The 25th of December will carry extra significance this year, with the day marking five months until the European Union\u2019s (EU) new data regulations come into force.\nWhile we are not recommending that those who process and manage data spend their Christmas locked up in a room devising a plan of how their business is going to comply with General Data Protection Regulation (GDPR), it is of utmost importance that you consider how your organisation is going to meet the requirements sooner rather than later.\nThe consequences for businesses of not meeting the new regulations are severe, with a fine of up to 4% of their annual global turnover or \u20ac20 million, whichever is greater. Businesses should also be aware that Brexit will not save them from having to comply with the requirements, as the UK government has already committed to introducing GDPR into UK law when the Brexit process is formally completed. Businesses with customers from EU regions would have had to comply with GDPR anyway, regardless of whether it was introduced into UK law.\nIn short, GDPR gives the following rights to individuals over their personal data:\n\nThe right to be informed\nThe right of access\nThe right of rectification\nThe right to erase\nThe right to restrict processing\nThe right to data portability\nThe right to object\nRights in relation to automated decision making and profiling\n\n[Information available from Information Commissioners Office (ICO)]\nFor large businesses, the issue of data management is covered in parts by their ERP system, which along with their CRM system, holds huge amounts of personal customer data, a term that will be expanded under GDPR to include information such as IP addresses, user ID\u2019s and location data.\nA lot of the rights outlined above by the ICO can be met by simply adopting a default culture of responsible data management within your business, a culture that relies on those tasked with processing and managing data always referring to best practice procedures. Sizeable businesses may find they would benefit from hiring a Data Protection Officer, whose sole role it would be to ensure data compliance. The cost of hiring a member of staff would be far less than the potential fine for non-compliance.\nThe right that poses most problems for businesses, particularly in relation to their ERP system, is the one that stipulates that individuals have the right to be forgotten. Regardless of whether the information is stored in a large enterprise management system, or an office filing cabinet, businesses must be able to prove that every record of an individual\u2019s data has been completely wiped. A tricky process and one that some businesses may not be fully confident they can complete with 100% certainty.\nLocating and erasing personal data within an ERP system may not be as straightforward as many businesses would like to imagine it is, with the likelihood being that personal data will be stored in a whole host of different tables and areas, meaning the process of finding the data is likely to prove time-consuming to say the least.\nWith GDPR though, time is of the essence when it comes to locating an individual\u2019s personal data. This is because GDPR now gives business only a month from the request date to present the data to the individual, a decrease in 10 days from the current allotted time-frame. Those businesses that have had substantial customisation work done on their ERP system may find the new timescale challenging. Businesses may find it beneficial to run a test in the months leading up to GDPR of how quickly they can locate an individual\u2019s data from within their ERP software. At the very least, businesses should draw up a plan of how they intend to go about the process.\nAdd in that businesses must now receive positive opt-in consent from individuals, record their consent processes, receive parental consent for those under 16, as well as meet a whole host of other requirements, then it becomes clear that GDPR is an issue that businesses must start to plan and adjust for as soon as possible.