Whether you’re a family bakery in Estonia that keeps a list of local delivery addresses, or a multinational giant headquartered outside Europe that sells globally online, the EU’s General Data Protection Regulation almost certainly applies to you. Welcome to our What is… series, where we turn technical jargon into plain English. GDPR is short for General Data Protection Regulation, and it’s the name of a law in the European Union (EU) that sets out to protect the rights of individuals in respect of their data. Loosely speaking, any organisation that holds data about any resident of the EU is expected to comply. Whether you’re a family bakery in Estonia that keeps a list of local delivery addresses, or a multinational giant headquartered outside Europe that sells globally online, GDPR applies to you. GDPR was adopted as an EU law in April 2016, but the regulators decided to give us all plenty of time to become compliant, so the law only takes effect in May 2018. That’s just as well, because although it’s officially just “a regulation”, GDPR runs to 11 Chapters, 99 Articles and several hundred pages of legislation. Indeed, GDPR covers a lot more issues than many people realise. You’ll often hear GDPR mentioned as though it were concerned mainly with mistakes – in other words, that it’s mostly about data breaches and data breach notifications. In fact, only three of the 99 Articles actually deal with breaches, because GDPR is more of a digital privacy lifestyle guide, covering all aspects of personal data and how you use it. Amongst other things, GDPR deals with the data you collect in the first place, how you tell people what you are going to do with it, what you actually do with it, how you store it securely, whom you allow to access it, and – the part that seems to attract the most interest and attention – what happens if you fail to comply. Falling foul of GDPR means the possibility of a fine, and GDPR fines can go significantly higher than most laws that existed around Europe before GDPR came in. At the very worst, GDPR penalties can go up to €20,000,000 or 4% of your global annual turnover, whichever is bigger. Of course, the regulators aren’t compelled to impose penalties that large, and it is reasonable to assume that they won’t blindly plump for the maximum every time, so we shan’t know how big the fines are likely to be until the first few have been handed out. In short: GDPR will standardise data protection across the EU; if you do business in Europe you almost certainly need to comply; the law may seem onerous, but in a world with as many breaches as we have had in recent years, GDPR seems like just the sort of regulation we need; and you can expect to end up in hot water if you don’t comply. Oh, to be clear: GDPR applies in the UK, which is currently part of the EU, and will effectively apply even after the UK leaves the EU, because the government plans to pass a local law that will mirror GDPR.