Effective May 25, 2018, the GDPR (General Data Protection Regulation) is a new data protection law that regulates how organizations protect the personal data of people residing in the European Union.

The GDPR covers all the European Union member states: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, and Sweden.

Since the United Kingdom is still part of the European Union (currently, the UK is due to leave the European Union on Oct. 23, 2019 at 23:00 GMT), the Channel Isles, England, Northern Ireland, Scotland, and Wales are also governed by the GDPR. In addition to the member states, the GDPR covers the European Economic Area countries: Iceland, Liechtenstein, and Norway.

Although the GDPR is a European Union regulation, non-EU organizations with offices in EU countries, or that collect, store, and process the personal data of EU data subjects (individuals living in the EU), are still required to understand its implications and ensure they are in compliance. A company's physical location doesn't exempt it from GDPR compliance.

The EU doesn't consider United States data protection laws stringent enough to offer its citizens adequate protection. Consequently, only U.S.-based organizations certified under the EU-US Privacy Shield agreement will be able to receive personal data transferred from the EU.

Data can be transferred only when the EU Commission has determined that the destination of the transfer "ensures an adequate level of protection." Data transfers can also happen if the receiving entity can show that it meets this "adequate level of protection," subject to a review every four years.

The necessary protections could include:

  • data protection clauses approved by the commission
  • agreements between public authorities that are legally binding
  • certifications approved by the commission
  • binding corporate rules enforced across different entities within the same corporate group