GDPR is a regulation that requires businesses to protect the personal data and privacy of EU citizens for transactions that occur within EU member states.
The GDPR was approved and adopted by the EU Parliament in April 2016. The regulation took effect after a two-year transition period and, unlike a Directive it does not require any enabling legislation to be passed by government; meaning it became enforceable May of 2018.
The GDPR not only applies to organisations located within the EU but it will also apply to organisations located outside of the EU if they offer goods or services to EU citizens. It applies to all companies processing and holding the personal data of people residing in the European Union, regardless of the company’s location.