The GDPR applies to organisations processing and holding personal data within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU.
Personal data means any information that can be used to directly or indirectly identify a person. This includes, for example, a name, a computer's IP address, bank details or location data.
Depending on the severity of non-compliance, companies can expect to be fined up to 2% of annual global turnover or €10 million (whichever is higher) for failing to comply with GDPR. For more serious data breaches, companies can be fined up to 4% of annual global turnover or €20 million. Importantly, these rules now apply to both controllers and processors.