Glossary · Frameworks & standards

What is GDPR?

Also known as: General Data Protection Regulation, EU GDPR, Regulation (EU) 2016/679

GDPR is the European Union's General Data Protection Regulation, a comprehensive data-protection law governing how personal data of individuals in the EU and EEA is collected, processed, and protected. It applies to any organization worldwide that targets or monitors EU residents, grants individuals strong rights over their data, and carries significant penalties for violations.

Key takeaways

  • GDPR governs the personal data of individuals in the EU and EEA.
  • It has extraterritorial reach - it applies to organizations anywhere that handle EU residents' data.
  • It is built on principles like lawfulness, data minimization, purpose limitation, and accountability.
  • Individuals gain rights including access, rectification, erasure, and portability.
  • Breaches generally must be reported to a supervisory authority within 72 hours.

What does GDPR require?

GDPR is principle-based. Organizations must process personal data lawfully, fairly, and transparently; collect it for specified purposes; minimize what they collect; keep it accurate; retain it no longer than necessary; and ensure appropriate security. The accountability principle requires them to demonstrate compliance, not merely assert it.

Processing must rest on a lawful basis such as consent, contract, or legitimate interests, and organizations must maintain records of processing activities and conduct a Data Protection Impact Assessment for high-risk processing - a discipline closely related to a security risk assessment.

What rights does GDPR give individuals?

  • Right to be informed about how data is used.
  • Right of access to one's personal data.
  • Right to rectification of inaccurate data.
  • Right to erasure (the right to be forgotten).
  • Right to restrict or object to processing.
  • Right to data portability.

Organizations must be able to respond to these requests within defined timeframes, which requires knowing exactly where personal data lives across their systems and vendors.

How do you operationalize GDPR?

Operational GDPR means mapping data flows, maintaining a lawful basis for each processing activity, securing data with appropriate technical and organizational measures, managing processors through contracts, and handling breaches under the 72-hour notification duty. Strong information security underpins all of it, which is why many organizations align with ISO 27001 and ISO 27701 for privacy.

CATAAM supports the security side of GDPR by keeping technical and organizational measures under continuous control monitoring, so the safeguards protecting personal data are verified continuously rather than assumed.

Frequently asked questions

Does GDPR apply to companies outside the EU?
Yes. GDPR has extraterritorial reach. It applies to any organization, wherever located, that offers goods or services to or monitors the behavior of individuals in the EU or EEA.
How quickly must a breach be reported under GDPR?
A personal data breach must generally be reported to the relevant supervisory authority within 72 hours of becoming aware of it, unless it is unlikely to result in risk to individuals.
What is the difference between a data controller and a data processor?
A controller decides why and how personal data is processed, while a processor handles data on the controller's behalf. Both have obligations under GDPR, governed by a data processing agreement.
Is GDPR a certification?
No. GDPR is a law, not a certification. Approved certification mechanisms exist to help demonstrate compliance, but there is no single official GDPR certificate.

Authoritative sources

← Back to the glossary