The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of personal information from individuals who live in the European Union (EU). Since the Regulation applies regardless of where websites are based, it must be heeded by all sites that attract European visitors, even if they don't specifically market goods or services to EU residents.
The GDPR mandates that EU visitors be given a number of data disclosures. The site must also take steps to support EU consumer rights, such as timely notification in the event that personal data is breached. Adopted in April 2016, the Regulation came into full effect in May 2018, after a two-year transition period.
Under the rules, visitors must be notified of the data the site collects from them and must explicitly consent to that information-gathering, by clicking an Agree button or taking a similar action. (This requirement largely explains the ubiquitous disclosures that sites collect "cookies" - small files that hold personal information such as site settings and preferences.)
Sites must also notify visitors in a timely way if any of their personal data held by the site is breached. These EU requirements may be more stringent than those required in the jurisdiction in which the site is located.
Also mandated is an assessment of the site's data security, along with a determination of whether a dedicated data protection officer (DPO) needs to be hired or an existing staffer can carry out this function.
Information on how to contact the DPO and other relevant staffers must be accessible so that visitors may exercise their EU data rights, which also include the ability to have their presence on the site erased, among other measures. (Naturally, the site must also add staff and other resources to be capable of carrying out such requests.)