The European Union and the United States have very different privacy regimes in place. While US privacy laws tend to be sector- or topic-specific (e.g., the Gramm-Leach-Bliley Act), the European Union has an overarching privacy law—the EU Directive 95/46/EC (the “EU Directive”). The EU Directive provides for various restrictions and requirements for the processing of EU personal data by all companies, regardless of sector, and gives EU data subjects certain rights with respect to their personal data. The new European General Data Protection Regulation (GDPR) will replace the EU Directive in May 2018. This article describes five things that a company should be doing to comply with the GDPR.