FortaRisks

GDPR

The GDPR (General Data Protection Regulation) is the European regulation that governs the processing of personal data. It imposes strict principles (lawfulness, minimization, transparency), rights for individuals, and administrative fines of up to 20 million euros or 4% of worldwide annual turnover, whichever is higher.

Updated on July 2, 2026

What is the GDPR?

The GDPR, or General Data Protection Regulation, is the European text that has applied since 25 May 2018. It substantially raised the bar for privacy and now serves as a model for many laws around the world, including Quebec's Law 25.

It is not merely a privacy policy: it is an accountability framework that requires organizations to demonstrate, with evidence, how they protect personal data.

Why it matters for your organization

The GDPR applies to any organization established in the European Union, and to organizations established elsewhere as soon as they offer goods or services to individuals located in the Union or monitor their behavior. Penalties are dissuasive, but the stakes go beyond the fine: a breach exposes you to loss of customer trust and to restrictions on data transfers.

The regulation introduces the accountability principle: being compliant is not enough, you must be able to prove it at any time.

The key principles

  • Lawfulness, fairness, transparency: process data on a valid legal basis (consent, contract, legal obligation, legitimate interest, etc.) and tell individuals clearly what you do with it.
  • Purpose limitation: collect only for specified purposes.
  • Minimization: process only strictly necessary data.
  • Individual rights: access, rectification, erasure, portability, objection.
  • Security and notification: protect data and notify the supervisory authority of a breach within 72 hours of becoming aware of it, and inform the individuals concerned when the breach puts them at high risk.
  • Transfer safeguards: ensure an adequate level of protection outside the European Union.

Where organizations most often fall short

Common gaps are not in the published policy but in execution: an incomplete record of processing activities, undefined retention periods, processors without a compliant contract, or an inability to answer a rights request within the deadline. The GDPR is won through continuous evidence, not statements of intent.

Frequently asked questions

Does the GDPR apply to companies outside the European Union?

Yes. The GDPR has extraterritorial reach: it applies to any organization that processes the data of individuals located in the European Union, whether it offers them goods and services or monitors their behavior, even if the organization is established elsewhere.

What is the difference between the GDPR and Quebec's Law 25?

Both regimes share the same founding principles. The GDPR is the European framework; Law 25 is specific to Quebec, with its own supervisory authority, its own penalty thresholds and specific obligations, such as a mandatory privacy impact assessment before personal information is communicated outside Quebec. Being compliant with one does not guarantee compliance with the other.
