GDPR is about SO much more than this !  (This is by no means a complete list and is not given with any warranty of legal correctness) 1) Anyone, anywhere in the world, processing personal data for any individual based in the EU needs to comply with GDPR. In theory, this covers pretty much any website anywhere in the world but unless you are based within the EU or are a larger company, there are questions over how it will be enforced but if information is disclosed illegally, for example via