GDPR
General Data Protection Regulation — EU Regulation (EU) 2016/679
Standard Introduction
The General Data Protection Regulation (GDPR) is the European Union's comprehensive data privacy law that came into effect on May 25, 2018. It governs how organizations collect, use, store, share, and protect personal data of individuals within the EU and European Economic Area (EEA). Despite being an EU regulation, GDPR has extraterritorial reach—any organization worldwide that processes EU residents' personal data must comply. The regulation fundamentally shifted the global approach to data privacy, granting individuals unprecedented control over their personal information and imposing strict accountability requirements on data controllers and processors.
GDPR is built on seven core principles: lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability. Organizations must have a lawful basis for processing (such as consent, contract, legal obligation, or legitimate interest), implement appropriate technical and organizational measures to ensure data security, conduct Data Protection Impact Assessments (DPIAs) for high-risk processing, appoint a Data Protection Officer when required, and report data breaches to supervisory authorities within 72 hours. Non-compliance can result in fines up to €20 million or 4% of global annual turnover, whichever is higher. The regulation also grants individuals rights including access, rectification, erasure (right to be forgotten), data portability, and objection to processing.
Scope
Applicable to organizations of all sizes and industries, covering the protection of confidentiality, integrity, and availability.
Structure
Follows the High Level Structure (HLS), ensuring seamless integration with other ISO management standards like ISO 9001.
Certification
Organizations can achieve accredited certification after successfully completing an external audit of their ISMS.
Core Requirements (Clauses 4-10)
- Context of the organization
- Leadership & Commitment
- Planning & Risk Assessment
- Support & Awareness
- Operation
- Performance evaluation
- Continual Improvement