Can you answer the 20 million euro question?

This post originally appeared on the Caserta Data Blog.

The new GDPR regulation will change the way organizations worldwide handle data.

Be honest with yourself for a just a moment. I’m going to ask you a few questions and if you can answer positively, then your organization is in good shape. If not, then this article is for you.

Download GDPR white paper>>

If Anna Schmidt, a customer from Berlin, would contact your organization and request to be forgotten and her data expunged, could you actually do it? Would you really know where all of her data is located in order to delete it? Most likely her data is found in multiple data sets across an organization and you may not even be aware of all of them. How could you afford Frau Schmidt the right to be forgotten, as granted in the GDPR, if you don’t know where all her data is in the first place?

GDPR protects people’s privacy.

The GDPR, or General Data Protection Regulation is a new set of laws that require organizations to protect the data and privacy of EU citizens. This affects companies both in the EU and those worldwide with data on EU citizens including employees, clients and prospects. Companies in the United States with users, like Anna Schmidt in Germany, would need to comply with the new regulation—and the penalties for not complying are severe.

Companies outside the EU that wish to continue to have data on EU citizens and do business with them will need to have a rep in the EU. According to the regulation: “Non-Eu businesses processing the data of EU citizens will also have to appoint a representative in the EU.”

GDPR requires that you allow people to exercise the right to be forgotten, but that’s not all. For all of your marketing campaigns and email lists can you clearly demonstrate “proof of consent” to be marketed to, which is stored in a way that makes it easy to access. What if Anna Schmidt says that she never consented to give you her data in the first place. Could you prove it?

GDPR compliance is not a trivial task.

Before Frau Schmidt wants to be forgotten by your firm, she may first want to see what information you have on her. Is your business able to package all of her data and transfer it to her on-demand? Not such a simple feat.

If you’re unsure of the status of any of the previous three questions you’re not ready for the GDPR and you’re not alone. Around 66% of businesses surveyed say they aren’t sure if they can erase a person’s data by the GDPR deadline, according to a survey by Solix Technologies.

Penalties for non-compliance are steep.

The deadline for organizations to comply with the new stringent GDPR privacy laws is May 25th 2018. What would happen, however, if a company doesn’t comply with the GDPR? After all, the regulations are pervasive into a company’s data and to comply through manually updating records would take years. An automated big data approach would help to properly tag and identify data in order to be compliant.

According to the GDPR, the penalty for not complying is a fine up to €20 million or 4% of global annual turnover—whichever is higher. Many organizations aren’t doing enough to prepare for the GDPR deadline. Until the EU starts fining companies, many may not take proper action. In order to avoid harsh penalties ahead, your organization needs to have a comprehensive data compliance strategy in place that answers the demands of the GDPR.