7 Changes to Expect When The GDPR Goes Into Effect
April 20, 2018
The EU regulations will affect global companies on May 25, 2018.
More than two years ago, the European Union passed sweeping user data protection measures. The General Data Protection Regulation (GDPR) will go into effect on May 25, 2018 and is going to affect data controllers globally. Here’s what you need to know to prepare for the legislation.
The GDPR is designed to create firmer regulation of Europe’s data privacy laws, protect citizens, and change how companies approach data privacy. The Data Protection Directive (also known as Directive 95/46/EC) precedes the GDPR. The EU instituted Directive 95/46/EC in 1995. It was meant to regulate how data is collected and used, but was difficult for the EU to enforce.
Unlike a directive, a regulation goes into effect for all Member States on a specific date. Directives give Member States a goal but leave them free to decide how and when to take measures to reach it.
The Data Protection Directive was non-binding, but GDPR standards will be binding and mandatory when the regulation goes into effect. These regulations both strengthen and change the guidelines provided by the Directive.
Extended Jurisdiction
One of the biggest changes is that the GDPR has an extended jurisdiction. This means the regulations apply to all companies that handle data within the EU, not only to those located in EU member countries; organizations in the United Kingdom and the United States are included. The GDPR will affect any data handlers that offer services, monitor behavior, or offer goods to EU data subjects. The regulations also apply regardless of whether data subjects pay for the service.
Increased Fines
The GDPR also implements increased fines for organizations that do not comply with the regulations. The worst infringements can draw a fine of 4 percent of annual global turnover or €20 million (just under $24.7 million USD), whichever is the greater sum. The legislation institutes a tiered penalty system, but at any tier, infringement will mean a hefty price tag.
Clear Terms of Consent
The third major change is that companies are not permitted to use misleading terms of consent. The GDPR bars companies from couching terms of consent in difficult-to-understand language. If organizations are asking to use a person’s data, those terms must be accessible, and users must be easily able to withdraw consent.
New Security Protocol
In the event of a security breach, organizations must notify subjects of the incident without undue delay. The Data Protection Agency (DPA) also requires organizations to notify the DPA within 72 hours of the breach.
Right to Access
The legislation also grants a right to access. Subjects have the right to know what personal data a controller processes about them. Additionally, data controllers must provide that data to subjects for free upon request. Subjects can also request that controllers erase their data. This would force a controller to delete the personal data, end its dissemination, and in some cases halt third-party processing of it. Conditions for erasure include the data no longer being relevant or the subject withdrawing consent.
Data Protection Officers
Under the GDPR, large companies or organizations must appoint Data Protection Officers. This mandatory appointment applies to companies that handle large quantities of data. Data Protection Officers will ensure that companies are complying with the GDPR and any other data privacy laws. They will also advise organizations and help them understand the regulations.
Privacy By Design
One of the main things legislators hope to institute under the GDPR is privacy by design. This means that data protections should be part of a site’s design at the outset, rather than included as an add-on feature.
Though these regulations present new challenges for companies, they may also present new opportunities. Companies that are able to use the GDPR as a way to demonstrate transparency in their practices may find that they build stronger relationships with their users.