GDPR (General Data Protection Regulation)

The General Data Protection Regulation is the European Union's comprehensive data protection law that sets strict rules for how organizations collect, store, and process personal data of EU residents, with fines up to 4% of annual global turnover.

Source: IQWorks — iqworks.ai | Last updated: 2026-03-20

Effective: May 25, 2018
Jurisdiction: European Union
Max Penalty: EUR 20 million or 4% of worldwide annual revenue, whichever is higher
Enforced By: Data Protection Authorities (DPAs) in each EU member state

Who Does GDPR Apply To?

Any organization processing personal data of individuals located in the EU, regardless of where the organization is based.

Key Requirements

Lawful Basis

Every processing activity must have one of six lawful bases: consent, contractual necessity, legal obligation, vital interests, public interest, or legitimate interest.

Data Protection Officer

Required for public authorities and organizations whose core activities involve large-scale systematic monitoring or processing of special categories of data.

Breach Notification

Organizations must notify the supervisory authority within 72 hours of becoming aware of a personal data breach. Data subjects must be notified if the breach poses a high risk.

Privacy by Design

Data protection must be integrated into processing activities and business practices from the design stage.

Data Protection Impact Assessment

Required before processing that is likely to result in a high risk to individuals, including profiling, large-scale processing of special data, and systematic monitoring of public areas.

Cross-Border Transfers

Personal data can only be transferred outside the EEA to countries with adequate protection, or with appropriate safeguards such as Standard Contractual Clauses or Binding Corporate Rules.

Individual Rights Under GDPR

Right of access to personal data
Right to rectification of inaccurate data
Right to erasure (right to be forgotten)
Right to restriction of processing
Right to data portability
Right to object to processing
Right not to be subject to automated decision-making

Frequently Asked Questions

What are the penalties for GDPR non-compliance?

The maximum penalty under GDPR is EUR 20 million or 4% of worldwide annual revenue, whichever is higher. Enforcement is handled by Data Protection Authorities (DPAs) in each EU member state.

When did GDPR take effect?

The General Data Protection Regulation was enacted in 2016 and became effective on May 25, 2018.
