On May 4th the European Parliament published the final text of the General Data Protection Regulation (GDPR), and the rules of the game have significantly changed. First, the GDPR changes the underlying approach to data protection law, with a new emphasis placed on accountability and risk-based approaches. Second, significant changes have been made to the obligations of “controllers” and “processors”. These include specific criteria for compliant privacy notices and vendor management contracts. Third, enforcement is now a very real, and potentially risky, thing. With the possibility of administrative fines of up to 4% of a business’s global gross revenue, private rights of action by individuals, and non-profit privacy watchdog groups having the right to complain about a company’s privacy practices directly to the local Data Protection Authorities, compliance with the GDPR will now be one of those risks that any business that touches EU data will need to consider seriously.