Earlier this week, Facebook announced it is rolling out a new privacy center to help the company comply with Europe’s GDPR regulation that comes into effect in just four months. The company’s announcement comes just ahead of next week’s Data Privacy Day, and is a reminder of how slow U.S. companies have been in preparing for the May 25 compliance deadline.

Many companies have taken little note of GDPR, believing it only affects companies in the European Union — or perhaps waiting for big fish like Facebook or Google to make a move first before investing in big audits of their own data. To be clear: If you’re part of a U.S. company that handles personal information of EU citizens, the GDPR applies to you. Failing to comply will result in significant penalties of up to €20 million or four percent of a company’s global revenue, whichever is greater.

GDPR is a team effort, and everyone within an organization has a responsibility to protect data and understand the main points of the GDPR. So, whether you’re a board member, C-suite executive, or part of the legal, IT, or security teams at your company, here’s what you need to know. The clock is ticking.

The players: Roles and departments

While GDPR is a team effort, effective compliance requires well-defined roles and a clear division of responsibilities, as well as strong partnerships between departments. There are three key players in GDPR compliance that every organization should be aware of:

  • The Controller: This person or office determines the purpose, conditions, and means of processing data, but they don’t actually do the…