Protecting personal data has been an important issue in the European Union (EU) for more than 20 years, and the recently ratified General Data Protection Regulation (GDPR) takes data protection in 2018 to an entirely new level. In addition to a new set of legal requirements that necessitate both organizational and technological responses, the GDPR is applicable to almost every organization around the world that collects or processes data on residents domiciled within the EU, including permanent residents, visitors and expatriates.
Compliance is thus predicated on the geographical location of the individuals about whom an organization holds personal data, not the domicile of registration for the organization.
This represents a sea change in how organizations must protect the personal data of anyone in the EU, and it may have implications for how they protect the personal data of non-EU residents, as well. Hence, the “General” Data Protection Regulation could better be called the “Global” Data Protection Regulation, and considering the financial penalties associated with non-compliance, requires serious attention and action from all organizations doing business across Europe (including the United Kingdom post-Brexit), both in the EU and in the European Economic Area (EEA).