What is GDPR?
Definition
The General Data Protection Regulation (GDPR) is a comprehensive data protection law enacted by the European Union that governs how personal data of EU residents is collected, processed, stored, and transferred. It became enforceable on May 25, 2018, and applies to any organization worldwide that processes EU resident data.
In Depth
GDPR represents a paradigm shift in data protection by establishing that individuals have fundamental rights over their personal data and by placing accountability obligations on data controllers and processors. The regulation introduces key principles including lawfulness, fairness, and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability. Organizations must establish a lawful basis for processing (such as consent, contract, or legitimate interest), implement appropriate technical and organizational measures, and be prepared to demonstrate compliance at any time. GDPR is enforced by Data Protection Authorities (DPAs) in each EU member state, with penalties reaching up to 4% of global annual turnover or 20 million euros, whichever is higher. The regulation has inspired similar legislation worldwide, including Brazil's LGPD, California's CCPA, and India's DPDPA.
Related Terms
Data Subject Access Request
A Data Subject Access Request (DSAR) is a formal request made by an individual to an organization asking what personal data is held about them, how it is processed, and to whom it has been disclosed. Under GDPR, organizations must respond within 30 days.
Privacy Impact Assessment
A Privacy Impact Assessment (PIA), known as a Data Protection Impact Assessment (DPIA) under GDPR, is a systematic process for evaluating how a proposed project or system will affect individual privacy. It identifies privacy risks and recommends mitigations.
Data Processing Agreement
A Data Processing Agreement (DPA) is a legally binding contract between a data controller and a data processor that specifies the terms for processing personal data. Under GDPR Article 28, a DPA is mandatory whenever a controller engages a processor.
Breach Notification
Breach notification is the legal requirement for organizations to inform regulatory authorities and affected individuals when a security incident results in unauthorized access to protected data. Notification timelines and requirements vary significantly by framework and jurisdiction.
Privacy Policy
A privacy policy is a public-facing legal document that describes how an organization collects, uses, shares, and protects personal information. It must be transparent, accurate, and compliant with applicable privacy laws in all jurisdictions where the organization operates.