The General Data Protection Regulation, or the GDPR, is a European Union legal instrument ensuring the protection of individuals with regard to the processing of personal data and the free movement of such data. After entering into force on 24 May 2016, it became binding and directly applicable in its entirety in all Member States of the European Union on 25 May 2018.
The GDPR requires that those who engage in the processing of personal data comply with its provisions and confers important rights on individuals whose personal data are being processed. Both natural persons and legal persons, including companies and governments, that are involved in the processing are required to act in accordance with the regulation. Possible non-compliance could cost them significant amounts of money and lead to court proceedings and reputational damage.
Companies and others who deal with personal data can be based outside the EU but, when they process personal data of EU citizens or residents, they are expected to organise their activities in line with the GDPR. The regulation is also applicable to those who have an establishment in the EU and are involved in the processing of personal data. This means that a large number of individuals, corporations, public authorities and others are significantly affected by the GDPR and need to be aware of its complexities and requirements.