What is the GDPR?
The General Data Protection Regulation (GDPR) is the toughest privacy and security law in the world. It was drafted and passed by the European Union (EU), but it imposes obligations on organizations anywhere, as long as they target or collect data related to people in the EU.
If you process the personal data of EU citizens or residents or offer goods or services to them, then the GDPR applies to you, even if you aren't based in the EU. There are two levels of fines, up to a maximum of €20 million or 4% of global turnover (whichever is higher), and data subjects have the right to claim damages.
You're required to keep data secure by taking "appropriate technical and organizational measures".
Technical measures range from requiring your employees to use two-factor authentication for accounts where personal data is stored to contracts with cloud providers that use end-to-end encryption.