Who has to comply?

The regulation will be applied directly and equally in all 28 European Union countries, to all private businesses, state administration and other organisations that hold and process personal data. These entities have had over two years – since 27 April 2016 – to prepare for compliance.

But the regulation also applies to companies and organisations operating outside the EU: If a company or organisation processes the personal data of individuals living within the EU, it has to comply with the GDPR – no matter where that company or organisation is based.