The EU's General Data Protection Regulation (GDPR) is giving marketers ad tech anxiety.

Many marketers worry that they risk getting fined if they work with vendors who aren’t compliant with the GDPR, which stipulates that user data can be used only if a company has explicit permission from the individual. In a June survey of 255 marketers worldwide conducted by Demandbase and Demand Metric, just one-fifth of respondents were not concerned about their tech vendors putting them at risk of violating the GDPR.

Companies found to be in violation of the GDPR face a fine of €20 million ($22.1 million) or 4% of global revenues (whichever is greater). While the potential fines are worrisome, it’s not like the surveyed marketers were in a full-on panic. About six in 10 were slightly or somewhat concerned about their vendors exposing them to legal risks. Just 9% were extremely concerned.

The survey’s results allude to how the GDPR is creating logistical hurdles for marketers. Many feel that it’s not enough to merely have their own data in check. It’s also necessary to get their tech partners aligned with the law. But this is not an easy task to pull off because, unlike marketers, vendors often do not have direct relationships with consumers.

In June, TrustArc and Dimensional Research surveyed 600 IT and legal professionals in the US, UK and EU on the state of their companies' GDPR compliance. Just 13% said that their vendor risk management programs were fully compliant.