GDPR is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for EU residents. This legal framework replaces the current EU Data Protection Directive (95/46/EC) with additional requirements that you need to be made aware. The new EU data protection regime extends the scope of the EU data protection law to all companies even outside the EU when they process data of EU residents.
GDPR is effective right now and officially took effect from 25th May 2018, at which time those companies or organisations in non-compliance may be subject to fines.
GDPR applies to persons and entities of all sizes that process personal data of EU residents, regardless of where they are based. These regulations apply to both data controllers and data processors, including third parties such as cloud providers.
It applies to all 28 EU member states and to entities and organisations outside the EU when processing the data of citizens within it.
The maximum penalty for organizations in non-compliance with GDPR can be up to €20 million or 4% of annual global turnover, whichever is greater. There is a tiered approach to fines e.g. a company can be fined 2% for not having their records in order (article 28), not notifying the supervising authority and data subject about a breach or not conducting impact assessment.