This article by Alex Wall was originally published on the Compliance & Ethics Blog. Click here to view the original version of this article.

In May of 2018, Europe’s General Data Protection Regulation (“GDPR”) will take effect throughout the European Union. While this may seem far off, the work ahead of companies dealing in international data exchange is substantial, and the clock is already ticking.

This broad legislation will set data protection standards for the EU and brings with it significant consequences for companies that engage in the trade of information and commerce across the Atlantic and the globe. The GDPR is pushing a sea change in international privacy law as countries work to reduce compliance risk on transborder data transfers from the EU by rolling out legislation designed to be “adequate” under EU law.

The sweeping legislation changes are accompanied by very real consequences. A new driver behind the flurry of compliance activities among companies with business in Europe is the possibility that fines that could reach four percent of global annual revenue for an entire conglomerate. To understand the risk exposure, companies are gearing up to prepare for GDPR, and many are in the process of assessing their compliance with the upcoming regulation in light of the potential maximum exposure.

Surveys Indicate Companies Are Lacking in Preparation and Confidence

In a Dell-sponsored global survey of large companies with more than 10 percent of their customers in Europe, only one in three companies are prepared for GDPR today, and 97 percent don’t have a plan to prepare for GDPR.

Just within the UK, France, and Germany, 91 percent of respondents to a State of European Data Privacy Survey from Symantec expressed concerns about the ability to comply, but only 22 percent prioritize compliance in the next two years. Kevin Isaac, SVP at Symantec, expressed his thoughts that companies are underprepared and under-preparing: “There is a significant disconnect between how important privacy and security is for consumers, and its priority for businesses. The good news is there’s still time to remedy the situation—if firms take immediate action.”

In a Baker & McKenzie report comprising the results of a survey of privacy professionals at the IAPP Global Privacy Summit 2016, 80 percent of the respondents felt they understood the major requirements of the GDPR, and 84 percent anticipated GDPR would impact their organization–but nearly half of respondents indicated they don’t have the tools to ensure compliance, or could only purchase the needed tools at significant cost. In fact, around 70 percent of the respondents anticipated additional budget or effort will be needed to comply with the new requirements by investing in tools.

Preparing for GDPR by Implementing Automation in Incident Response Today

Companies using automation tools in incident response for HIPAA, GLBA, and state breach law compliance today are already reducing risk exposure, saving time, and preparing staff and systems for the GDPR.

Click here to continue reading on the Compliance & Ethics Blog.