Why does this topic matter to organisations?
Processing of personal data is lawful only if, and to the extent that, it is permitted under EU data protection law. If the controller does not have a lawful basis for a given data processing activity (and no exemption or derogation applies) then that activity is unlawful.
What types of organisations are most affected?
The nature of an organisation’s business, and the sector in which it operates, makes no difference to that organisation’s obligation to comply with EU data protection law. Hence, all types of organisations are affected.
What should organisations do to prepare?
Having a lawful basis for each processing activity is critical to an organisation’s ability to comply with EU data protection law. Therefore, organisations should: