Overview
Direct Answer
The General Data Protection Regulation is EU legislation that establishes comprehensive rules for the collection, processing, and storage of personal data belonging to residents of EU member states and the EEA. It grants individuals enforceable rights over their data and imposes legal obligations on organisations that handle such information.
How It Works
The regulation operates through a framework of consent and other lawful bases for processing, requiring organisations to document their processing activities, conduct data protection impact assessments for high-risk processing, and implement privacy-by-design principles. It establishes roles including data controllers (who determine the purposes and means of processing) and processors (who handle data on behalf of controllers), bound by documented contracts that mandate specific safeguards, and it requires notification of personal data breaches to the supervisory authority within 72 hours of discovery.
Why It Matters
Non-compliance carries fines of up to €20 million or 4% of global annual turnover, whichever is higher, creating substantial financial and reputational risk. Organisations operating across borders or handling EU resident data must embed compliance into day-to-day operations, which affects data architecture, consent management, and vendor selection decisions.
Common Applications
Manufacturing firms collecting employee data, e-commerce platforms processing customer information, cloud service providers handling EU resident records, and financial institutions managing customer databases all fall under its scope. Healthcare organisations and marketing agencies managing personal data are particularly heavily regulated.
Key Considerations
The regulation applies extraterritorially to non-EU organisations processing EU resident data, creating compliance obligations regardless of organisational location. Balancing legitimate business interests with individual rights requires ongoing legal interpretation, as enforcement approaches vary across member state authorities.