GDPR

EU General Data Protection Regulation — privacy rights for EU data subjects with global reach.

GDPR grants EU data subjects rights over their personal data — access, rectification, erasure (“right to be forgotten”), and portability — and requires a lawful basis to process it. It applies extraterritorially to any organization handling EU residents’ data, regardless of where the org is based. Teeth come from a 72-hour breach-notification requirement and fines up to the greater of €20M or 4% of global annual revenue.
