Lawfulness, fairness, transparency — you need a lawful basis to process data
- 2Purpose limitation — collect for a specific purpose, do not quietly repurpose
- 3Data minimization — only what you need
- 4Accuracy — keep data correct and up to date
- 5Storage limitation — delete data when no longer needed
- 6Integrity and confidentiality — secure the data
What counts as personal data?
Individual rights
- Right to access — see what data is held about you
- Right to rectification — correct wrong data
- Right to erasure (right to be forgotten) — delete your data
- Right to data portability — get your data in a portable format
- Right to object to processing (including automated decision-making)
- Right to withdraw consent
GDPR and AI training
A person can theoretically request deletion of their data from a trained model. Models, however, do not store individual training examples cleanly, making true deletion hard. In 2023, Italy briefly banned ChatGPT over GDPR concerns. OpenAI responded with data controls and opt-outs. This remains a live legal tension.
Practical compliance steps
- 1Maintain a record of processing activities (Article 30)
- 2Establish a lawful basis before collecting data
- 3Write clear privacy notices
- 4Implement processes for data-subject rights requests
- 5Conduct a Data Protection Impact Assessment (DPIA) for high-risk use
- 6Report breaches within 72 hours
Key terms in this lesson
The big idea: GDPR made privacy a user right rather than a corporate favor. AI builders must design with these rights from the start, not bolt them on later.
End-of-lesson quiz
Check what stuck
15 questions · Score saves to your progress.
Tutor
Curious about “GDPR Basics: The Regulation That Changed Data”?
Ask anything about this lesson. I’ll answer using just what you’re reading — short, friendly, grounded.
Progress saved locally in this browser. Sign in to sync across devices.
Related lessons
Keep going
Creators · 30 min
Debate Prep: Researching Both Sides Fast
Debate rewards knowing the other side's best argument better than they do. AI is built for exactly this kind of fast, balanced research.
Creators · 35 min
Running a Literature Review With AI
AI turns weeks of literature review into days — if you know how to use it. Here is a workflow that actually works.
Creators · 30 min
Citing AI-Assisted Work Honestly
The norms for disclosing AI use in research are still being written. Here is the emerging consensus and how to stay on the right side of it.