If a business collects or processes information about individuals in the European Union, the EU General Data Privacy Regulation (GDPR) likely applies to the business.
The recently enacted GDPR applies to “controllers” and “processors” of personal data. A controller is one who determines the purposes and means of processing personal data. A processor acts on the controller’s behalf to process personal data.
The GDPR requires controllers and processors, independently of each other, to comply with significant restrictions on how personal data is collected and stored, and with significant requirements for data security, record-keeping and breach notification practices.
A business that believes the GDPR may apply to its operations should consider a thorough data practices audit as a first step in assessing its potential compliance obligations.