What is GDPR?

Europe's data-protection law in plain English — and why a networking site cares about it.

TL;DR
GDPR is the EU's data-protection law, in force since 25 May 2018. It governs how anyone — anywhere — handles the personal data of people in the EU, gives those people real rights over their data, and backs it with fines up to 4% of global turnover. For networking, two things matter: your IP address can count as personal data, and GDPR is why WHOIS records went quiet.

What GDPR is

Think of GDPR like a bill of rights for your personal data. Before it, companies largely set their own rules about what they collected and did with information about you. GDPR flipped the default: your data is yours, organizations are merely borrowing it, and they have to justify and account for every use.

Formally, it's the General Data Protection Regulation — Regulation (EU) 2016/679 — adopted in 2016 and enforced from 25 May 2018. It replaced a patchwork of older national laws with one strong, consistent standard across the EU and EEA.

Who it actually applies to

This is the part that surprises people: GDPR is not just an EU-company law. It follows the person, not the business. If you process the personal data of people who are in the EU — by offering them goods or services, or by monitoring their behaviour — GDPR can apply to you no matter where in the world your company sits.

That extraterritorial reach is why a small shop in another country still ends up with a cookie banner and a privacy policy written for Brussels. The internet doesn't stop at borders, so neither does the rule.

The principles and your rights

GDPR rests on a handful of principles — data should be handled lawfully and transparently, collected for a specific purpose, kept to the minimum needed, accurate, not hoarded forever, and kept secure. And every use needs a lawful basis: consent, a contract, a legal obligation, vital interests, a public task, or "legitimate interests."

For you as a person, the practical payoff is a set of rights you can exercise:

  • Access — ask what data an organization holds about you.
  • Rectification — have wrong data corrected.
  • Erasure — the "right to be forgotten," within limits.
  • Portability — get your data in a form you can take elsewhere.
  • Object — to certain processing, including direct marketing.

Is an IP address personal data?

Here's where it gets relevant to a network-diagnostics site. People assume an IP address is "just a number" — but under GDPR, it can absolutely be personal data.

The key ruling is the European Court of Justice's Breyer case (C-582/14, 2016). The court found that even a dynamic IP address — one that changes — is personal data in the hands of someone who has a realistic legal route to combine it with other information to identify the person (for example, by asking the ISP). It's a context-dependent test, not a blanket "every IP is always personal data" rule — but the safe, modern reading is clear: treat IP addresses as personal data unless you have a good reason not to.
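What "treat IP addresses as personal data" looks like in practice is mostly a question of what you keep in your logs. The example below is added here as an illustration and is not code from this site or from any project it describes. It applies the data-minimization principle to IP addresses in access-log lines in two ways: truncating the address to its network part (IPv4 /24, IPv6 /48), or replacing it with a keyed pseudonym (HMAC-SHA256) so that events from the same address can still be correlated during a retention window while the key exists, and cannot be reversed once the key is discarded. The log format, the prefix lengths, the key and the sample lines are all constructed for the example.

```python
"""Data-minimization helpers for IP addresses in logs (added example).

Under GDPR an IP address can be personal data, so a pipeline that keeps raw
addresses forever is hoarding identifiers. Two common ways to reduce that:

  * truncation: zero the host part (IPv4 /24, IPv6 /48). The address still
    says "roughly which network", but no longer singles out one host.
  * keyed pseudonymization: replace the address with an HMAC under a secret
    key that is rotated and destroyed on a schedule. Within the window you
    can still count "how many requests came from the same address"; after
    the key is gone, nobody can map the pseudonym back to the address.

Prefix lengths, the key and the log format below are assumptions for the
example, not values taken from the page.
"""
import hashlib
import hmac
import ipaddress

# Assumed: a per-retention-window secret. In production it comes from a
# secrets store and is destroyed when the window closes.
DEMO_KEY = b"rotate-me-every-30-days"

IPV4_PREFIX = 24  # keep the /24 network, drop the host octet
IPV6_PREFIX = 48  # keep the routing prefix, drop the subnet and interface ID


def truncate_ip(addr: str) -> str:
    """Return the network address of the prefix that contains `addr`."""
    ip = ipaddress.ip_address(addr)
    prefix = IPV4_PREFIX if ip.version == 4 else IPV6_PREFIX
    net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return str(net.network_address)


def pseudonymize_ip(addr: str, key: bytes = DEMO_KEY) -> str:
    """Replace `addr` with a short keyed pseudonym.

    The HMAC is computed over the packed binary form, so textual variants of
    the same address ("2001:DB8::1" vs "2001:db8::1") map to one pseudonym.
    """
    ip = ipaddress.ip_address(addr)
    digest = hmac.new(key, ip.packed, hashlib.sha256).hexdigest()
    return f"ip-{digest[:16]}"


def minimize_log_line(line: str, mode: str = "truncate",
                      key: bytes = DEMO_KEY) -> str:
    """Rewrite every whitespace-separated token that parses as an IP address.

    Tokens that are not IP literals (timestamps, status codes, paths) are
    left untouched, so the rest of the line stays usable for diagnostics.
    """
    if mode not in ("truncate", "pseudonymize"):
        raise ValueError(f"unknown mode: {mode}")
    out = []
    for tok in line.split(" "):
        try:
            ipaddress.ip_address(tok)
        except ValueError:
            out.append(tok)
            continue
        out.append(truncate_ip(tok) if mode == "truncate"
                   else pseudonymize_ip(tok, key))
    return " ".join(out)


# Constructed sample access-log lines (Common Log Format style).
SAMPLE_LOG = [
    '192.0.2.44 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 512',
    '2001:db8:abcd:1234::1 - - [10/Oct/2023:13:55:37 +0000] '
    '"GET /whois HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print("raw:        ", line)
        print("truncated:  ", minimize_log_line(line))
        print("pseudonym:  ", minimize_log_line(line, mode="pseudonymize"))
```

Truncation is the simpler choice when you only need coarse geography or network-level trends; keyed pseudonymization is the one to reach for when abuse detection needs to tell repeat visitors apart within the window. Either way the raw address never reaches long-term storage, which is the point the Breyer test makes relevant.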

Why this matters for you
It's also a useful reality check on privacy. Your IP reveals less than movies suggest, but it isn't "anonymous" either — it's an identifier the law takes seriously. We dig into what your IP actually exposes in IP address privacy.

Why GDPR redacted WHOIS

For decades, a WHOIS lookup on any domain returned the registrant's name, email, phone, and postal address — published openly to anyone, spammers included. GDPR made that default untenable: publishing personal contact details to the world, with no lawful basis, is exactly what the regulation forbids.

So in 2018, ICANN issued a "Temporary Specification" that pushed most personal fields behind "Redacted for Privacy." The data is still collected — it's just no longer broadcast publicly. That same pressure helped drive the move to RDAP, whose tiered access can show public facts to everyone while reserving personal details for authorized requesters. GDPR didn't just touch privacy policy pages; it reshaped the plumbing of the domain system.

The fines that give it teeth

GDPR has bite because the penalties are tied to global revenue, not a flat fee. There are two tiers:

  • Lower: up to €10 million or 2% of worldwide annual turnover — whichever is higher.
  • Upper: up to €20 million or 4% of worldwide annual turnover — whichever is higher.

Those "whichever is higher" clauses are the point: for a global company, the percentage dwarfs the flat cap. The record so far is a €1.2 billion fine against Meta in 2023 over unlawful EU-to-US data transfers — a number that explains why even the largest firms rebuilt their data practices around this law.

GDPR's relatives

GDPR didn't stay contained. After Brexit, the UK kept a near-identical version as "UK GDPR." And it inspired a wave of laws elsewhere — most notably California's CCPA/CPRA, the most-cited US analog. A fair caution, though: CCPA is not a GDPR clone. It leans on an opt-out, consumer-rights model rather than GDPR's "you need a lawful basis for everything" approach. Same spirit, different machinery.

The throughline: GDPR reframed personal data as something you have rights over and organizations must account for — and because the internet ignores borders, its reach (and its definition of "personal," right down to your IP address) quietly shapes services far beyond Europe. None of this is legal advice — but knowing the shape of the rules makes the privacy choices you do control a lot clearer.

Related reading: IP address privacy · What is WHOIS? · What is RDAP? · VPN vs Proxy vs Tor

References: Full text of the GDPR (gdpr-info.eu) · CJEU — Breyer, C-582/14 (IP addresses) · GDPR fines & penalties