Last year, I wrote an article that discussed the implications of the European Union’s (EU) General Data Protection Regulation (commonly referred to as GDPR), which came into effect last May. GDPR’s goal was to create and ensure the rights of citizens of the European Union and the European Economic Area to protect their personal data. In the wake of numerous data breaches and many companies’ morally gray handling of their customers’ personal data, the implementation of the GDPR gives people the chance to better understand and control the dissemination and use of their personal data. The regulation also insists upon a high level of care from any data handler so that personal information is better protected.

Although a European regulation, the GDPR has affected American companies and, as it appears, has also begun to shape American law and policy. GDPR’s strict regulations and rules do not simply apply within the EU and the European Economic Area; they affect anyone who does business with a person living in those countries or anyone who otherwise monitors the behavior or data of these residents. Consequently, many companies, both large and small, have had to employ data protection officers to comply with GDPR, as violations of the regulation can result in costly penalties.