GDPR is a major piece of European Union legislation that regulates the processing of personal data and could significantly impact businesses regardless of their location. The regulation defines "data subjects" as identified or identifiable natural persons and outlines two main roles: controllers and processors. Controllers determine the purposes and means of personal data processing for their own business needs, while processors act on behalf of controllers and only on their instructions. Businesses must map out what personal data they process to determine whether they are acting as a controller or a processor, because their obligations under GDPR depend on these roles.