We’re just weeks away from one of the most significant changes ever to online privacy, and businesses around the world are working hard to make sure they’re prepared. The General Data Protection Regulation, better known as GDPR, goes into effect on May 25th, 2018. It’s a sweeping set of laws being enacted by the European Union, but you don’t have to be in the EU to feel its impact.
Here are three things you should know about GDPR:
1. GDPR Probably Affects You—Even If You Aren’t in the EU
Don’t let the fact that GDPR is tied to the EU fool you. This order will affect businesses all over the world.
The reason? GDPR is designed to protect the data of EU-based individuals—and so it applies to any organization that handles such data, regardless of where the organization itself is located.
In other words, if your company touches the data of even a single EU-based individual, it’s up to you to have proper protections in place.
2. GDPR Covers Protection of Personal Data—and Its Regulations Are Broad
“Personal data” is a vague term, and GDPR’s definition is about as broad as it gets. Under the regulation, any information that could be used to identify a person in any way, even indirectly, is covered. That means names, email addresses, photos, ID numbers, and financial info are all included. So, too, are IP addresses, social network posts, and web-based cookie data.
Heck, if something is even remotely relevant to the “physical, physiological, genetic, mental, economic, cultural, or social identity” of a person—to use the GDPR’s own language—it counts.
The obligations that come with handling that data are just as broad. For example, companies can store or process affected data only when the associated individual explicitly authorizes it—and even then, GDPR puts firm limits on the length of time the data can be kept. The law also requires companies to erase a person’s data upon request and to report any data breaches to both authorities and anyone affected within 72 hours of a breach’s discovery.
3. Now’s the Time to Finalize Your GDPR Compliance Plan
I can’t provide you with legal advice—but generally speaking, I’d encourage you to review all services and contracts connected to third-party companies in order to confirm GDPR compliance. I’d also recommend consulting with your own legal counsel to figure out what GDPR requirements apply to you and how you can best address them.
May 25th is coming up fast! For more information on GDPR, you may wish to refer to the European Commission’s website.