We’ve been getting lots of questions from public agencies about the General Data Protection Regulation—known as GDPR.

GDPR is a new European Union privacy law that governs the processing of personal data about people residing in Europe. It just went into effect on May 25.

Personal data is anything that identifies or could identify an individual residing in the EU, such as first and last name, home address, or IP address.

For the most part, GDPR protects personal data in three scenarios:

First, if a public agency has a physical presence in the EU and is handling personal data.

Second, if a public agency is outside the EU and is trying to attract customers from Europe. For instance, when a public agency has a website in French and accepts payment in Euros.

Third, if a public agency is monitoring the behavior of an individual in the EU. For instance, when a public agency’s website uses persistent cookies that track users in the European Union after they leave the website.

These three scenarios are not likely to impact public agencies.

The EU should be issuing guidance later this year, likely in November. We will keep you posted on any updates.

By Catherine J. Groves of HansonBridgett