When the EU General Data Protection Regulation (GDPR) was finally agreed in April 2016, it seemed a long time until it would apply. However, as time races on, many companies are finding that there is a lot (for some, too much) to do.

The GDPR will apply automatically across all Member States from 25 May 2018. That includes the UK, notwithstanding Brexit. It will replace the 1995 EU Data Protection Directive. The GDPR is an ambitious piece of legislation which took over four years to agree. One of the key aims was to create a harmonised approach to data protection across the EU, with bolstered rights for individuals in this age of rapid technological advances.

The GDPR sets a high standard for personal data protection throughout the EU, imposes a raft of new (sometimes onerous) obligations on those handling the data, and also provides for a much more punitive enforcement regime. Given the scale of the task, many businesses have been working towards compliance for some time. However, various studies have shown that significant numbers of companies have not yet taken meaningful steps to prepare.