GDPR (General Data Protection Regulation)

The GDPR (Regulation (EU) 2016/679) is an EU regulation on the protection of personal data and the privacy of natural persons (data subjects). It became enforceable on 25 May 2018 and applies to controllers and processors established in the EU/EEA, and also to organizations outside the EU/EEA when they offer goods or services to, or monitor the behaviour of, data subjects who are in the EU/EEA.

GDPR is built around a set of principles: lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability. It also grants a set of rights to data subjects (such as access, rectification, erasure, portability, objection, and rights concerning automated decision-making). Controllers and processors must implement appropriate technical and organizational measures proportionate to the risk (for example pseudonymization and encryption, access control, and data protection by design and by default), must notify the supervisory authority of personal data breaches without undue delay (where feasible within 72 hours), and must conduct Data Protection Impact Assessments (DPIAs) for processing likely to result in a high risk to individuals.

Non-compliance can lead to significant penalties. For the most serious infringements the fine can reach 4% of total worldwide annual turnover or €20 million, whichever is greater, in addition to reputational damage. The regulation also restricts transfers of personal data to third countries outside the EU/EEA, which require adequate safeguards (e.g. an adequacy decision or standard contractual clauses).

Key points:

  • Applies to processing of personal data of data subjects in the EU/EEA, including by organizations established elsewhere
  • Based on core principles: lawfulness, purpose limitation, data minimization, etc.
  • Data subject rights: access, rectification, erasure, portability, objection
  • Requires technical & organizational security measures, breach notification, DPIAs for high-risk processing
  • Controllers/processors must document compliance and may have to appoint a DPO
  • Strict rules on cross-border data transfer and heavy penalties
