Security: Prepared for the EU's New Data Protection Regulation?

21.05.2012

Under the proposed legislation, organizations would be required to prove that they undertake regular data protection audits and privacy impact assessments. Additionally, all private-sector companies with more than 250 employees, all private-sector companies whose core activities involve regular monitoring of individuals, and all public authorities would be required to formally appoint a data protection officer (DPO).

"The data protection officer must be empowered by the organization to act as an independent assessor of its compliance with data protection laws and report to the board of directors in doing so," say Bäumer and Ostermann. "The E.U. regulation specifically requires the data protection officer to coordinate data protection by design and privacy impact assessment initiatives and to be responsible for data security initiatives generally. Responsibility for training staff is also mentioned as important. In short, the data protection officer must ensure that his or her organization has adopted good data governance policies and procedures."

The proposed legislation would also oblige organizations to notify data protection authorities of a data breach within 24 hours of discovering it, or to explain to the authorities why it is not possible to provide full details of the breach within that period.

To give the new legislation teeth, the E.C. has proposed hefty fines for non-compliance. One provision would allow national supervisory authorities to issue a warning letter for a first offense, but for serious violations (such as processing sensitive data without the individual's consent) those authorities could impose penalties of up to €1 million or up to 2 percent of a company's global annual turnover.

Bäumer and Ostermann recommended a number of steps that organizations can take to prepare themselves for compliance with the new regulations.