By Julia Fioretti and Samantha Koester
BRUSSELS (Reuters) - Businesses, regulators and governments have just over 100 days to get ready for the biggest shake-up of personal data privacy rules since the birth of the internet, the European Union executive said on Wednesday, in a reminder of how much work still needs to be done.
Agreed over two years ago, the General Data Protection Regulation (GDPR) enters into force on May 25 and gives members of the public more control over how their data is used as well as requiring businesses to report data breaches within 72 hours.
It drastically increases the penalties for non-compliance, which can go as far as 4 percent of global annual turnover or 20 million euros ($25 million), whichever is higher.
"We need modern rules to respond to new risks, so we call on EU governments, authorities and businesses to use the remaining time efficiently and fulfill their roles in the preparations for the big day," said Vera Jourova, EU Justice Commissioner.
The European Commission released guidance for governments, businesses and regulators to prepare for the new law and noted that only two member states had adopted the relevant national legislation.
It noted that while large companies "are actively preparing for the application of the new rules, many SMEs (small- and medium-sized businesses) are not yet fully aware of the forthcoming data protection rules."
Facebook's Chief Operating Officer Sheryl Sandberg said on Tuesday that the social media giant would make it easier for users to manage their data by bringing all the core privacy settings into one place.
"Some companies still haven't really understood the amount of changes that are required because of GDPR or they still think it doesn't really apply to them," said Monika Kuschewsky, a partner at law firm Squire Patton Boggs.
"That's especially a problem with non-EU headquartered companies that are not in the consumer-facing data business. They are underestimating the sea change that GDPR brings about."
The GDPR will apply to any company offering services in the EU, regardless of where it is headquartered.
(Reporting by Julia Fioretti; Editing by Hugh Lawson)