On May 25, 2018 the General Data Protection Regulation (GDPR) will go into effect. The law aims to give citizens more control over their data and to create a uniformity of rules to enforce across the European continent. Although this law comes from the European Union (EU), it will have a global impact. It will affect any business holding personal data on customers, prospects or employees based in the EU.
To be clear, if the personal data is processed in respect to an activity or transaction within the EU territory, it is covered by GDPR. The law is one based on territory not citizenship/residency. A couple of examples:
1) A US tourist is visiting the EU and makes an online purchase at a local store. This activity is subject to GDPR.
2) An EU citizen/resident is visiting the US. They order a pizza online from a local pizza place. This activity is not subject to GDPR.