European Union regulation governing data privacy and protection for individuals within the EU and EEA, requiring organizations to implement privacy by design and report data breaches within 72 hours.
GDPR significantly affects insider risk management through its requirements for data minimization, access controls, and breach notification. Article 32 mandates technical and organizational measures, including pseudonymization, encryption, and regular security testing. Insider incidents involving personal data can result in fines of up to €20 million or 4% of annual revenue. Organizations must balance insider threat monitoring against data subjects' privacy rights and consent requirements, since monitoring employees is itself a form of personal data processing.