A new study on enterprises’ readiness for the European Union’s General Data Protection Regulation has revealed that an overwhelming number of U.S. companies are totally unprepared for the legislation, which is due to come into effect next year.

When it comes into force on May 25, 2018, the GDPR will force companies to enact greater privacy controls over how EU residents’ data can be used. The law applies to all residents of the EU, and also covers their data if it’s used outside the EU for any purpose. Companies that violate GDPR could be subject to fines amounting to 4 percent of their annual revenue, or €20 million, whichever is greater.

However, it seems that most companies in the U.S. are likely to violate the GDPR if they don’t take action soon. Spiceworks Inc., a free help desk, network monitoring and information technology community that did the study, said that although most IT pros it surveyed were in favor of GDPR, the vast majority were not actively preparing for their organizations to achieve compliance. In fact, just 5 percent of U.S. firms indicated that they’ve begun preparing for compliance, compared with 40 percent in the U.K. and 28 percent in the rest of the EU.

In addition, Spiceworks’ study shows that just 2 percent of IT professionals in the U.S. believe their companies are “fully prepared” for GDPR, compared with 5 percent in the U.K. and 2 percent in the EU.

As to why companies are not prepared, Spiceworks said most faced a lack of resources and information on the steps needed to comply. However, in the U.S., some 43 percent of firms also indicated that they don’t believe GDPR will impact their organization, compared to just three percent in the U.K. and nine percent in the rest of the EU.

“Some organizations, particularly in the U.S., believe they’ll be exempt from the EU-centric regulations and potential fines, but a massive knowledge gap still exists around how GDPR will impact businesses,” said Peter Tsai, senior technology analyst at Spiceworks. “Considering GDPR impacts every organization in the world that collects data on EU residents, many IT departments might have to scramble next year to comply with the regulation if they incorrectly assume GDPR doesn’t apply to them.”

Those efforts are likely to be complicated however. Spiceworks found that over a third of IT professionals said the steps to achieve GDPR compliance are “unclear,” while others said their organization’s management failed to understand the impact of the regulations. In addition, a majority of respondents said they believe GDPR will increase complexity, make their jobs more difficult and require significant training.

“No matter if you live in the U.S. or the EU, it’s important to at least start researching how GDPR may (or may not) apply to your organization,” said Brian Sandison, a network and server technician based in Scotland. “IT departments have a duty to ensure management understands the requirements and implications of these regulations so they’re not caught off guard. Because if a company disregards the regulations and gets fined, the blame will more than likely be placed on the IT team.”

Spiceworks said it quizzed 779 IT professionals from small to medium-sized businesses and enterprises in the U.S., U.K. and the rest of the EU for its study.

Main image: Tomkie sFastyne/Flickr