We are days from the implementation of the EU General Data Protection Regulation, the most significant international development in data privacy law for more than two decades - and surveys are showing that a vast majority of businesses remain unprepared.
For businesses outside Europe, the issue is particularly acute. Local lawyers may be unfamiliar with the extra-territorial reach of GDPR, but ignorance will be no defence. Legislation that has an effect beyond a country’s borders is not new: the US FCPA, UK Bribery Act and many export control and sanctions regulations have long had a broad and widely enforced reach.
Organisations involved in collecting data from or sharing data with Europe need to be particularly aware of GDPR - it applies to companies offering goods or services to EU residents or monitoring their behaviour (including by way of online profiling). Equally, we are seeing an indirect impact as European companies impose higher data security and privacy standards on their international business partners.
GDPR will bring higher sanctions and heavier scrutiny on data governance - and everybody needs to be ready.
A recent survey conducted by Sage found that 91 percent of American businesses lack awareness of the details of the GDPR, while 84 percent don’t understand the GDPR’s implications for their specific business.