Some companies want to see how new European Union data privacy laws are enforced before spending a lot of money on compliance.

The EU’s General Data Protection Regulation is set to go into effect May 25, and recent surveys have shown varying levels of preparedness for companies in Europe and out. The law applies to companies that control or process EU residents’ data, and many businesses are scrambling toward compliance.

About 33 percent of companies required to comply with the GDPR know how they will meet a requirement to notify supervisory authorities within 72 hours of learning about a data breach, according to a May 2018 study of in-house counsel around the globe by the Association of Corporate Counsel Foundation. Thirty-eight percent of respondents said their company has not yet decided how to meet the breach requirement, and 29 percent aren’t sure if their company has determined this.

Similarly, on an incoming rule about individuals’ requests for companies to delete their data — popularly known as a right to be forgotten — 34 percent of in-house counsel said their company has established a process for complying. About 40 percent said their company has not created a process for responding to these customer requests, and 26 percent don’t know, according to the ACC Foundation report.

Companies are working to comply with not just these two requirements but the many others imposed by the looming GDPR. Some companies may be taking a “wait and see” approach to determine which aspects of the new law the EU regulators take on as enforcement priorities, attorneys told Bloomberg Law.

“No one yet knows what kind of behavior would trigger a big fine,” Philip Yannella, co-practice leader of Ballard Spahr LLP’s privacy and data security group, told Bloomberg Law. “A lot of companies are waiting to see how this all shakes out” and are standing by to see what kinds of companies and activities the EU regulators focus on with early enforcement actions, he said.

Many companies are “doing what they can” to be ready by May 25 given the risk of fines, but will not be fully compliant by that date, said Yannella, who contributed to the ACC Foundation report. Companies that violate the new law could be fined up to 20 million pounds ($26.9 million), or 4 percent of their annual revenue, whichever is greater.

Calculated Risk

Many companies have to decide “where and when to put their horsepower,” Robin Nunn, a partner with privacy and data security experience at Davis Wright Tremaine LLP in Washington, told Bloomberg Law.

Nunn, who also contributed to the ACC Foundation report, said the 72-hour breach notification and right-to-be-forgotten process requirements are “on the forefront of senior leaders’ minds in-house.”

“What’s difficult to comply with is going to depend on an organization’s business,” she said. On the whole, though, “every organization is going to have difficulty complying with these two provisions.”

Larger companies that comply with privacy laws globally and also ones that have previously been subject to EU regulation “had a head start” with implementing some of the GDPR requirements, Mary Blatch, the Association of Corporate Counsel’s director of public policy and advocacy, told Bloomberg Law. Newer companies without the infrastructure for dealing with consumer access requests and breach laws are going to need more time than others to comply, she said.

The ability to quickly respond to and notify of a data breach is a complex process, for example, as there are many variables that go into detecting a breach, Blatch said.

The right to erasure presents compliance headaches for U.S. companies because few have have ever needed procedures in place to deal with this, Yannella said. Many companies don’t know how they would respond to requests, the mechanism for assessing whether requests have to be honored, and what data has to be erased, he said, adding that companies are struggling with how to respond to other consumer access requests.

Other issues that companies are worried about include requirements for companies that use cookies to collect personal data or use to facilitate behavioral advertising, and an obligation for some to appoint a data protection officer, he said.