Who is impacted?
The regulations apply to companies based and with offices located in the European Union. That includes both companies that collect data on EU residents and those that process data on behalf of those companies (such as CSPs). However, due to what the GDPR calls "extraterritoriality," it will also apply to companies that collect or process data on EU citizens, even if they are not physically located in the EU. The EU defines personal data as "any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address."