Overview
Direct Answer
The General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) is EU legislation that sets comprehensive rules for the collection, processing, and storage of personal data of individuals in the EU and the EEA. It grants data subjects enforceable rights over their data, including access, rectification, erasure, portability, and objection, and imposes legal obligations on the organisations that process such information.
How It Works
Processing is permitted only on one of six lawful bases; consent is one of them, alongside contract, legal obligation, vital interests, public task, and legitimate interests. Organisations must keep records of their processing activities, carry out a data protection impact assessment where processing is likely to pose a high risk to individuals, and implement data protection by design and by default. The regulation defines the roles of data controller (who determines the purposes and means of processing) and processor (who processes data on the controller's behalf); a processor may act only under a contract or other legal act that mandates specific safeguards. A personal data breach must be reported to the supervisory authority without undue delay and, where feasible, within 72 hours of the controller becoming aware of it, and affected individuals must be informed when the breach is likely to result in a high risk to them.
Why It Matters
Non-compliance carries administrative fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher, in addition to reputational harm and the right of affected individuals to claim compensation. Organisations operating across borders or processing the data of people in the EU must embed compliance into their operations, which shapes data architecture, consent management, retention periods, and vendor selection.
Common Applications
Manufacturing firms collecting employee data, e-commerce platforms processing customer information, cloud service providers hosting records of EU residents, and financial institutions managing customer databases all fall within its scope. Healthcare organisations and marketing agencies face particularly close scrutiny: health data is a special category subject to stricter conditions, and direct marketing triggers specific consent and objection requirements.
Key Considerations
The regulation applies extraterritorially: a non-EU organisation falls within scope if it offers goods or services to, or monitors the behaviour of, individuals in the EU, regardless of where it is established. Balancing legitimate business interests against individual rights requires ongoing legal interpretation, as enforcement priorities and guidance vary across member state supervisory authorities.
More in Governance, Risk & Compliance
Ethical AI Framework (Governance): A set of principles, guidelines, and processes that an organisation adopts to ensure its AI systems are developed and deployed in a manner that is fair, transparent, and accountable.
Regulatory Sandbox (Compliance & Regulation): A controlled environment where businesses can test innovative products and services under regulatory oversight.
COBIT (Governance): Control Objectives for Information and Related Technologies, a framework for IT governance and management.
Model Risk Management (Governance): The governance framework for identifying, measuring, and mitigating risks arising from AI and analytical models.
Responsible AI (Governance): The practice of designing, developing, and deploying AI systems with good intention and ethical principles.
Audit Trail (Security Governance): A chronological record of system activities enabling the reconstruction and examination of a sequence of events.
Data Sovereignty (Governance): The concept that data is subject to the laws and governance structures of the country where it is collected or processed.
Digital Operational Resilience (Governance): An organisation's ability to build, assure, and review its technological integrity to ensure it can withstand all types of ICT-related disruptions and threats.