8 Fascinating Facts About GDPR You Probably Didn’t Know

The General Data Protection Regulation (GDPR), enacted by the European Union in 2018, is widely regarded as the most comprehensive and influential data protection law in the world. For Contract Research Organizations (CROs) like Gurus, GDPR is more than just a legal requirement. It serves as a cornerstone for trust, data quality, and collaboration in clinical research.

While exploring the topic, we came across eight lesser-known GDPR facts that we found particularly interesting — insights that showcase the regulation’s complexity, ambition, and sometimes surprising nuances.

1. A 90-Year-Old’s Hometown Could Be Enough to Identify Them

Under GDPR, personal data is any information that can directly or indirectly identify a person. Many people don’t realize how little information it takes to do that. For example, if someone is over 90 years old and you know their hometown, that may already be sufficient to identify them — especially in rural areas or small towns. This means even non-obvious data combinations can fall under GDPR’s scope. The European Data Protection Board (EDPB) has issued guidance emphasizing that rare combinations of demographics can uniquely identify individuals.

2. Even Dynamic IP Addresses Count as Personal Data

An IP address may seem harmless, especially when it changes regularly (i.e., dynamic). However, GDPR considers even dynamic IP addresses as personal data if they can be used to identify a user with reasonable effort. In a landmark 2016 case (Breyer v. Germany), the Court of Justice of the European Union ruled that IP addresses, even if not immediately linked to a specific person, become personal data when additional information is available to identify the user.

3. GDPR Doesn’t Apply to the Dead — But Some Countries Still Protect Them

Technically, GDPR protects only the personal data of living individuals. However, certain EU countries have gone a step further. For instance, France allows people to issue instructions on how their data should be handled after death. Italy also provides similar rights. These extensions reflect how modern data laws are beginning to consider digital legacies and the sensitive handling of deceased individuals’ online presence.

4. Consent Must Be as Easy to Withdraw as It Is to Give

GDPR mandates that withdrawing consent should be as easy as giving it. If a website allows users to accept cookies with a single click, it must offer an equally simple method to opt out or withdraw that consent later. This principle is often overlooked by companies that bury opt-out options in multiple menus or complex forms. Yet doing so violates GDPR’s requirement for fairness, transparency, and user control.

5. Meta Was Hit with the Largest GDPR Fine — €1.2 Billion

In 2023, the Irish Data Protection Commission issued the biggest GDPR fine to date: €1.2 billion against Meta Platforms Ireland (Facebook’s parent company). The reason? Unlawful transfers of EU citizens' data to the United States, raising concerns over surveillance and lack of adequate protections. This fine underscored how GDPR isn't just a theoretical framework — it has real, financial teeth when global tech giants fail to comply.

6. GDPR Has Led to Over 1,700 Fines — and Counting

Since GDPR’s enforcement began in 2018, regulators across the EU have issued over 1,700 fines, totaling more than €4 billion in penalties. While large tech companies get the headlines, many fines are actually issued to small and medium-sized businesses for everyday violations like failing to appoint a Data Protection Officer or mishandling user requests. This demonstrates that GDPR applies to everyone — not just the tech giants.

7. The Right to Be Forgotten Is Not Unlimited

GDPR introduced the now-famous “right to be forgotten,” allowing individuals to request the deletion of their personal data. However, this right is not absolute. Companies may legally reject deletion requests if the data is required for legal reasons, public interest, journalism, or scientific research. For example, a newspaper is not obligated to delete an article simply because a person no longer wants their name associated with it. GDPR tries to strike a balance between privacy and the right to information.

8. GDPR Has Influenced Over 150 Countries Worldwide

Perhaps one of GDPR’s most impressive achievements is its global influence. Since its enactment, over 150 countries have either passed or drafted similar laws — from Brazil’s LGPD to India’s new Digital Personal Data Protection Act. Even countries outside the EU look to GDPR as a blueprint for building their own data protection frameworks. This ripple effect has made GDPR not just a European law, but a global benchmark for digital rights.

GDPR is more than just a legal requirement; it’s a comprehensive rethinking of how we define and protect personal data in the digital age. From elderly hometowns being potential identifiers to billion-euro fines for data misuse, GDPR reshapes everything from website design to international law. For Contract Research Organizations, which handle sensitive patient and clinical trial data daily, its principles are especially critical — ensuring not only legal compliance but also the trust of sponsors, regulators, and investigators. These fascinating facts reveal the breadth and depth of the regulation — and why it continues to influence privacy standards around the world.


Credits to:

https://edpb.europa.eu/system/files/2021-01/edpb_guidelines_202012_anonymisation_en.pdf

https://curia.europa.eu/juris/document/document.jsf?text=&docid=184668

https://www.cnil.fr/en/right-deceased-persons-data

https://gdpr-info.eu/art-7-gdpr/

https://www.dataprotection.ie/en/news-media/press-releases/data-protection-commission-announces-decision-meta-ireland

https://www.enforcementtracker.com/

https://gdpr-info.eu/art-17-gdpr/

https://unctad.org/page/data-protection-and-privacy-legislation-worldwide

Vahe M.

✅ Father | Founder @ Gurus CRO | Supporting Pharma & Biotech with People at the Core

1mo

👍

Lyuda Baghdasaryan

Business Development / Healthcare Innovation / Public & Digital Health

1mo

Love this!
