By Seth Berman ( January 23, 2018, 12:11 PM EST) -- The European Union's General Data Protection Regulation takes effect in May 2018. Multinational companies have been working on implementing the GDPR for months, but a surprisingly large number of smaller companies are only beginning to realize that the regulation might well impact them as well. Indeed, GDPR applies to any company that offers services in the EU and processes personal data about EU subjects, even if those companies do not have a physical presence in Europe. In fact, the regulation's scope is even larger than it first appears as the EU definition of "personal data" goes far beyond the types of data traditionally thought of as "personal" under U.S. privacy laws (such as name, address, date of birth, medical information or financial information). Under EU privacy law, personal data also includes less personal-seeming details of individuals including web browsing history, email addresses, social media posts or IP addresses. Given the very significant fines companies can face for GDPR violations — the greater of 20,000,000 euros or 4 percent of global revenue — all companies that are subject to GDPR must take immediate steps to comply....