GDPR
The General Data Protection Regulation (GDPR) is a European Union law that governs how organizations collect, process, store, and protect the personal data of individuals in the EU, granting those individuals specific rights over their own…
Definition
The General Data Protection Regulation (GDPR) is a European Union law that governs how organizations collect, process, store, and protect the personal data of individuals in the EU, granting those individuals specific rights over their own data.
Overview
GDPR took effect in May 2018 and applies to any organization that processes personal data of people located in the EU, regardless of where the organization itself is based, which gives it broad global reach. It defines personal data expansively — names, email addresses, IP addresses, and even online identifiers can qualify — and requires organizations to have a lawful basis for processing it, such as consent, contractual necessity, or legitimate interest. The regulation grants individuals rights including access to their data, correction, erasure ("the right to be forgotten"), data portability, and the ability to object to certain processing, such as targeted advertising. Organizations must implement appropriate technical and organizational measures — including encryption at rest and encryption in transit — report qualifying data breaches to regulators within 72 hours, and, in many cases, appoint a Data Protection Officer. Non-compliance carries some of the steepest penalties in data protection law, up to 4% of global annual revenue or €20 million, whichever is higher. GDPR compliance considerations — consent management, data minimization, breach response — are covered alongside other regulatory frameworks in Governance, Compliance & Career Readiness.
Key Concepts
- EU regulation governing personal data collection, processing, and storage
- Applies globally to any organization processing EU residents' data
- Broad definition of personal data, including online identifiers
- Grants individual rights: access, correction, erasure, portability, objection
- Requires reporting qualifying breaches to regulators within 72 hours
- Penalties up to 4% of global annual revenue or €20 million