General Data Protection Regulation (GDPR)

Governance (GRC) 📜 • Security+ 🏆 Difficulty: free

Definition

GDPR is an EU data protection law that sets rules for how organizations collect, use, store, and share personal data. It requires a lawful reason for processing, strong transparency to individuals, and accountability for protecting data and respecting data subject rights.

Examples

  • A customer submits a request to see what data a company holds about them, and the company must respond through a defined process.
  • A business updates its privacy notice to clearly explain what personal data it collects, why it collects it, and how long it keeps it.

Discover 🔎

GDPR matters because personal data is everywhere in modern organizations: customer accounts, employee records, analytics tools, support tickets, and cloud services. GDPR is designed to give individuals clarity and control over how their data is used, while requiring organizations to handle that data responsibly.

It is not only a privacy policy exercise. GDPR influences how systems are built, how incidents are handled, and how suppliers are managed.

Remember: GDPR is based on accountability. You are expected to follow the rules and be able to prove that you follow them.