100% Free Forever
AI-Powered Learning
Industry Expert Content
Certificates & Badges
Learn At Your Own Pace
Cybersecurity

GDPR

BeginnerConcept4.5K learners

The General Data Protection Regulation (GDPR) is a European Union law that governs how organizations collect, process, store, and protect the personal data of individuals in the EU, granting those individuals specific rights over their own…

Definition

The General Data Protection Regulation (GDPR) is a European Union law that governs how organizations collect, process, store, and protect the personal data of individuals in the EU, granting those individuals specific rights over their own data.

Overview

GDPR took effect in May 2018 and applies to any organization that processes personal data of people located in the EU, regardless of where the organization itself is based, which gives it broad global reach. It defines personal data expansively — names, email addresses, IP addresses, and even online identifiers can qualify — and requires organizations to have a lawful basis for processing it, such as consent, contractual necessity, or legitimate interest. The regulation grants individuals rights including access to their data, correction, erasure ("the right to be forgotten"), data portability, and the ability to object to certain processing, such as targeted advertising. Organizations must implement appropriate technical and organizational measures — including encryption at rest and encryption in transit — report qualifying data breaches to regulators within 72 hours, and, in many cases, appoint a Data Protection Officer. Non-compliance carries some of the steepest penalties in data protection law, up to 4% of global annual revenue or €20 million, whichever is higher. GDPR compliance considerations — consent management, data minimization, breach response — are covered alongside other regulatory frameworks in Governance, Compliance & Career Readiness.

Key Concepts

  • EU regulation governing personal data collection, processing, and storage
  • Applies globally to any organization processing EU residents' data
  • Broad definition of personal data, including online identifiers
  • Grants individual rights: access, correction, erasure, portability, objection
  • Requires reporting qualifying breaches to regulators within 72 hours
  • Penalties up to 4% of global annual revenue or €20 million

Use Cases

Global companies building consent management flows for EU users
Data breach response teams meeting the 72-hour regulatory notification window
Privacy-by-design architecture decisions during product development
Handling data subject access and erasure requests
Vendor contracts requiring data processing agreements (DPAs)

Frequently Asked Questions