What is GDPR and why does it matter for security?
Answer
The GDPR (General Data Protection Regulation) is the EU's comprehensive data privacy law (effective May 2018). It applies to any organization that processes personal data of EU residents, regardless of where the organization is based. Its security-relevant requirements include:
(1) Data protection by design and by default: build privacy into systems from the start rather than bolting it on later.
(2) Appropriate technical measures: encryption, pseudonymization, and access controls proportionate to the risk.
(3) Breach notification: notify the supervisory authority within 72 hours of discovering a breach, and notify affected individuals without undue delay.
(4) Data minimization: collect and retain only the personal data that is necessary for the stated purpose.
(5) Right to erasure ("right to be forgotten"): be able to locate and delete an individual's personal data on request.
Non-compliance penalties: up to €20 million or 4% of global annual turnover, whichever is higher. GDPR has influenced privacy laws worldwide (CCPA, PIPEDA). Security teams must ensure that technical controls (encryption, logging, access management, incident response timelines) align with GDPR's requirements.