General Data Protection Regulation (GDPR)
The European Union’s comprehensive data protection law, establishing strict rules for processing personal data and strong individual rights.
The General Data Protection Regulation (GDPR) is the EU’s primary data protection law, in effect since May 25, 2018. It applies to any organization that processes personal data of individuals in the European Economic Area, regardless of where the organization is located. The GDPR establishes principles for lawful processing (including lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, and accountability), defines six legal bases for processing, and grants extensive rights to data subjects.
The GDPR is enforced by independent Data Protection Authorities (DPAs) in each EU/EEA member state, coordinated by the European Data Protection Board (EDPB). Maximum penalties reach EUR 20 million or 4% of global annual turnover, whichever is higher. The regulation has had a profound global influence, inspiring similar laws in Brazil (LGPD), South Africa (POPIA), and many other jurisdictions. Key compliance requirements include maintaining records of processing, appointing a Data Protection Officer (DPO) when required, conducting Data Protection Impact Assessments (DPIAs) for high-risk processing, implementing data protection by design, and ensuring valid consent mechanisms.