Impending regulation is set to radically change data compliance as we know it, but few companies are ready.

Just 6% of firms are completely prepared for the European Union’s General Data Protection Regulation (GDPR), according to a November 2017 survey of IT professionals by data modeling company Erwin. The GDPR, which becomes enforceable in May, states that a consumer's data can only be used if they give a company explicit permission. Not being prepared for these new rules is a big risk, because companies that are found to be in violation of the GDPR face a fine of $24 million or 4% of annual sales, depending on which figure is higher.

One of the reasons more companies aren’t prepared for the GDPR is because it is expensive to become compliant with the new laws. Half of the companies in a Forrester Consulting and Evidon survey spent more than $1 million to meet GDPR requirements. And nearly a fifth of companies allocated more than $5 million for GDPR prep.

“Conducting a whole GDPR analysis on the companies you work with, and the companies that those companies work with, is a huge legal endeavor,” said Ratko Vidakovic, founder of ad tech consultancy AdProfs. Vidakovic said that within the ad industry, this type of legal analysis involves auditing dozens if not hundreds of companies, due to the complicated nature of the ad supply chain.

Another thing that makes GDPR preparation difficult is that people’s interpretations of the law vary widely, said Sean Blanchfield, CEO of PageFair, a company publishers use to avoid ad blockers.

For instance, PageFair is interpreting the law quite literally and approaching it as if regulators and the court system will drop the hammer on violators. But ad retargeting firms have taken a more laissez-faire approach and advocated that their web-browsing data doesn’t put them in the GDPR crosshairs. With so many different interpretations of the law out there, it is difficult for companies to properly understand the risks they face with GDPR, and therefore how to become aligned with it, Blanchfield said.

“Perhaps some companies are planning to model their strategy based on what others are doing,” Vidakovic said. “They may even wait to see how the law actually gets interpreted and enforced.”