Article 35, impact assessments: Companies must conduct data protection impact assessments to identify risks to EU citizens. Those assessments also must describe how the company is addressing those risks.
Articles 37, 38 and 39, data protection officers: Some companies must appoint a data protection officer (DPO) to oversee data security strategy and GDPR compliance. A company is required to have a DPO if it processes or stores large amounts of EU citizen data, processes or stores special categories of personal data, regularly monitors data subjects, or is a public authority. The International Association of Privacy Professionals (IAPP) estimates that 28,000 DPO roles will need to be filled.
Article 50, international companies: International companies that collect or process EU citizen data must comply with the GDPR.
Article 83, penalties: Companies may be fined up to €20 million or 4 percent of global annual turnover, whichever is higher.