Home/Glossary/GDPR

GDPR

The General Data Protection Regulation is the EU's comprehensive data privacy law that governs how organizations collect, process, and protect personal data.

Risk & ComplianceAlso called: "General Data Protection Regulation", "EU data privacy law"

GDPR sets the global standard for data privacy, requiring organizations worldwide to protect EU residents' personal data regardless of where processing occurs.

Why it matters

  • Non-compliance risks fines up to €20M or 4% of global annual revenue.
  • Applies to any organization processing EU residents' data, regardless of location.
  • Data breaches must be reported within 72 hours to authorities.
  • Customers can request data deletion, portability, and access to their information.
  • Privacy violations damage brand reputation and customer trust.

Key requirements

  • Lawful basis: Explicit consent or legitimate interest for data processing.
  • Data minimization: Collect only what's necessary for stated purposes.
  • Privacy by design: Build privacy protections into systems from the start.
  • Data protection officer: Required for large-scale processing operations.
  • Breach notification: 72-hour reporting requirement to supervisory authorities.
  • Subject rights: Access, rectification, erasure, portability, and objection.
  • International transfers: Adequate safeguards for data leaving the EU.

Implementation checklist

  • Conduct data mapping and inventory.
  • Update privacy policies and consent mechanisms.
  • Implement data subject rights procedures.
  • Establish breach notification workflows.
  • Document processing activities and legal basis.
  • Review vendor contracts for data processing agreements.

Related Tools

Related Articles

View all articles
Biometric Authentication: Understanding FAR, FRR, and CER for Security Professionals

Biometric Authentication: Understanding FAR, FRR, and CER for Security Professionals

Master the critical metrics behind biometric authentication systems including False Acceptance Rate (FAR), False Rejection Rate (FRR), and Crossover Error Rate (CER). Learn how to evaluate, tune, and deploy biometric systems across enterprise, consumer, and high-security environments.

Read article →
NIST 800-88 Media Sanitization Complete Guide: Clear, Purge, and Destroy Methods Explained

NIST 800-88 Media Sanitization Complete Guide: Clear, Purge, and Destroy Methods Explained

Master NIST SP 800-88 Rev. 1 media sanitization methods including Clear, Purge, and Destroy. Covers SSD vs HDD sanitization, crypto erase, degaussing, regulatory compliance, and building a media sanitization program.

Read article →
Threat Modeling with STRIDE and DREAD: A Complete Guide to Proactive Security Architecture

Threat Modeling with STRIDE and DREAD: A Complete Guide to Proactive Security Architecture

Master threat modeling with STRIDE and DREAD frameworks to identify, classify, and prioritize security threats before they become vulnerabilities. This comprehensive guide covers data flow diagrams, mitigation mappings, MITRE ATT&CK integration, and building an enterprise threat modeling program.

Read article →
Compliance Automation Tools Comparison: Vanta, Drata, Secureframe & More

Compliance Automation Tools Comparison: Vanta, Drata, Secureframe & More

Compare leading compliance automation platforms including Vanta, Drata, Secureframe, Sprinto, and Thoropass. Evaluate features, pricing, integrations, and framework support.

Read article →

Explore More Risk & Compliance

View all terms

Compliance Penalty

Financial fines and sanctions imposed for failing to meet regulatory data protection and security requirements.

Read more →

HIPAA

The Health Insurance Portability and Accountability Act establishes standards for protecting sensitive patient health information in the United States.

Read more →

SOC 2

Service Organization Control 2 is an auditing standard for service providers that store customer data, focusing on security, availability, processing integrity, confidentiality, and privacy.

Read more →
Back to glossary