Compliance is key
The territorial scope of data protection legislation is very broad. In addition to EU-based companies, the GDPR applies to anyone actively offering goods or services to citizens in the EU, as well as to non-EU companies that monitor the behavior of individuals in the EU.
The practical implementation of the various GDPR requirements (appointment of a Data Protection Officer, internal record-keeping, drafting of privacy policies and data transfer or data processing agreements, mapping of data flows, etc.) is challenging. Achieving compliance often requires business processes and company practices to be re-examined and redesigned. Close collaboration between legal, HR, IT, sales, etc. is often also crucial.
Data protection compliance can, on the other hand, be seen as a business opportunity, presenting a competitive advantage for companies doing business in the European Union. Where personal data have become a global currency, the secure and responsible handling of such data has become key.
In addition, as compliance goes hand in hand with enforcement, companies should also be ready to handle complaints from individuals, disgruntled employees or even competitors. Being able to adequately communicate with the authorities, and to defend your case in the context of an investigation or enforcement scenario, should be an indispensable part of any compliance project.