We are starting to approach the one-year anniversary of the European Union's General Data Protection Regulation (GDPR) taking effect and, so far, most companies have been spared the worst the new law has to offer. Specifically, that would include fines of up to €20 million or four percent of the prior year's worldwide revenues, whichever is higher, what the GDPR refers to as "worldwide annual turnover." This is expected to change, however, as cases wend their way through the courts, precedents are set and the law matures.
The way companies are reacting varies depending on their exposure. Obviously, EU-based companies have little choice but to have their houses already in order, and many were already somewhat compliant due to existing EU regulations. Companies outside the EU that process data about people in the EU but have little presence on the continent have a choice: They can wait and see what happens as the GDPR winds its way through the courts and then decide whether the cost of compliance is worth it, or, as some already have, pull out of the EU market altogether. Or, of course, they can take their chances that they will be just one tree in the forest, invisible to the regulators so long as they have no serious breaches. That approach has potentially serious flaws. Given that data privacy regulations are gaining steam all over the globe, none of these options is considered a best practice by those advising firms on GDPR compliance.