The GDPR or General Data Protection Regulation is a legal framework that harmonizes the rules surrounding how European residents’ data is collected, stored or processed. It applies to any organization anywhere in the world that conducts business within the European Union (EU) and became law on May 25, 2018.

Regardless of its size, if your business operates directly or indirectly in any of the 23 states and countries that comprise the EU, it must comply with the GDPR. This means it can only collect and process personal data relating to a customer or website visitor under certain clearly communicated circumstances. Companies have a legal responsibility to explain what data they are collecting and why.

As well as transparency around data collection, organizations must also make any stored data available to the individual in question – customers have the right to demand their personal information be altered, updated, deleted or transported to another organization or entity.

While in the event of a data breach, a business must inform any affected customer within 72 hours that their information may have been compromised. Non-compliance with the GDPR can result in large financial penalties of up to €20 million (~$25 million) or 4% of a company’s annual global turnover, whichever is the greater.