GDPR
GDPR (General Data Protection Regulation) is the EU's comprehensive data privacy law that governs how organizations collect, process, and protect personal data of EU residents.
The General Data Protection Regulation (Regulation (EU) 2016/679) is the EU law on data protection and privacy, in force since 25 May 2018. It applies to organizations established in the EU, and to organizations outside the EU that offer goods or services to individuals in the EU or monitor their behaviour, regardless of where the organization itself is located.
Key GDPR principles (Article 5) include:
- Lawfulness, fairness, transparency: a clear legal basis (e.g. consent, contract, legitimate interest) and transparency toward the data subject
- Purpose limitation: data collected for specified, explicit purposes only
- Data minimization: collect only the data necessary for those purposes
- Accuracy: keep data accurate and up to date
- Storage limitation: do not keep data longer than needed
- Integrity and confidentiality: appropriate technical and organizational security measures (e.g. encryption, access control)
- Accountability: be able to demonstrate compliance
GDPR grants individuals (data subjects) specific rights:
- Right to access their data
- Right to rectification
- Right to erasure ("right to be forgotten")
- Right to restriction of processing
- Right to data portability
- Right to object to processing
Non-compliance can result in fines of up to €20 million or 4% of global annual turnover, whichever is higher.
Why It Matters
GDPR fines have exceeded €4 billion in total since enforcement began, with individual penalties capped at 4% of global annual turnover. Any company serving EU customers, including US-based SaaS companies, must comply. Beyond fines, non-compliance can block market access to the EU's roughly 450 million consumers and damages trust with privacy-conscious customers worldwide. GDPR-aligned data practices are increasingly a competitive advantage in global markets.
Related Terms
Data privacy refers to the proper handling of personal information including how it is collected, used, shared, and protected in compliance with regulations.
Encryption at rest protects data stored on disks, databases, or storage systems by converting it to an unreadable format that requires a key to decrypt.
Frequently Asked Questions
Does GDPR apply to US companies?
Yes. If you offer goods or services to individuals in the EU, or monitor their behaviour (for example through analytics or tracking), GDPR applies regardless of where your company is located.
What is a Data Protection Officer (DPO)?
A DPO oversees GDPR compliance and acts as the contact point for supervisory authorities and data subjects. Appointing one is mandatory (Article 37) for public authorities, for organizations whose core activities involve large-scale, regular and systematic monitoring of individuals, and for organizations whose core activities involve large-scale processing of special categories of data (such as health data) or criminal conviction data.