The General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation in EU law on data protection and privacy for all individuals within the European Union.

• It addresses the export of personal data outside the EU. The GDPR aims primarily to give control back to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.
• When the GDPR takes effect, it will replace the 1995 Data Protection Directive (Directive 95/46/EC).
• It was adopted on 27 April 2016. It becomes enforceable from 25 May 2018, after a two-year transition period.
• Unlike a directive, it does not require national governments to pass any enabling legislation and so it is directly binding and applicable.
• GDPR extends the scope of EU data protection law to all foreign companies processing data of EU residents. It provides for a harmonization of the data protection regulations throughout the EU, thereby making it easier for non-European companies to comply with these regulations; however, this comes at the cost of a strict data protection compliance regime with severe penalties of up to 2% of worldwide turnover or €10 million, whichever is higher.
• The GDPR also brings a new set of "digital rights" for EU citizens in an age of an increase of the economic value of personal data in the digital economy.

• The regulation applies if the data controller, an organisation that collects data from EU residents, or processor, an organisation that processes data on behalf of a data controller like cloud service providers or the data subject (person) is based in the EU. The regulation also applies to organisations based outside the EU if they collect or process personal data of individuals located inside the EU.
• According to the European Commission, "personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.
• The regulation does not purport to apply to the processing of personal data for national security activities or law enforcement of the EU; however, industry groups concerned about facing a potential conflict of laws have questioned whether Article 48[9] of the GDPR could be invoked to seek to prevent a data controller subject to a third country's laws from complying with a legal order from that country's law enforcement, judicial, or national security authorities to disclose to such authorities the personal data of an EU person, regardless of whether the data resides in or out of the EU.
• Article 48 states that any judgement of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may not be recognised or enforceable in any manner unless based on an international agreement, like a mutual legal assistance treaty in force between the requesting third (non-EU) country and the EU or a member state.
• The data protection reform package also includes a separate Data Protection Directive for the police and criminal justice sector[10] that provides rules on personal data exchanges at national, European, and international levels.