The General Data Protection Regulation (GDPR) is an EU regulation establishing a harmonized set of rules for the processing of personal data to ensure a high level of protection for individuals' data privacy rights. It became enforceable on May 25, 2018, superseding the 1995 Data Protection Directive. The regulation's extraterritorial reach means it applies to all entities that process the personal data of data subjects located within the EU/EEA, regardless of the company's location, if they offer goods or services or monitor behavior there. Organizations must adhere to principles such as lawfulness, fairness, and transparency, and are held accountable for compliance. The potential penalty for severe violations can be up to 4% of the company's annual global revenue or €20 million, whichever is greater.