Q4 Open Security Briefing

RISK AND REGULATION

CDS Q4 OPEN SECURITY BRIEFING

RISK?

IT'S OK TO ACCEPT RISK.

...BUT

IT'S NOT OK TO IGNORE RISK.

SECURITY

BY THE NUMBERS

LOGS COLLECTED

SECURITY EVENTS

INCIDENTS

PRIVACY SHIELD

THIS IS JUST THE BEGINNING

GDPR

Who are we?

Do you offer services to people in the EU? Do you monitor the behavior, including online activity, of people who reside in the EU? Do you process personal data on EU residents?

Are you a data processor or a data controller?

What do we have?

Early in Q1 a survey will be coming from Omnicom Legal. It will ask questions about what kinds of data you have, where you get the data from, where you store the data, and how it is transferred. Cross-border data flows are vital to document.

Find a DPO

The EC strongly advised finding a certified professional with a CIPM, CIPP/E, or similar. The DPO will assist in ongoing compliance efforts and needs to be connected to all in-scope business activities. This can be a person, or provided "as a service". Awareness campaigns and architectural decisions are integrated through the DPO.

Awareness = accountability

Integrate privacy with your business
Businesses will need to demonstrate awareness and implementation of appropriate mechanisms, including breach response, privacy impact analyses, cross-border transfer mechanisms such as model clauses, and technical mechanisms to ensure data subject consent and registration in transparent terms.

Prepare

Subjects will exercise their rights
Data subjects have a wide variety of rights under the GDPR. They cannot consent to give up these rights. There is no longer such a thing as opt-out only (e.g. tacit approval is insufficient). You need documented mechanisms and procedures to ensure that inquiries and requests are processed in a timely manner; this must be auditable.

4% global revenue

But what if...