If you’re like most business leaders, according to a recent survey conducted by Ernst & Young, the privacy compliance elephant in the room should no longer be ignored.

As we previously discussed, the General Data Protection Regulation (GDPR) will take effect in May 2018, significantly changing how companies may collect and use personal data about web users in Europe. Although the May deadline is rapidly approaching and the penalties for GDPR violations—up to the greater of 4% of the company’s global revenue or 20 million Euros—are by no means trivial, it seems that executives around the world are perfecting their ostrich impersonations. Survey findings include that only one-third of respondents have GDPR compliance plans in place. In the Americas and the Asia Pacific, where less than 15% of respondents indicated their GDPR readiness, procrastination is astoundingly acute.

But there’s still time, and helpful resources are available. The first step is to pull heads out of the sand. Once you are ready to take notice and take stock, recommended diligence includes the following:

  • Conducting an assessment of personal data processing, storage, use, and disclosure
  • Reviewing consents from data subjects
  • Identifying international data flows
  • Reviewing and updating security and response procedures
  • Determining whether a data protection officer should be appointed
  • Reviewing agreements with data processors
  • Conducting a privacy impact assessment (ideally on a legally privileged basis)

After these initial preparations have been made, companies can rely on their adaptive instincts and rise to the occasion.