GDPR is the **General Data Protection Regulation** (Regulation (EU) 2016/679), an EU-wide data protection law that sets rules for how organisations collect, use, store, and share personal data. It was adopted in April 2016 and has applied since 25 May 2018. It is designed to strengthen individual rights in the digital age while also harmonising rules so organisations do not face a different privacy regime in every EU country - eur-lex.europa.eu - commission.europa.eu
GDPR is built around a small set of “principles” (Article 5) that act like a constitution for data handling: lawfulness, fairness and transparency; purpose limitation; Data Minimisation; accuracy; storage limitation; security (the “integrity and confidentiality” principle); and accountability.
In practice this means you should be able to explain why you have someone’s data, what you use it for, how long you keep it, and what safeguards you apply. The security principle is backed by a separate duty (Article 32) to apply “appropriate technical and organisational measures”, so an access-control or encryption decision is a compliance decision as well as an engineering one - legislation.gov.uk - ico.org.uk
It also defines “lawful bases” for processing data (Article 6): consent, contract necessity, legal obligation, vital interests, public task, and legitimate interests. This pushes organisations to stop treating “we felt like it” as a reason. The point is not that consent is always required, but that the processing must be justifiable under one of the recognised bases, and you should be able to say which one applies before the processing starts - gdpr-info.eu - edpb.europa.eu
For individuals, GDPR is best understood as a bundle of enforceable rights: to be informed, to access data, to correct it, to erase it in certain cases, to restrict or object to processing, and to data portability. It also creates duties around transparency notices and, in many contexts, stronger expectations for handling “special category” sensitive data (Article 9), such as health, biometric, or political-opinion data, which is off limits unless a further, narrower condition is met - commission.europa.eu
GDPR has real enforcement teeth. Regulators can impose significant administrative fines for serious infringements, up to €20 million or 4% of global annual turnover (whichever is higher), with a lower tier of €10 million or 2% for other breaches, depending on the type and severity of the violation. Organisations must also report qualifying personal data breaches to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of them, which is what turns a security incident into a regulatory clock. The fine ceilings matter less than the shift in culture: data protection becomes a board-level risk rather than a minor IT footnote - gdpr-info.eu
In the UK, GDPR was retained after Brexit as “UK GDPR” and sits alongside the Data Protection Act 2018, with broadly similar principles, rights, and obligations, and the ICO as the key regulator. For many organisations the practical experience is “GDPR, but with UK-specific details,” especially around international data transfers and certain exemptions - gov.uk - ico.org.uk
From a deliberative-democracy lens, GDPR is interesting because it quietly encodes the same instinct as Participatory Privacy: collect less, justify what you do, protect people from unnecessary exposure, and treat personal data as something that can create real harm if it leaks or is misused. If you want diverse participation in a polis without turning identity into a confession booth, GDPR’s minimisation and purpose-limitation framing is a useful baseline discipline, even before you add tools like Verifiable Credential and Selective Disclosure.
# See
- GDPR Principles and GDPR Rights
- Criticisms of the GDPR