What does GDPR mean?

EU Privacy Law European Data Protection Law

GDPR, or General Data Protection Regulation, is a legal framework established by the European Union that governs how organizations collect, store, use, and share personal data belonging to individuals located within the EU and European Economic Area. The regulation came into effect on May 25, 2018, replacing the outdated Data Protection Directive from 1995, and it remains one of the most comprehensive data privacy laws in the world.

The core purpose of the General Data Protection Regulation is to give individuals meaningful control over their own personal data. Under GDPR, a person has the right to know what data an organization holds about them, why it is being processed, and how long it will be retained. They can request access to that data, ask for corrections, or in certain circumstances demand that it be deleted entirely - a provision commonly referred to as the right to erasure or the "right to be forgotten."

For organizations, GDPR introduces a set of binding obligations that apply regardless of where the organization is based. A company headquartered in the United States, Canada, or Australia is still required to comply with GDPR if it processes personal data belonging to EU residents. This extraterritorial scope is one of the defining characteristics of the regulation and explains why it has influenced data privacy legislation far beyond Europe's borders.

GDPR requires that every data processing activity be grounded in a clearly defined legal basis. The most commonly cited basis is consent, meaning the individual has actively and freely agreed to have their data collected for a specific purpose. Other valid legal bases include contractual necessity, compliance with a legal obligation, and the legitimate interests of the data controller, provided those interests do not override the rights of the individual.

Organizations that fall under GDPR must also implement appropriate technical and organizational measures to protect personal data from unauthorized access, accidental loss, or destruction. In the event of a data breach that poses a risk to individuals, the relevant supervisory authority must be notified within 72 hours of the organization becoming aware of the incident.

Non-compliance carries substantial financial consequences. Depending on the nature of the violation, fines can reach up to 20 million euros or four percent of a company's total global annual turnover from the preceding financial year, whichever figure is higher.
