CIOs and other IT pros should not fear the new European data protection rules that are set to take effect on May 25—just a few months away.

Sure, the European Union's new General Data Protection Regulation (GDPR) has sparked a ton of work and challenges to tackle but, to torture the words of Samuel Johnson, nothing concentrates the mind like a good crisis. And a challenge it has been, some might even say a crisis, for the many, many companies that collect, store, process, and use customer and other personal data. Urgency spurs action.

Generally, the rules give European individuals more say over what happens with their data than the EU's current data protection provisions. In some cases, individuals can also rescind access to their data as needed and move their personal information from one repository to another. GDPR basically takes the "right of erasure," also commonly known as the "right to be forgotten," to a new level. So, if you do not want your personal information "out there," you have more options when it comes to websites, social media and others handling your data.

It also clarifies what constitutes personal data in that it recognizes that online identifiers such as an IP address could potentially identify individuals.

With that in mind, here is a reminder of some things CIOs may want to think about as the May 25 deadline approaches.

First, the basics: This may be a European regulation, but it broadly applies to any company that collects data on even one customer or client in Europe. So that means virtually everybody.

Second, there will be penalties for non-compliance, potentially significant penalties. As in, failure to comply with GDPR could potentially cost a company up to 4 percent of its global annual revenue or 20 million euros (about $24.5 million), whichever is greater.

Did I mention focus? A 4 percent fine could mean the difference between profit and loss for the bulk of the world's retailers.

Employee data counts

Now for some of the less talked about aspects of GDPR.

First, most of the noise thus far has been around the real and potential impact of these rules on consumer-oriented companies like Facebook, Google and AdRoll, which offers ad-targeting services. But don't forget that business-to-business companies also store a ton of personal information about their own employees, contractors, and partners.

This is something Constellation Research analyst Holger Mueller says must be hammered home to any company with a human resources department (i.e., all of them).

All of that personal data needs to be safeguarded.

But things are not always black and white here. GDPR is awash in nuance. For example, when it comes to hiring and recruiting there is a gray area between consumer and employee data. "Once someone applies for a job on a web site, the lines blur," Mueller says.

In addition, while GDPR lists requirements for erasing personal data, for example when it's no longer needed, it also enumerates several exceptions to those rules, which are described in "The GDPR Guy" blog and podcasts.

There will be times when legal requirements demand that some data, even data a person may want removed, must be retained, for example. No one said this would be easy.

Most everyone can agree that a person's Social Security number, home address, and birth date are personal data, but GDPR raises the prospect that an IP address, even a dynamic IP address, of a person's PC can be considered personal information.

Beware of personal data stashes

For many companies, the biggest risk is not necessarily in their centralized systems but in the myriad spreadsheets and word processing files that sit on personal computers or workgroup file servers. The very popular tools that led the PC revolution could now pose one of the thorniest issues in data security.

Curt Monash, president of Monash Research, summed it up: "Always remember—Excel is a data store, and it's usually one of the least secure ones."

Speaking recently at an Oracle conference in New York, Mark Frissora, CEO of Caesars Entertainment, said that until recently his company relied on 2,000 spreadsheets to close its books but has since moved all of that work to a more centralized accounting system. That's about 2,000 fewer points of vulnerability. [Disclosure: I am an Oracle employee.]

Some experts say that even in the wake of the massive Sony data breach three years ago, in which a spreadsheet holding salary information of thousands of Deloitte consultants was exposed, some companies are still struggling to get a good handle on what data is out there somewhere on their network. Now would be a very good time for them to look into data loss prevention technology, because ignorance is definitely not bliss in this case.

This is not a knock on spreadsheets. It's just that the same applications that give end users so much power often end up creating a hairball for those tasked with keeping data secure. And the issue is magnified if users don't keep their software up to date and patched.

Prep but don't panic

Those who study up on the GDPR's data security rules say one problem is that what most people refer to as a set of rules is really more of a framework with lots of wiggle room and not a ton of prescriptive detail.

In general, the idea is to make companies assess their vulnerabilities and make good faith efforts to mitigate them.

And those scary fines? Many security pros acknowledge the prospect is sobering, but say it also presents an opportunity for companies to embrace security and mitigate their risk exposure.