The GDPR applies to all private and public enterprises, as well as to government authorities that in any way manage personal data. It therefore concerns practically all businesses, inside and outside the European Union, as long as the data concern European citizens.

Businesses are now also required to deal formally with the protection of personal data they manage, following specific security procedures. Some of the obligations for businesses are: To collect personal data for a specific purpose and in a specific way, without subjecting them to further processing in a manner incompatible with their purpose, updating them, storing them for the minimum amount of time required and obtain the consent of natural persons. In addition, each enterprise must develop electronic tools to ensure the security of personal data and keep records and notify each infringement within a specified time. Every business is required to be able to demonstrate in writing that it complies with all the requirements defined by the GDPR.

In the event of an offense, excessive fines are foreseen, which, depending on the size and nature of the offense, may amount to up to EUR 20 million or 4% of the world's annual turnover of the company.