Glossary
GDPR
The EU General Data Protection Regulation — personal data privacy rules with major implications for Microsoft 365 deployments.
The General Data Protection Regulation (GDPR) is the EU's comprehensive privacy regulation, effective since 2018, governing how organisations process the personal data of EU residents. Its key requirements are a lawful basis for each processing activity, data minimisation, data subject rights (access, rectification, erasure, portability, objection), notification of personal data breaches to the supervisory authority within 72 hours, appointment of a Data Protection Officer for many organisations, and data residency, which Microsoft addresses through the EU Data Boundary. Microsoft 365 supports GDPR compliance through Microsoft Priva (subject rights requests, privacy risk management), Microsoft Purview (data classification, retention, eDiscovery), the EU Data Boundary (customer data processed and stored within the EU), and the Microsoft Data Protection Addendum in licensing agreements. Fines for non-compliance can be substantial — up to 4% of annual global revenue.