With such a broad mandate, and severe penalties for noncompliance, Clawson warns that organizations should be prepared not only to hire a DPO, but a staff to help the DPO carry out his or her duties.

"The implication is there's a staff behind this person," he says. "Right now it looks like they're going to impose a whole bunch of controls that are apparently going to be legislated with a whole bunch of penalties. There's going to be some layer of staff that goes with that on top of the technology purchases and the documentation required."

The new data protection laws have yet to take final shape, and most sources agree they won't be implemented any sooner than 2014. But Clawson says that shouldn't stop organizations from beginning their planning now. He suggests two steps organizations that do business in the E.U. can take right now to prepare.

"You've got to be watching what's echoing through the chambers in the E.U. and what you're hearing about possible changes in legislation," he says. "And you should begin looking at the strongest examples of data protection laws that currently exist within the E.U., like Germany and France, and try to measure yourself against those. I can't imagine it gets much worse than that."