Scroll to the bottom to watch Part I of “GDPR Explained.”

May 25, 2018 should be circled, circled again and circled once more for good measure in bright red marker on every marketer’s calendar. It’s the day the General Data Privacy Regulation (GDPR) goes into effect. After that, any company that processes European personal data—even if it does not exist in Europe itself—can face massive fines and even jail time if it’s found to be in breach of the law.

According to Forrester’s predictions, 80 percent of GDPR-affected firms will not comply in time and risk shelling out as much as €20 million or 4 percent of global revenue for the year, whichever is higher. Of those companies making an active effort to comply with the new law, 77 percent expect to spend more than $1 million on completely overhauling the way they handle data.

User Rights

On a fundamental level, GDPR completely shifts the legal status of people’s personal information. As of May 25, EU citizens will legally and permanently own any identifiable information about themselves, such as race, sex, location—just to name a few. Any company that wants access to their information will have to ask for consent in clear and plain language and must specify exactly how it will use that information.

In essence, companies will only be able to borrow personal information. GDPR introduces a policy known as “the right to be forgotten,” meaning that if a person withdraws their consent, the company must completely erase any and all of their personal data “without undue delay.” Furthermore, people will have the right to know exactly what about them is being collected, how it’s being used and how long the company will store the information.

And because it’s the people who own their data, companies can’t say that any information they have on someone is proprietary. If a user asks, a company is required to give them a copy of its records and has no recourse if that user chooses to share that information with its competitors.

Company Responsibilities

Not all of GDPR’s provisions center on reacting to the changing wishes of EU citizens—large portions of the law establish concrete guidelines for how companies can interact with the data that they get their hands on, all of which value security and privacy over all else.

A central tenet of the law is called “privacy by design,” which mandates that companies take data privacy into account at all stages of any project that involves personal information. This means that firms will not be allowed to tack on data privacy features to existing systems; they will have to rebuild them from the ground up with data protection in mind.

But even with the best security systems, breaches can still occur due to circumstances outside of a firm’s control. To account for this possibility, GDPR requires companies to take a highly proactive approach to their data security: they are permitted to collect only the information they need and give access only to those people who need it. Additionally, companies must delete personal data as soon as it stops being useful for the purpose they originally obtained user consent for.

To ensure compliance, companies will also be required to keep detailed records on the types of data they collect, what they do with it and what systems they use to handle that data.

In the event of a data breach, companies must notify GDPR regulators within 72 hours, and in severe cases will have to inform every person whose information was exposed. If the company is found to be at fault, any other organization that entrusted it with personal data can also be penalized.

Data Protection Officers

For companies that collect data on a large scale or process information deemed to be “special” under GDPR—information about medical or criminal records, union membership, religious or political beliefs, race, ethnicity, genetics and biometrics and sexual activity and orientation—Data Protection Officers (DPOs) are mandatory.

DPOs are specialized attorneys intended to be internal watchdogs at data-processing companies. GDPR requires DPOs to educate company executives on what they need to do to stay compliant and, in the case of intentional disregard for the law, blow the whistle on offenders.

These attorneys don’t necessarily need to be in-house. If a DPO can feasibly do their job off-site or as a consultant, companies can contract out the position to a qualified freelancer.

Companies that need to hire DPOs will also be required to conduct something called a “Data Protection Impact Assessment” (DPIA) on the information they process. If a security breach would likely cause a “high risk” to those whose data has been collected, firms must work individually with GDPR regulators to ensure that the information stays safe.

The General Data Protection Regulation is a landmark bill, the first update to the EU’s privacy laws since 1995. Though the full scale of its effects is unknown, organizations such as the Interactive Advertising Bureau have already established industry standards and best practices for those businesses seeking to stay compliant.