What is the GDPR?
The GDPR, or General Data Protection Regulation, is the European regulation that became applicable in May 2018. It substantially raised the bar for privacy and now serves as a model for many laws around the world, including Quebec's Law 25.
It is not merely a privacy policy: it is an accountability framework that requires organizations to demonstrate, with evidence, how they protect personal data.
Why it matters for your organization
The GDPR applies as soon as an organization processes the data of individuals located in the European Union, regardless of where it is based. Penalties are dissuasive, but the stakes go beyond the fine: a breach exposes you to loss of customer trust and restrictions on data transfers.
The regulation introduces the accountability principle: being compliant is not enough; you must be able to prove it at any time.
The key principles
- Lawfulness, fairness, transparency: process data on a clear and understandable legal basis.
- Purpose limitation: collect only for specified purposes.
- Minimization: process only strictly necessary data.
- Individual rights: access, rectification, erasure, portability, objection.
- Security and notification: protect data and report breaches within 72 hours.
- Transfer safeguards: ensure an adequate level of protection outside the European Union.
Where organizations most often fall short
Common gaps are not in the published policy but in execution: an incomplete record of processing activities, undefined retention periods, processors without a compliant contract, or an inability to answer a rights request within the deadline. The GDPR is won through continuous evidence, not statements of intent.