What Is GDPR?

The General Data Protection Regulation (GDPR) is an EU regulation that came into force on 25 May 2018. It is the world's most comprehensive data privacy law and applies to any organization that processes the personal data of EU residents — regardless of where the organization is based.

Key Rights GDPR Gives You

Right	What It Means
Right of access	Request a copy of all personal data an organization holds about you
Right to rectification	Have inaccurate data corrected
Right to erasure	"Right to be forgotten" — request deletion of your data
Right to portability	Receive your data in a machine-readable format to transfer elsewhere
Right to object	Object to your data being used for direct marketing or profiling
Right to restriction	Limit how your data is processed while a dispute is resolved

Key Obligations for Organizations

Must have a lawful basis to process personal data (consent, contract, legal obligation, etc.)
Must obtain explicit, informed consent — pre-ticked boxes are not valid
Must notify authorities within 72 hours of a data breach
Must appoint a Data Protection Officer (DPO) in certain circumstances
Must conduct privacy impact assessments for high-risk processing

GDPR Fines

Non-compliance can result in fines of up to €20 million or 4% of global annual turnover — whichever is higher. Notable fines include Meta (€1.2 billion in 2023), Amazon (€746 million in 2021), and Google (€50 million in 2019).

Does GDPR Apply Outside the EU?

Yes. GDPR applies to any organization anywhere in the world that offers goods or services to EU residents, or that monitors the behaviour of EU residents. A US company with EU customers must comply with GDPR.

Key Rights GDPR Gives You

Key Obligations for Organizations

GDPR Fines

Does GDPR Apply Outside the EU?

People Also Ask

Related Questions

What Is Personal Data?

What Is a Data Broker?

What Is an Internet Cookie?