GDPR will mean that companies like yours need to take a fresh look at how they deal with personal data.
Most personal data will fall under GDPR, which means you will need to take it seriously and become very familiar with it and its implications. GDPR will mean, for example, that:
Your company will need to be clear about getting consent to use a person’s data for just the specified purpose and not regard silence or inactivity as consent.
You may need to prepare to appoint a Data Protection Officer (DPO), and your company may require a lot of training so that everyone understands basic compliance. This should reduce the kind of human error that can cause a data breach.
Your data security policies may need to be changed and the changes promoted across the company. You will also have to develop highly effective systems for monitoring for data breaches. There will also be a need to design compliance into all data handling and processing systems, which could mean starting the analysis and planning now to ensure that you are ready for 2018.
You will have to develop effective systems that ensure fresh consent is gained before you alter the way you use data, and that all data on a subject can be easily and quickly deleted on request.
If your company provides data processing services for anyone else’s personal data, you will need to consider your liability and be compliant with the new EU regulations.
Only having to deal with one supervisory authority, rather than a different one for each EU state, should simplify matters for businesses like yours, although EU citizens will still be able to lodge complaints with the data protection authority of their choice.