What is GDPR?

GDPR, which stands for General Data Protection Regulation, is a landmark regulation in the EU on data protection and privacy.

This regulation, which came into effect on May 25, 2018, sets rules for organizations on the collection, storage, use, and sharing of personal data (information about an identified or identifiable natural person, called the data subject) where the data relate to an individual within the European Economic Area (EEA). GDPR also applies to any company operating outside the EEA that processes an EU resident's personal data. In many ways, it is considered the most comprehensive privacy regulation in the world and has influenced similar laws around the globe.

GDPR was created to:

  • Give EU citizens greater control over their personal data.
  • Provide a consistent level of data privacy and data protection across all member states.
  • Improve trust and security in the digital economic framework.
  • Hold organizations accountable for the misuse or misrepresentation of personal data.

GDPR defines personal data as any information that can identify a person directly or indirectly. Examples of personal data include:

  • Names, addresses, telephone numbers
  • Email addresses, IP addresses
  • Location data (GPS)
  • Biometric data (e.g., fingerprints, facial recognition)
  • Health data
  • Data based on behavior and preferences (e.g., collected through cookies or tracking)

Any organization, even if it is located outside of the EU, must comply with GDPR rules when it is:

  • Offering goods or services to individuals in the EU.
  • Monitoring the behaviour of individuals in the EU (e.g., tracking or analytics).

This includes but is not limited to:

  • Businesses within the EU
  • Companies using advertisement efforts to target EU users
  • Cloud service providers
  • SaaS platforms
  • E-commerce businesses

GDPR provides individuals with certain rights related to their personal data:

  • Right of Access – To know what data is being held and how it is being used.
  • Right to Rectification – To request amendments (corrections) to data that is inaccurate.
  • Right to Erasure (The right to be forgotten) – To request deletion of your data.
  • Right to Restrict Processing – To temporarily pause use of your data.
  • Right to Data Portability – To transfer personal data from one service to another.
  • Right to Object – To object to processing – for example, marketing.
  • Rights in relation to Automated Decision Making – Individuals may contest automated decisions/profiling.

Organizations breaching GDPR face severe penalties, including fines of up to €20,000,000 or 4% of total annual global turnover, whichever is greater. For example:

  • British Airways – fined €22 million as a consequence of data breaches in 2018.
  • Marriott International – fined €20 million after mismanagement of user data in 2019.

To comply with GDPR, organizations must:

  • Get clear consent before use of data.
  • Have a plain and clear privacy policy.
  • Have a Data Protection Officer (DPO) if required.
  • Secure personal data (security controls, encryption, and/or pseudonymization).
  • Establish a lawful basis for processing (for example, consent of the data subject or compliance with a legal obligation).
  • Keep an internal record of processing activities.
  • Notify supervisory authorities of a data breach within 72 hours.
  • Conduct a Data Protection Impact Assessment (DPIA) for processing that creates a high risk to individuals.

Common technologies and practices used in support of GDPR compliance:

  • Privacy-enhancing technologies (PET)
  • Data masking, tokenization and encryption
  • Audit trail software to log data access and processing activity
  • Consent management platforms
  • Automated data discovery and classification
  • Role-based access control (RBAC) and/or multi-factor authentication (MFA) for access to data
  • Data retention policies and automated deletions