GDPR governs the processing of personal data of individuals in the EU/EEA, with strong rights for data subjects and accountability obligations for controllers and processors.
Who it affects
- Any organisation processing EU/EEA personal data
- Controllers and processors, regardless of establishment
- Joint controllers and sub-processors in the data chain
Key obligations
- Lawful basis, purpose limitation and data minimisation
- Records of processing, and data protection impact assessments (DPIAs) for high-risk processing
- Processor due diligence, and standard contractual clauses (SCCs) for international transfers
- 72-hour breach notification to supervisory authorities
Penalties
Fines up to €20m or 4% of global annual turnover, whichever is higher.
How RisQo helps
RisQo's Privacy Risk module profiles processor exposure, transfer footprint and breach history so DPO teams can prioritise audits where personal-data risk concentrates.
This explainer is provided for informational purposes only and does not constitute legal advice. Always consult qualified counsel before making compliance decisions.