General Data Protection Regulation
What it is
EU regulation protecting personal data of individuals in the EU/EEA. Applies extraterritorially — any organization processing EU residents' data is in scope.
Who uses it
Any organization with EU customers, users, or employees — including U.S. SaaS companies.
Why it matters
Fines reach 4% of global annual turnover or €20M, whichever is greater. Data Protection Impact Assessments and data mapping are recurring junior GRC work.
Structure
Consent, contract, legal obligation, vital interests, public task, legitimate interests — every processing activity needs one.
Access, rectification, erasure, restriction, portability, objection, and rights related to automated decisions.
Controller (decides why/how) vs Processor (acts on controller's instructions) — different obligations.
Data Protection Impact Assessment, required for high-risk processing.
Cross-border transfers need a mechanism — SCCs, adequacy decision, BCRs.
Terminology
Beginner explanation
GDPR is about respecting individuals' control over their own personal data. Every processing activity needs a documented reason, and individuals have rights you must honor.
Practical examples
- A SaaS adds a 'Delete my account' flow to satisfy the right to erasure.
- A marketing team's plan to scrape LinkedIn for prospects requires a lawful basis — 'legitimate interests' with a balancing test.
Advanced notes
Post-Schrems II, transfers to the U.S. require either the EU-U.S. Data Privacy Framework certification or SCCs plus a transfer impact assessment.