General Data Protection Regulation
What is the General Data Protection Regulation?
The General Data Protection Regulation (GDPR) is the EU's privacy regime that took effect in May 2018. The principles-based regime requires that data controllers inform users about how their data will be collected and analyzed, and for what purpose; use data only for the purposes communicated; limit data to what is needed for that purpose; ensure data is current and accurate; store data only for as long as needed for the purpose; take security measures in data processing and storage; and demonstrate compliance with GDPR rules. Where data processing is based on consent, GDPR requires that consent be “freely given, specific, informed and unambiguous.” The GDPR also allows data subjects to access and request deletion of their information, among other rights. The regime applies to all EU companies, all companies engaged in the processing of EU personal data, and organizations dealing with EU companies (including foreign companies). Noncompliance with GDPR’s principles can carry sizable penalties – up to €20M or 4% of the company’s global annual turnover.