This article uses content pulled from a white paper produced by American Express Global Business Travel, APAC.

The countdown clock on the Global Data Protection Regulation (GDPR) website says it all: Time’s running out for companies to be in compliance with the EU’s new regulation designed to protect consumers’ personal data and how it’s used. The new law, which replaces a data privacy directive adopted more than 20 years ago, comes into force on May 25, 2018.

Not only companies based in EU member countries must comply with the new rules. Under Article 3 of the GDPR, any company in the world is subject to the new law if it processes personal data of an individual (aka “data subject”) who resides in the EU when the data is accessed. That applies to businesses that offer goods or services to EU citizens or monitor their behavior.

Firms of any size found to be noncompliant can be fined up to €20 million or 4 percent of its annual global turnover, whichever is higher.

To help companies avoid getting hit with a nasty penalty, here are some steps to take to work toward compliance.

Understand what “personal data” entails

To comply with the GDPR, it’s first important to understand what “personal data” actually means. Under the scope of the new regulation, personal data is any information that can directly or indirectly identify a data subject. In addition to information traditionally considered to be identifying (for example, a name, email address or passport number), GDPR clarifies that unique identifiers like IP address or a mobile device’s ID are also personal data.

Create a data inventory

After understanding what constitutes personal data, the next step is to create a complete and accurate data inventory that determines where personal data resides, how it’s secured and if it’s been obtained and being used meeting the GDPR guidelines.

Some questions to consider when compiling the information: How and why do you collect and store personal data? How long do you retain it? What security measures are in place to protect data? Do you have the necessary consents required by the GDPR and were data subjects informed of the specific purpose for which you’ll be using their data?

Demonstrate accountability

The principle of “accountability” is the most significant change under the GDPR. Companies mustn’t simply comply with the new law — they need to be able to prove compliance.

All regulated companies will have to maintain a written report with the details of all their data processing activities, known as a “record of processing.”

Companies working to become GDPR compliant should focus on developing a robust accountability framework that allows them to document, measure and communicate data processes, including keeping records of all personal data, proving consent was given by data subjects, showing what the data is being used for and how it’s being protected.

Ensure transparent data processing

Businesses also must ensure they are effectively and transparently communicating their data processing activities to data subjects. That includes having a complete, concise and easy-to-read privacy notice so consumers can understand how their data will be used.

The privacy notice also must describe how personal data may be transferred within the business, to third parties and to other jurisdictions, and how data subjects can exercise their rights.

In addition to a transparent privacy notice, GDPR requires that businesses make sure data subjects understand how their data is used by building privacy requirements into their products and services.

Keep international transfers compliant

Firms will need to understand the GDPR’s strict requirements around international transfers, especially for services like travel that cross borders. EU data must continue to be protected to an EU standard anywhere in the world where it is stored, accessed or processed, both within the business or shared with third-party processors.

Companies can achieve compliance through several mechanisms, including by adopting EU-approved Binding Corporate Rules or executing a set of EU Standard Contractual Clauses.

Appoint a data protection officer

Under the GDPR, many companies will need to appoint a data protection officer (DPO) who is responsible for overseeing the business’s data management systems and monitoring compliance with the GDPR. Some firms will outsource this role to a qualified external expert.

Effectively triaging data breaches

The new law also requires mandatory breach notifications when an individual’s data is compromised. The relevant country’s data protection regulator must be notified within 72 hours of the firm becoming aware of the breach. In some cases, the data subjects also must be informed.

To meet this obligation, businesses need to develop a system that lets them identify and prioritize potential breaches of privacy as well as triage complaints and reports.

Effectively manage data protection risk in the supply chain

Under the new regulation, companies also will need robust risk management processes in place for managing third-party relationships and assessing the risks to which they’re exposed.

Any business with European partners must understand its data protection obligations, especially any contractual obligations they apply to the way personal data is handled. European businesses will require its partners operating outside the EU to put new mechanisms in place to ensure any personal data transferred between them meets the GDPR’s requirements.

Partner with GDPR-ready suppliers

Businesses must have confidence that other firms to which they transfer personal data — including travel partners that handle sensitive data — also meet global privacy regulations.

Plus, as the only TMC that operates under Binding Corporate Rules, a European member state authority level certification privacy program that few companies in the world have achieved, privacy and data security are at the heart of everything we do.

To learn more about the GDPR and how to prepare, download our report by filling out the form below.