GDPR
The General Data Protection Regulation (GDPR) is a comprehensive data protection law enacted by the European Union that governs how organizations collect, process, store, and transfer personal data of individuals within the EU and European Economic Area.
Effective since May 25, 2018, GDPR represents one of the most significant data protection regulations globally. It applies not only to organizations based in the EU but also to any organization worldwide that offers goods or services to, or monitors the behavior of, EU residents. This extraterritorial scope has made GDPR a de facto global standard for data privacy.
GDPR is built on seven key principles: lawfulness, fairness, and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability. Organizations must demonstrate compliance with these principles and maintain records of their processing activities.
The regulation grants individuals extensive rights over their personal data, including the rights of access, rectification, erasure (the "right to be forgotten"), restriction of processing, data portability, and objection to processing. Organizations must respond to data subject requests within one month and provide clear mechanisms for individuals to exercise these rights.
Non-compliance with GDPR can result in substantial penalties. The maximum fine for the most serious violations is 20 million euros or 4% of the organization's annual global turnover, whichever is higher. Organizations are also required to report certain types of data breaches to supervisory authorities within 72 hours and to affected individuals without undue delay when the breach poses a high risk to their rights and freedoms.