General Data Protection Regulation (GDPR)
The General Data Protection Regulation (Regulation (EU) 2016/679) is the European legal framework governing the collection, processing, and storage of personal data. In force since 25 May 2018, it applies to organisations established in the EU/EEA and to organisations outside it that offer goods or services to, or monitor the behaviour of, individuals in the EU. The highest tier of administrative fines reaches EUR 20 million or 4% of worldwide annual turnover, whichever is higher.
The GDPR has fundamentally reshaped how businesses manage personal data in Europe and beyond. Article 5 sets out six core principles: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; and integrity and confidentiality. A seventh, accountability, requires the controller not only to comply with these principles but to be able to demonstrate that compliance at any time.
For KYC and compliance professionals, the GDPR creates a delicate balance between the obligation to verify customer identity (mandated by anti-money laundering directives) and the need to protect personal data. Companies must establish clear legal bases for each processing activity, implement proportionate retention periods, and uphold data subject rights including access, rectification, and erasure.
National data protection authorities (the ICO in the UK, the CNIL in France, the BfDI and the Länder authorities in Germany, the DPC in Ireland) enforce the regulation and can impose substantial penalties. In May 2023 the Irish DPC fined Meta a record EUR 1.2 billion for transferring European users' data to the United States without adequate safeguards, showing how strictly the international transfer rules (Chapter V) are applied following the Schrems II judgment.
Real-world examples
- 1. An online bank wants to share customers' KYC data with a third-party identity verification provider. Because identity verification is required by anti-money laundering law, the appropriate legal basis is legal obligation (Article 6(1)(c)), not consent, which cannot be freely given or withdrawn where the processing is mandatory. The bank must inform customers of the sharing in its privacy notice, put a data processing agreement (Article 28) in place with the provider, and document the activity in its record of processing activities (Article 30).
- 2. An insurance company receives a data subject access request: it must provide a copy of the personal data it holds, including identity verification results, within one month of receipt. That period may be extended by up to two further months for complex or numerous requests, provided the requester is told why within the first month.
- 3. A fintech detects a data breach affecting 5,000 users: it has 72 hours from becoming aware of the breach to notify the supervisory authority (unless the breach is unlikely to result in a risk to individuals) and must inform the affected individuals without undue delay if the breach is likely to result in a high risk to their rights and freedoms. Every breach, notified or not, must be logged internally.