On May 25th 2018, the General Data Protection Regulation (GDPR) came into effect throughout the EU. This new data protection regulation should ensure a uniform data protection level for all citizens throughout the EU. For German companies, too, the new regulation requires action, since it gives rise to a range of new obligations. This means that as well as costing small and medium-sized businesses time and money to implement it, the GDPR brings about significant legal risks. However, at the same time, the change in the law should be seen as an opportunity to evaluate previous data protection measures in companies, make employees more aware of data protection requirements, and implement an effective data protection management system.