Back to glossary


The General Data Protection Regulation (GDPR) is EU legislation that came into effect on May 25, 2018. It has wide-reaching implications for data protection and security. GDPR applies to any organization that operates in the European Union (EU), but also to organizations that offer goods or services to EU residents – regardless of where these organizations are located.

Under the GDPR, organizations require explicit consent in order to collect, use, or process personal data. They also need a lawful basis for processing the data – such as a contract with the individual or a legitimate interest in processing the data. This gives EU residents much more control over personal data, or data that can be used to identify them.

Other protections established or strengthened in the GDPR include:

  • Strict rules on data security and data breaches
  • An individual's right to access and control their personal data 
  • A right to request that personal data be erased (e.g. the "right to be forgotten")
  • A right to data portability – i.e., to request and receive a readable copy of your personal data

A violation of the GDPR can cost an organization: fines can be up to 4% of its annual global revenue, or €20 million – the greater of the two.

While the GDPR does not specifically mention cloud storage, it does apply when a company is processing personal data in the cloud. Organizations must ensure that they comply with the GDPR's requirements when using cloud storage to store personal data of individuals within the EU. 

The GDPR has had a significant impact on how organizations handle personal data and has set a new global standard for data protection laws.