GDPR is the EU regulation governing the collection, processing, and storage of personal data for individuals within the European Economic Area.
Also known as: GDPR, EU Data Protection
The General Data Protection Regulation (GDPR) is a comprehensive data protection law enacted by the European Union in 2018. It governs how organizations collect, process, store, and transfer personal data of individuals within the European Economic Area (EEA), applying to any organization worldwide that handles such data regardless of where the organization is based.
GDPR establishes six lawful bases for processing personal data: consent, contractual necessity, legal obligation, vital interests, public task, and legitimate interests. Organizations must identify and document which basis applies to each processing activity before collecting data. Consent must be freely given, specific, informed, and unambiguous — pre-checked boxes and bundled consent are explicitly prohibited.
The regulation grants individuals (data subjects) extensive rights over their personal data. The right of access allows individuals to request a copy of all personal data held about them. The right to rectification enables correction of inaccurate data. The right to erasure (the "right to be forgotten") requires deletion of personal data when retention is no longer justified. The right to data portability allows individuals to receive their data in a machine-readable format for transfer to another provider.
Data Protection Impact Assessments (DPIAs) are required for processing activities likely to result in high risk to individuals — such as large-scale profiling, systematic monitoring, or processing of special category data. DPIAs must evaluate the necessity and proportionality of processing, assess risks to individuals, and identify measures to mitigate those risks.
Data breach notification is mandatory under GDPR. Organizations must notify the relevant supervisory authority within 72 hours of becoming aware of a personal data breach. If the breach poses a high risk to individuals, those individuals must also be notified directly. This tight timeline requires organizations to have breach detection and response procedures in place before an incident occurs.
GDPR enforcement has been aggressive, with fines exceeding hundreds of millions of euros for individual violations. The regulation allows fines of up to 4% of global annual revenue or 20 million euros, whichever is higher. Beyond headline fines, enforcement actions include processing bans, mandatory audits, and public disclosure — all of which carry significant business impact.
GDPR's extraterritorial scope means that any organization serving EU residents must comply, regardless of where it is headquartered. A US-based SaaS company with European customers must meet GDPR requirements for those customers' data. This has made GDPR the de facto global standard for data protection, influencing legislation in Brazil (LGPD), California (CCPA/CPRA), India (DPDP Act), and dozens of other jurisdictions.
For technology companies, GDPR compliance affects product design, data architecture, and vendor relationships. Privacy by design — building data protection into systems from the outset rather than adding it as an afterthought — is an explicit GDPR requirement.
APIVult's GlobalShield API supports GDPR compliance by automating the detection of personal data across documents and data streams. GlobalShield identifies PII that falls within GDPR's definition of personal data, enabling organizations to catalog what personal data they hold, where it exists, and whether it is adequately protected.
This detection capability supports data subject access requests (finding all data related to an individual), data minimization reviews (identifying unnecessary personal data retention), and breach assessment (determining what personal data was exposed in a security incident).