The deadline to make sure your operations are General Data Protection Regulation (GDPR)-compliant is fast approaching. For CIOs, this could mean initiating massive overhauls of how their organizations collect, store and process the personal data of consumers. If you’re thinking, “GDPR doesn’t apply to me because my company is based in the U.S.,” think again. GDPR applies to any company that does business in the EU, and it’s likely the first in a trend of consumer data protection legislation.

Gartner predicts that by the end of 2018, over 50% of companies affected by the GDPR will not be fully compliant. It’s worth taking a closer look at what GDPR means for your business and seeking opportunity in the chaos.

What Is GDPR?

The EU’s General Data Protection Regulation will take effect on May 25, 2018. The regulation mandates that anyone handling EU consumer data must do so carefully and be able to demonstrate the measures they take to protect it. For example, this may include pseudonymization, anonymization and encryption. The goal of GDPR isn’t just compliance — it’s also to make sure organizations are held responsible in the event of a data breach. It’s also designed in the interest of consumer rights. When the regulation takes effect, EU consumers will have the right to get copies of their data, get information on how it’s being used and even to erase it.

Why is it so critical to get compliant? Your organization could be subject to massive fines, to the tune of 4% of an organization’s annual global turnover or up to $21.3 million, whichever is greater. So, if you are a global company, those fines could affect not just your European revenue but your overall revenue. Your organization may also lose the trust of the consumers they serve, especially in the event of a data breach.

Potential Pitfalls For Organizations

• They don’t know GDPR applies to them: GDPR applies to any company in or outside of the EU that processes or monitors personal data pertaining to EU citizens. If you only collect consumer data in the UK this might become a grey area in light of Brexit. However, it seems likely that the UK will uphold its commitment to the key tenants of GDPR. It still stands to benefit commercially from the harmonization of data and e-commerce practices.

It’s also important to take into consideration the way data flows across borders. Under GDPR, data transfers to any EU state will still be allowed because it’s viewed as secure. Transfers to European countries qualified as having “adequate” protections in place are still OK, too. Outside of these areas, binding corporate rules (BCRs) or EU model contracts will need to be used for transfers. According to a survey from PwC, Privacy Shield frameworks are the most popular solution for data transfers, as 77% of U.S. companies plan to use them for GDPR.