Lesson 1: WTF is GDPR?
Welcome to the course! GDPR — the General Data Protection Regulation — is an EU-wide law that governs how personal data is handled. It’s not just for big tech companies or data brokers. If you’re building in Web3 — whether that’s a dApp, a smart contract, a frontend, or a node in a permissionless network — the GDPR might apply to you.
The regulation is designed to protect the personal data of individuals in the European Union, no matter where in the world the data is being processed. That means that even if you’re in Argentina, the U.S., or fully pseudonymous online, GDPR applies if you’re processing personal data from EU users.
It’s built around core principles like lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, and accountability. These aren’t just theoretical — they’re obligations. Ignoring them can lead to massive fines and market access issues.
Throughout this course, we’ll explore how GDPR maps onto decentralised tech. We’ll cover what “personal data” really means (spoiler: your stack is probably full of it), who’s responsible in a decentralised system, and how to make privacy-preserving tech compliant. We’ll also look at the most recent guidance from European regulators and how builders can get involved in shaping the future.
Bonus: Watch “Delete the Chain?” EUCI Live Event Recording (EUCI x James Smith from the Ethereum Foundation) - https://youtu.be/zP0lG2u5Hr0
Reading: EUCI GDPR Booklet – Introduction & Core Principles