Organisations are running out of time to get ready for the biggest shakeup in European data protection rules for decades.

The European Union's new General Data Protection Regulation (GDPR) will become enforceable in May and will impact organisations across a wide range of industries and countries.

The potential consequences are severe: any business found in breach of the GDPR can be fined up to 4% of its annual revenue or €20m, whichever is greater.

Organisations must act now if they want to avoid potentially eye-watering fines. Here are some important facts about the GDPR and some top tips for helping your organisation to get GDPR ready.

Does the GDPR apply to your organisation?

The GDPR will apply to any organisation that is established in an European Economic Area (EEA) member state or a place where EEA member state law applies. It will additionally apply to any business that offers goods or services to consumers within EEA countries, or that is monitoring individuals within the EEA, such as by using internet browser cookies.

Will the GDPR still apply to UK-based organisations after Brexit?

Yes. The UK will still be a member of the EU when the GDPR takes effect, so the regulation will apply directly in the UK from May. In addition, the UK Government has specifically committed to keeping the GDPR post-Brexit, and will supplement it with a new Data Protection Act, which is currently in draft form.

Will the fines really be that severe?

Yes. In recent years, the Information Commissioner's Office (ICO) has shown itself to be ready and able to act against companies where marketing practices and data security breaches infringe the terms of the existing UK Data Protection Act. Carphone Warehouse was fined £400,000 in January 2018 for systemic failures to protect personal data of its customers and employees. Talktalk Telecom Group has been hit with fines totalling £500,000 in recent years. Under the GDPR, the ICO will be both enabled and motivated to impose stronger penalties.

But it's not just about the fines: sloppy handling of an individual's data will bring the threat of damaging litigation, while headlines about data loss or security breaches can hurt an organisation's reputation in the eyes of its customers, partners and employees.

Five tips for getting GDPR ready

1) Carry out an internal audit to assess what personal data your organisation is holding, how it is being used and with whom it is being shared. Personal data cannot be collected and processed without a lawful basis for doing so. 'Processing' has a very broad scope – essentially, anything you can do with data, short of dreaming about it.

2) Update your policies and privacy notices. While privacy notices have always been required, the GDPR includes a list of new information that must be included under the new 'right to be informed'. For example, a data controller must now make clear what lawful grounds it is using to process an individual's information, and how long the information is kept.

3) Consider where data protection risks are most likely to appear within your organisation. HR and marketing, for example, both routinely hold and process personal – and potentially sensitive (so-called 'special category') – information.

4) Review the security of your IT systems, including any devices that employees use to store information, such as USB sticks. But GDPR risks do not necessarily end at the firewall. Under the new regime, responsibility for data security may extend far beyond an organisation's perimeter and become a factor in arrangements with third parties, such as suppliers with which the organisation needs to share data.

5) Train your staff – all of them. Staff awareness is a crucial requirement of the new regulation. Research has also shown that 80% of all data breaches are down to human error.

Felicity Burling is an associate at Holman Fenwick Willan (HFW), which has launched an online training platform and mobile app to help organisations prepare for GDPR.