Enterprise companies only have a few months left to comply with the General Data Protection Regulation. A new study reports that many organizations still have a long way to go to comply with the new privacy protection rules.
A recent report from WatchGuard Technologies reveals companies are barely prepared for the European Union’s General Data Protection Regulation (GDPR).
According to a recent survey of 1,600 organizations, 37 percent responded saying they don’t know if their organization has to follow the strict requirements of the GDPR.
The GDPR, which takes full effect on May 25, 2018, requires every company that processes the personally identifiable information of EU citizens to implement and follow a firm set of structural and technical measures to better control and protect that data. The rules call for numerous requirements, including the mandatory notification of data breaches to data subjects, and the right of customers and employees to know whether their personal data is being processed, what that data is, and for what purpose.
Failure to comply with the GDPR could result in warning letters, regular data protection audits, or more severe repercussions such as paying fines as high as 20 million euros (about $24 million) or 4 percent of that organization’s global annual turnover, whichever is greater.
It’s also important to note the GDPR has a global reach. If your organization in the United States or elsewhere happens to deal with the personal data of an EU citizen, you must comply with the GDPR or risk the penalties.
Returning to the report: of the 37 percent of companies surveyed that don’t know whether the GDPR applies to them, around 14 percent said they do collect the personal information of EU citizens, and 28 percent said they weren’t sure whether they collect EU citizen data. Meanwhile, only 10 percent of organizations surveyed said they believe they are completely compliant with the GDPR. Around 44 percent, nearly half, said they don’t know whether they are close to compliance or not.
This isn’t much of a surprise considering many organizations are reactive rather than proactive. Too many companies choose to wait when a new law is passed, to see how it pans out, before they are forced to make important decisions that could affect their organization’s overall wellbeing. That would be a mistake.
Your company could wait and live in “willful ignorance,” or be proactive and take the necessary steps to ensure full compliance with the GDPR’s requirements before the deadline arrives in a few months. One thing your company must realize is that customers are no longer ignorant of cyber security issues. Data breaches and companies’ widespread disregard for the safety of personally identifiable information are in the news almost every day now. Consumers now understand their data must be held safely, and that it is the responsibility of large organizations to protect that information, regardless of the costs involved.
The GDPR may seem like a lot of work and effort, but with the current state of cybersecurity attacks and data breaches, these requirements are quickly becoming industry best practices for the safe handling and management of data. In other words, companies should be making these changes anyway, new legislation or not.