On May 25, 2018, when the European Union’s landmark General Data Protection Regulation (GDPR) is scheduled to take effect, few, if any, financial institutions will be confident they’re in full compliance, here or abroad. The sweeping mandate — containing 99 articles and 173 recitals — basically covers everyone who resides in the EU.1 It also protects a broader set of personal data beyond the Social Security numbers, dates of birth, and addresses that are usually considered personally identifiable information in the United States. In the context of GDPR, personal data2 are defined as “any information relating to an identified or identifiable natural person.” That may include IP addresses; “social media posts; photographs; lifestyle preferences; and transaction histories” — regardless of format, digital, paper, audio, or otherwise.3,4 In short, FIs should assume that GDPR could potentially cover all of the data it stores on behalf of its customers and employees — especially dual citizens and overseas website visitors.