The far-reaching General Data Protection Regulation affects roughly two-thirds of the world’s business leaders.

The GDPR (2016/679), the European Union’s new privacy rule, went into effect on 25 May 2018. This sweeping regulation applies to all organisations within the EU—as well as those outside the EU if they offer goods or services to, or monitor the behavior of, individuals residing in the EU.

This sea-change regulation significantly changes how companies may collect and use the personal data of EU residents. And penalties for violating the GDPR are steep: up to the greater of 4% of a company’s global revenue or 20 million Euros (nearly $23.5 million).