Who does the GDPR affect?
The GDPR applies to any company processing the personal data or monitoring the behavior of citizens who reside in the European Union. Under what is called 'increased territorial regulatory scope,' or extra-territorial applicability, the regulation's requirements, penalties and fines are enforceable for data breach infractions not only within all 28 member states of the European Union, but also against any organization controlling, processing or transferring the data of EU data subjects, no matter where the data controller or processor is geographically based.
"GDPR will affect not only EU-based organizations, but many data controllers and processors outside the EU as well."
Bart Williamson, Gartner
Do U.S. Organizations Need to Comply?
Yes. Companies based in the EU and in the U.S. alike must change how they conduct certain business processes: how they provide access to consumer data across their internal organization, how they communicate about and request consent to process consumer data, how they erase consumer data and record its processing, and how they protect the privacy of citizens when handling sensitive data.
Organizations must fully understand how data is processed, where it is being processed, and who is processing and storing it (including third-party applications), and must demonstrate the ability to erase data no matter where it exists.
Most importantly, companies will be required to follow specific steps in the event of a data breach. Companies will be required to notify regulatory authorities and data subjects of any breach of personal data within 72 hours of discovering the breach.