This year the European Commission is taking a major step to standardise online privacy protections for its citizens. The General Data Protection Regulation (GDPR) requires businesses to comply with new rules for collecting, sharing, and protecting personal data within the borders of the European Union (EU) or when exporting information internationally.
The new rules that the GDPR will bring into force are intended to safeguard consumers. These protections include regulations on exporting personal data outside the EU, the introduction of Data Protection Impact Assessments (DPIAs) to mitigate risks of processing sensitive data, and liability for data breaches.
The world is generating data at an exponentially increasing rate. Ninety percent of all existing data was created in the last two years. The availability and breadth of this data need to prompt a fundamental rethink of how businesses manage user identity in the digital world. Identities can now be validated using adaptive access, which employs numerous risk analysis techniques.
Identity can be validated by checking things like the user’s device, IP address, and aspects of the user’s geographic location. By learning a user’s identifying traits, adaptive access controls strengthen prevention, detect risks, and work invisibly to the user, thwarting attacks that use compromised credentials.
The data necessary to achieve this degree of identity security is readily available, but under the GDPR the collection and storage of personally identifiable information must be conducted more carefully.
The protections of the GDPR pose significant challenges for companies, including steep fines for noncompliance. The regulation will take effect on May 25, 2018. Analyst firms are predicting that more than 50% of affected companies will not achieve full compliance by the end of 2018. The GDPR is also causing US-based businesses to rethink their European strategies. Chances are your company needs a plan of attack.
Business leaders need to act now to ensure they are compliant with the GDPR requirements by the 25th May. But where to start? Here are five practical steps that businesses of all sizes can follow to start the process:
- Determine whether the GDPR applies to your business
The GDPR applies to you if your organisation processes personal data for the offering of goods and services to the EU or monitors the behaviour of data subjects (citizens) within the EU.
- Appoint a Data Protection Officer (DPO)
Many organisations have created a broader role of a DPO to act as a pivotal guarantor of GDPR compliance. Their tasks can include informing employees of their data responsibilities, advising on impact assessments and ongoing performance, and cooperating with supervisory authorities. This is especially important if your business is a public body or conducts large-scale data processing activities.
- Prioritise and demonstrate accountability in all data processing
The GDPR puts a heavy emphasis on accountability. It’s not enough to adhere to the regulations; organisations must demonstrate an accountable approach and transparency in all decisions regarding data processing. There are two important qualifiers here. Firstly, this applies just as stringently to a business’s third-party suppliers. Secondly, implied consent is no longer sufficient; data consent must be explicitly gathered and recorded.
- Check which borders your business data crosses
Under the GDPR personal data transfers are only allowed within the 28 EU member states and in select countries deemed to have an adequate level of cyber security. Business leaders should make sure that data protected under the GDPR is not leaving its jurisdiction.
- Understand the new rights that citizens have over their data
By the end of May this year, citizens living under the umbrella of GDPR will have a set of brand new rights. Businesses need to be able to adequately accommodate these citizens’ rights should they choose to exercise them:
- The right to be forgotten: the removal of inaccurate, inadequate, irrelevant or excessive information about them from online search engines
- The right to data portability: the ability to obtain and reuse their personal data for their own purposes across different services
- The right to be informed in the event of a data breach
Regardless of how prepared you are for it, the GDPR is coming. It is part of a trend in Europe of governments holding businesses to stricter standards and closely examining their role and responsibilities in safeguarding society. Dealing with regulations is a perennial challenge for businesses around the world, but the end goal of a safer environment for personal data is for the benefit of all.