The General Data Protection Regulation (“GDPR”) has extraterritorial reach, meaning that many organisations based outside the European Economic Area (“EEA”) and the United Kingdom (in the case of the UK GDPR) must comply with GDPR obligations for personal data processing activities which fall within the territorial scope of Article 3 of