This is a European Union law first created in 2016. Its entire purpose is to deal with data privacy. It applies to any entity (business, government agency, etc.) that either collects data or processes that data. Even if an organisation is not within the EU, if it has EU data, then GDPR applies.