U.S. firms that think they’re immune to the requirements of the EU’s new General Data Protection Rule (GDPR) may have a surprise coming: they may be among the first targets of EU regulators when the law takes effect, according to a panel of security and policy experts.

U.S. firms will almost certainly be in the sights of EU regulators come May, 2018, when GDPR provisions governing the protection of customer and employee data take effect, said Ari Schwartz, the Managing Director of Cybersecurity Services at Venable, and former special assistant to the President and Senior Director for Cybersecurity in the Obama Administration.

“Will they target US companies? Yes,” Schwartz said at a roundtable discussion of GDPR in Boston on November 28.

Other experts agreed, saying that US companies with a high profile in the EU but lax data protection practices could be among the first targets, especially in light of major breaches at US firms like Equifax and Uber that also have large footprints in the EU.

Regulators may set their sights on a few, prominent US firms to make an example of them, said Marc French, the Chief Trust Officer at the firm Mimecast. Enforcement actions are unlikely in May, when the law takes effect, but could come before the end of 2018, he said.

Schwartz agreed, saying that EU regulators would likely start by targeting “a few companies” and that US firms would do well to start ramping up their data privacy protections in advance of the May, 2018 deadline.

Unlike the EU, the United States lacks a comprehensive federal data protection law. Instead, companies must comply with 48 state data protection and breach disclosure laws, as well as a range of industry and sector-specific laws like HIPAA (for health data) and the Payment Card Industry Data Security Standard (PCI DSS).

But data security and data privacy - the focus of GDPR - are different problems and require different skill sets, experts noted. And privacy is an area that US firms are uniquely unprepared to address.

“I’d say zero percent of people are ready (for GDPR),” Schwartz said.

For example, HIPAA, the US health data privacy law, is concerned with providing notice and consent around the use and transmission of private health information (PHI). It does not address the security and protection of data flows and data access, the primary concern of GDPR, said Schwartz.

US firms have also been the source of some of the globe’s top data breaches. That includes Silicon Valley firms like Yahoo and Uber, as well as data brokers like Equifax. No US regulator has direct responsibility over data security and privacy, leaving it to agencies like the Federal Trade Commission and states Attorneys General to act as de-facto data privacy regulators. But penalties for violations have been small, especially compared to what GDPR will bring to the table.

In just one example, New York Attorney General Eric Schneiderman fined Hilton $700,000 for two data breaches that affected over 300,000 people. The company was cited for the breach and for failing to notify regulators for nine months after the discovery of the incident internally - both infractions under New York State law as well as GDPR. However, the same fine under GDPR would be in the neighborhood of $420 million (or 4% of Hilton revenue from the year prior to the breach) rather than $700,000.

In recent years, US firms have amassed huge amounts of data on customers that they are now bound to protect, said Chris Wysopal, the Chief Technology Officer at Veracode. That includes data - such as IP addresses and email addresses - that have not traditionally been considered personally identifying, but now will be under GDPR’s expansive guidelines.

Notification of regulators following a breach will be among the most challenging provisions of the EU GDPR. The EU law requires notification of a breach within 72 hours, a window experts said was very narrow and would likely result in a wave of provisional disclosures from large and small organizations.

Beyond that, firms will need to invest heavily in both application security and technologies that can track data flows within an organization, said Wysopal. “Applications are the gateways to sensitive information,” he said. Organizations often have little understanding of where and how sensitive data might be exposed to hackers and the outside world - including data transmitted by applications “in the clear,” or customer data that might be doing double-time as test data development systems.

Andrew Smith, a senior research analyst at IDC said that most firms are assuming that GDPR compliance won’t be “binary,” and that there will be time to transition to the new data privacy regime, including stages of compliance and milestones.

GDPR guidance due out this month will help clarify some questions about what companies need to do to comply, said French. Companies would do well to study that guidance and start preparing for GDPR sooner rather than later!

Paul Roberts is Editor in Chief and Publisher of The Security Ledger and the founder of The Security of Things Forum.