General Data Protection Regulation (GDPR)

The complete guide to GDPR and compliance can be found at gdpr.eu

GDPR took effect on May 25, 2018, and since then harsh fines have been levied against violators of the EU's data privacy legislation. According to the GDPR Enforcement Tracker website, the top 10 countries with the highest total fines are:


And the breakdown of violations by industry:


While the US and US companies are not represented in these tables, that does not mean their European offices have not been fined under the GDPR. Read more about that here. Google (fined $50m by France) and Marriott ($100m fine for its Starwood customer data breach) are the two largest entities to face GDPR fines.

In a nutshell, GDPR covers businesses, government agencies, and other entities that are:
  • In the European Union (EU);
  • Offering goods or services to anyone in the EU;
  • Collecting, storing, transferring, or using personal information about EU citizens.

For individuals, GDPR offers extended protections regarding the use of personal data such as:
  • Right to Access:
    • Obtain confirmation as to whether or not their personal data is being processed, where, and for what purpose
    • Access their personal data
    • Correct errors in their personal data
  • Right to be Forgotten:
    • Erase their personal data
    • Object to having their personal data processed
  • Data Portability:
    • Receive a copy of any personal data stored, and transfer that data to another vendor/controller

GDPR defines personal data as:
‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. (source)