GDPR
General Data Protection Regulation — EU Regulation (EU) 2016/679
Standard Introduction
The General Data Protection Regulation (GDPR) is the European Union's comprehensive data privacy law that came into effect on May 25, 2018. It governs how organizations collect, use, store, share, and protect personal data of individuals within the EU and European Economic Area (EEA). Despite being an EU regulation, GDPR has extraterritorial reach—any organization worldwide that processes EU residents' personal data must comply. The regulation fundamentally shifted the global approach to data privacy, granting individuals unprecedented control over their personal information and imposing strict accountability requirements on data controllers and processors.
GDPR is built on seven core principles: lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability. Organizations must have a lawful basis for processing (such as consent, contract, legal obligation, or legitimate interest), implement appropriate technical and organizational measures to ensure data security, conduct Data Protection Impact Assessments (DPIAs) for high-risk processing, appoint a Data Protection Officer when required, and report data breaches to supervisory authorities within 72 hours. Non-compliance can result in fines up to €20 million or 4% of global annual turnover, whichever is higher. The regulation also grants individuals rights including access, rectification, erasure (right to be forgotten), data portability, and objection to processing.
Extraterritorial Reach
Applies to any organization worldwide that processes personal data of EU/EEA residents, regardless of where the company is based.
Data Subject Rights
Grants individuals rights to access, rectify, erase, port, and restrict processing of their personal data.
Enforcement & Fines
Supervisory authorities can impose fines up to 4% of global annual turnover or EUR 20 million, whichever is higher.
Core Principles
- Lawfulness, fairness, and transparency
- Purpose limitation
- Data minimization
- Accuracy
- Storage limitation
- Integrity and confidentiality
- Accountability
Who Needs to Comply?
Any organization worldwide that collects, processes, or stores personal data of EU/EEA residents — including companies with no physical presence in Europe.
Key Requirements
Lawful Basis for Processing
Organizations must establish a valid legal basis (consent, contract, legal obligation, vital interests, public task, or legitimate interests) before processing any personal data.
Data Protection Impact Assessments
Required for high-risk processing activities. Organizations must assess risks to individuals and implement measures to mitigate them before processing begins.
Breach Notification
Data breaches must be reported to the supervisory authority within 72 hours. Affected individuals must also be notified if the breach poses a high risk.
Data Protection Officer (DPO)
Mandatory for public authorities and organizations conducting large-scale systematic monitoring or processing special category data.
International Data Transfers
Transfers outside the EEA require adequate safeguards such as Standard Contractual Clauses (SCCs), Binding Corporate Rules, or adequacy decisions.
Penalties & Enforcement
Fines up to EUR 20 million or 4% of global annual turnover (whichever is higher). Supervisory authorities can also order processing bans and data erasure.