
GDPR

GDPR (General Data Protection Regulation) is the EU law governing personal data protection, with major implications for vendor security reviews and DDQs.

Definition

The General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) is the European Union's comprehensive data protection law. It governs the collection, processing, storage, and transfer of personal data of individuals in the EU and EEA. Its territorial scope (Article 3) covers organizations established in the EU regardless of where the processing takes place, and organizations established outside the EU that offer goods or services to, or monitor the behaviour of, data subjects in the EU. In practice this means a vendor anywhere in the world that serves European customers or their end users is in scope.

Context

GDPR has a significant impact on security questionnaire workflows. Buyer questionnaires frequently include GDPR-specific questions about data processing agreements (DPAs), data subject rights, cross-border data transfers (including Standard Contractual Clauses), data retention policies, breach notification procedures, and Data Protection Impact Assessments (DPIAs). Vendors serving European customers must demonstrate GDPR compliance in their questionnaire responses and maintain appropriate documentation for the compliance pack.

Why it matters

GDPR is built on the principles in Article 5: lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality (the security principle, which requires appropriate technical and organizational measures against unauthorized or unlawful processing, loss, destruction or damage); and accountability. Controllers must establish a lawful basis under Article 6 for each processing activity and, together with processors, maintain records of processing activities (Article 30) documenting what data is processed, why, where it flows, and to whom it is disclosed.

For organizations responding to security questionnaires, GDPR introduces specific operational requirements that buyers regularly probe. These include Data Protection Impact Assessments (Article 35) for processing likely to result in high risk; notification of personal data breaches to the supervisory authority without undue delay and, where feasible, within 72 hours of the controller becoming aware (Article 33), unless the breach is unlikely to result in a risk to individuals, with processors required to notify the controller without undue delay; fulfilment of data subject requests within one month (Article 12(3)), extendable by two further months for complex or numerous requests; and written contracts with the Article 28 mandatory terms (Data Processing Agreements) with every processor and sub-processor, plus the controller's prior authorization before a sub-processor is engaged. A persistent challenge is international data transfers: the Schrems II decision (CJEU C-311/18, 2020) invalidated the EU-US Privacy Shield and confirmed that Standard Contractual Clauses alone are not sufficient. Organizations must rely on an adequacy decision (such as the 2023 EU-US Data Privacy Framework for certified US recipients) or on Standard Contractual Clauses supplemented by a transfer impact assessment of the recipient country's laws and, where needed, supplementary technical measures such as encryption with keys held only in the EU.

Enforcement across EU member states has matured considerably, with supervisory authorities imposing substantial fines and issuing binding orders that require operational changes. Penalties can reach four percent of global annual turnover or twenty million euros, whichever is greater. Beyond fines, data protection authorities have ordered processing suspensions that directly disrupt business operations. Vendor security reviews increasingly include GDPR-specific sections verifying sub-processor lists, data residency commitments, and breach notification SLAs as contractual requirements rather than optional compliance gestures.

Automate your security questionnaire workflow

VeriRFP uses evidence-backed AI to draft security questionnaire responses with deterministic citations from your approved documentation.