GDPR (General Data Protection Regulation)
Definition
The European Union's comprehensive data protection law that took effect in May 2018, replacing the 1995 Data Protection Directive. GDPR establishes a unified privacy framework across the EU and EEA, applying to any organization processing personal data of EU residents, regardless of where the organization is located. The regulation sets strict requirements including lawful basis for all processing, comprehensive individual rights, mandatory data protection impact assessments for high-risk processing, breach notification obligations, significant penalties up to €20 million or 4% of global revenue, and accountability requirements. GDPR introduced concepts like privacy by design and default, expanded data subject rights, created the one-stop-shop mechanism for cross-border processing, and significantly increased enforcement. GDPR has become the global gold standard for privacy regulation, influencing laws worldwide. Its extraterritorial reach means many non-EU organizations must comply.
Applicable Laws & Regulations
- GDPR Regulation (EU) 2016/679 - Full regulatory text
- GDPR Article 3 - Territorial scope
- GDPR Article 83 - Administrative fines