Organizations worldwide have new EU data privacy rules they must follow or face serious consequences. The new EU General Data Protection Regulation (GDPR), which came into force in May 2016, will carry EU data protection law forward, well into the next decade, and will impact almost every EU-based organization, as well as every organization doing business in the European Union, even if based abroad.
The GDPR introduces major changes to the compliance burden organizations must bear. It requires greater openness and transparency, imposes tighter limits on the use of personal data, and gives individuals stronger rights that they can enforce against organizations. Satisfying these requirements will be a serious challenge for many organizations.
Compliance with the GDPR must occur by a May 25, 2018 deadline. An organization's failure to meet this deadline may result in enforcement action under the GDPR, including possible fines up to the greater of €20 million or 4 percent of annual global turnover.
Early planning is essential in order to meet the deadline. Organizations will find it very difficult to bring their business operations into compliance with the GDPR ahead of the deadline unless they take its requirements seriously and commit sufficient time and resources to satisfying those requirements. Because the GDPR affects almost all of the ways in which an organization processes personal data, the scale of this task should not be underestimated.