GDPR is looming and is causing headaches for many companies, not just small businesses. Some experts believe the penalties for non-compliance could cripple a small or midsize organisation. Even the cost of ensuring compliance can be too much for small businesses, and many are not ready.
GDPR, which was approved by the European Union Parliament, covers all EU citizens and people whose data is stored in the EU, regardless of whether the company that collects the data is based in Europe. If a company detects a serious breach, it is required to notify affected individuals and regulators within 72 hours. It also expands the parameters of personally identifiable user information and raises the bar for companies to process that information. Failure to comply risks fines of up to 20 million euros or 4% of annual global revenue.
Many remain uncertain about compliance with the rules that go into effect May 28, and the sizeable costs to get in line with these rules could force substantial changes to companies’ cloud architectures.
Besides the confusion about how audits will be handled and lack of clarity around responsibilities, companies are least prepared for the cost of GDPR compliance requirements.
Some of the details of GDPR rules and responsibilities must still be hashed out, according to Daniele Catteddu, CTO for the Cloud Security Alliance, a non-profit advocate for cloud security best practices. “I don’t think any, or at least very few, companies are going to be ready,” she said.
A survey released this month by the alliance, which counts AWS and Microsoft among its members, found 83% of companies said they do not feel very prepared for GDPR, 31% have a well-defined plan for compliance, and more than 10% lack any defined GDPR plan.
Many companies, although aware of the pending regulations, have been slow to prepare and shocked by the price tag, said David Linthicum, chief cloud strategy officer at Deloitte Digital. “What needs to be done is going to be very labour-intensive and very costly for a company doing business in Europe,” Linthicum said.
Deloitte estimated companies that do business in the EU will pay an additional 10% to 15% in compliance costs under GDPR. For the Global 2000, the EU is too huge a market to leave, but some smaller companies may abandon the market or anonymise users’ data to avoid collecting any personally identifiable information, Linthicum said. He said he’s also watching to see if the EU backs down on the requirements to make compliance cheaper, or if it will stand pat regardless of the outcome, even if businesses pull out of the EU.
Because companies that are found to be in violation of the GDPR face those fines of €20 million or 4% of global revenues (whichever is greater), some firms that rely on sensitive data are treading in uncertain waters, and this has already led some companies to leave Europe.
The GDPR contributed to location data company Verve closing its operations in Europe, reported The Drum. In March, cross-device vendor Drawbridge yanked its ad business out of Europe. And in January another cross-device specialist, Tapad, ended its media services and pivoted its business to resemble a customer data platform, a tech category that is banking on the GDPR by focusing exclusively on first-party data.
Even the most powerful players in the ad industry are having to adjust their functionality to accommodate the GDPR. Facebook is beginning to ask users to agree to its new data policies and review their ad preferences. Some industry observers believe the adjustments Facebook is making around the GDPR will fundamentally change how ad targeting works on its platform.
While the GDPR could shake up the marketing tech industry if regulators decide to strictly enforce the law, few companies are completely ready for the upcoming rule changes. According to a November 2017 survey of IT professionals in North America by data modelling company Erwin, just 6% of respondents were completely prepared for the GDPR.
What makes preparing for the GDPR particularly difficult is that people’s interpretations of how the law will be enforced vary widely, and it is expensive to become compliant with the new laws.
Half of the companies in a Forrester Consulting and Evidon survey spent at least $1 million to meet GDPR requirements. For some marketing tech companies that run on personal data, it makes more sense to pull their business out of Europe and see how this whole thing plays out.