The European Union’s General Data Protection Regulation (GDPR) will be enforceable on May 25, 2018, with consequences for global businesses far broader than those of the decades-old European Data Protection Directive it replaces. The GDPR will have a vast reach, applying not only to E.U. companies that process personal data, but also non-E.U. companies that process personal data in connection with offering goods and services to individuals in the E.U. It will likewise apply to companies, regardless of location, that process data in the course of monitoring or profiling individuals in the E.U. In this guest article, Kiran Raj, Mallory Jensen and Sara Zdeb, attorneys at O’Melveny & Myers, discuss five key steps companies should take now to ensure compliance with the GDPR’s transformative requirements, avoid significant penalties, and improve their overall data-management practices. See also “A Discussion With Ireland’s Data Protection Commissioner Helen Dixon About GDPR Compliance Strategies (Part One of Two)” (Mar. 22, 2017); Part Two (Apr. 5, 2017).