What is GDPR (General Data Protection Regulation)?

The General Data Protection Regulation is the European Union's comprehensive data protection law that sets strict rules for how organizations collect, store, and process personal data of EU residents, with fines up to 4% of annual global turnover.

The General Data Protection Regulation (GDPR) is a regulation enacted by the European Union in 2016 and enforced since May 25, 2018. It is widely considered the most influential data protection law globally, having inspired similar legislation in dozens of countries. The GDPR applies to any organization that processes personal data of individuals located in the EU, regardless of where the organization itself is based.

The GDPR establishes seven key principles for data processing: lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability. It grants data subjects a comprehensive set of rights including the right of access, right to rectification, right to erasure, right to data portability, right to object, and the right not to be subject to automated decision-making. Organizations must identify a lawful basis for each processing activity from six options: consent, contractual necessity, legal obligation, vital interests, public interest, or legitimate interest.

Enforcement is handled by Data Protection Authorities in each EU member state, with fines reaching up to 20 million euros or 4% of worldwide annual revenue, whichever is higher. The GDPR also requires organizations to appoint a Data Protection Officer in certain circumstances, conduct Data Protection Impact Assessments for high-risk processing, and notify authorities of data breaches within 72 hours. IQWorks provides end-to-end GDPR compliance support through ComplyIQ for managing compliance obligations and DiscoverIQ for mapping personal data across the enterprise.
