The General Data Protection Regulation (GDPR) sets rules for processing personal data of people in the EU and UK. It requires transparency, lawful bases for processing, data subject rights, privacy by design/default, strong security, vendor management, and governance. Non-compliance can lead to fines up to €20M or 4% of global annual revenue (UK: the higher of £17.5M or 4%), plus orders and reputational damage.