Those four small letters could have a huge effect on Britain’s businesses and organisations.
It has the potential to unnerve, unhinge and unspool those that do not take data protection seriously enough.
And according to last week’s report from the Information Commissioner's Office (ICO), it could be the public sector that will feel it most fiercely (it is currently the least compliant, according to the report).
But what is it really about?
In short, as of next May a data breach will not just mean a whole heap of embarrassment and reputational loss for Britain’s businesses and organisations.
It will also constitute a whopping great fine, and I mean whopping – 20 million euros (£17.5m) or 4 per cent of turnover, whichever is greater. Blimey. To put this in context, the current fine is £500,000 – so that is quite a rise.
At present, those feeling the pain most are the public authorities, because they are the ones most often in trouble, as the report highlighted, but this kind of penalty could be a game changer for many major organisations.
No doubt the very real threat to the green will mean that chief technology officers will be all over this like never before, but in my opinion it is still not being taken seriously enough by Britain’s reputation chiefs.
As part of the compliance, an organisation will have just 72 hours to report a breach to the regulator and its customers.
There will be no option of working out a plan on the quiet. As well as dealing with the reputational threat, there will also be the very real financial threat that will demand attention.
So what can they do about it? As with all potential crises, it is about the preparation.
Sure, they need to ensure that their data is locked up tight, but beyond that they need to prepare for the worst because hackers are, frankly, damn smart and even the tightest ship can be breached if the will is there.
But here is the thing: Being able to show the regulator that an organisation planned properly (in terms of comms as well as IT infrastructure) could result in the fine being considerably reduced.
So now I have got your attention. Anticipating, preparing for and having a robust plan of action could make all the difference if the worst happens.
It will help keep heads cool in a time of panic, but beyond that will also make those conversations with the regulator way easier when they are determining fates.
The ICO’s latest report is not easy reading, but perhaps it is the first of many wake-up calls for those that are yet to truly appreciate what GDPR could actually mean, reputationally as well as financially.
So if you are a comms director, it is definitely something you should be thinking about.
Put simply, we need to shift gears and start focusing on the PR in GDPR.
Gerry Hopkinson is the co-founder of Unity