The scope and scale of Equifax’s recent data breach and Facebook’s ongoing data-sharing travails have forced companies around the world to consider, perhaps more than ever before, the legality of how they obtain and process information about individuals. Many are struggling to understand what rules apply to them.
The most significant of these rules is a new European privacy law called the General Data Protection Regulation. Many businesses have been preparing for more than a year in advance of the GDPR’s May 25, 2018, enforcement date, and countless others are just now becoming aware of how it applies to the personal information they use.
In general terms, the GDPR means that European privacy protections often follow European personal information, with new restrictions and obligations, regardless of where the organization or data is located. Here are some helpful questions to ask yourself, to determine whether the GDPR might apply to your organization:
- Do you have employees (or contractors) in Europe?
- Do you sell directly to European consumers?
- Do you sell via a distribution network, or via retailers, in Europe?
- Do you host applications or data for your own clients that do business in Europe?
- Do you have B2B and/or B2C marketing lists, client lists, or leads that include Europeans?
If you answered yes to any of the above, then the GDPR likely applies to your business. If you are uncertain, or if these questions raise further questions of your own, the matter is worth discussing.
Non-compliance with the GDPR can result in fines of up to 4% of worldwide revenue or €20 million ($24 million), whichever is higher. More importantly, European businesses will likely not continue doing business with non-EU organizations that are not GDPR-compliant; under the new rules, the risk to them is too high.