TLDR:

The General Data Protection Regulation (GDPR) is the European Union’s comprehensive privacy law, in force since May 2018, giving individuals strong rights over their personal data and imposing significant obligations on organizations.

Core GDPR Requirements

GDPR obligations include: legal basis for processing (consent, contract, legitimate interests, etc.), transparency through privacy notices, data minimization, purpose limitation, accuracy, storage limitation, security, accountability, breach notification within 72 hours, Data Protection Impact Assessments for high-risk processing, and Data Protection Officers in certain cases. Individual rights include access, rectification, erasure, restriction, portability, and objection.

Extraterritorial Reach

GDPR applies to any organization processing EU residents’ data regardless of where the organization is located, including US startups serving European customers. Non-EU controllers must typically appoint EU representatives. The UK has a parallel UK GDPR after Brexit. International data transfers face heightened scrutiny following the Schrems II decision invalidating Privacy Shield; the newer EU-US Data Privacy Framework provides some certainty but faces ongoing legal challenges.

Penalties and Enforcement

GDPR fines can reach 4% of global annual revenue or €20 million, whichever is higher. Major fines have hit Amazon (€746M), Meta (€405M+, plus a separate €1.2B fine for international data transfers), Google (multiple €100M+ fines), and many others. National Data Protection Authorities investigate complaints and conduct audits. Class actions and individual claims add private enforcement on top of regulatory action. Compliance has become a board-level concern globally.