INBLF members provide a country-by-country analysis of GDPR, the European Union’s comprehensive data protection law intended to protect the privacy and security of EU residents’ personal data. With the incorporation of GDPR throughout the European Union and the European Economic Area, GDPR is now in force in 28 countries in the EU and 3 additional countries of the EEA. GDPR covers a broad range of “personal data,” and requires businesses to honor individual rights, including erasing personal data when it is no longer used. Businesses must not process personal data without a lawful basis under GDPR.
U.S. and other foreign businesses need to comply with GDPR if they have operations in Europe, market products or services in Europe, monitor the behavior of European residents, or process data for covered businesses. Fines for violations are potentially heavy. Noncompliant businesses can be fined up to 20 million euros ($23.5 million) or 4 percent of their global revenues, whichever is greater.