
General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) is a comprehensive data protection law enacted by the European Union (EU) that governs how personal data of individuals in the EU and European Economic Area (EEA) must be collected, processed, stored and shared. It came into effect on May 25, 2018, and applies not only to organizations within the EU, but also to any organization worldwide that offers goods or services to, or monitors the behavior of, individuals in the EU.

The primary objective of GDPR is to give individuals greater control over their personal data and to ensure that organizations handle this data transparently, securely and responsibly. Under GDPR, personal data includes any information that can directly or indirectly identify a person, such as names, email addresses, identification numbers, location data and online identifiers.

Key principles of GDPR include lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability. Organizations must also uphold individual rights, such as the right to access, rectify or erase personal data, the right to data portability, and the right to object to processing.

In the context of KYC compliance, GDPR plays a critical role by setting strict requirements on how personal and sensitive information - such as customer identification and verification data - is handled. Failure to comply with GDPR can result in substantial fines, reputational harm and legal action.

To read the actual text within the GDPR, go to https://eur-lex.europa.eu/eli/reg/2016/679/oj/eng
