For months it’s been looming. Now, effectively, it’s here. And only a scant few organizations are ready for the European Union’s General Data Protection Regulation (GDPR).
As the GDPR compliance deadline arrives this month, just 11% of the 700 organizations surveyed by ESG earlier this year said they were completely prepared, and only 33% said their incident response plan meets GDPR requirements. The potential fines for non-compliance (and for breaches) are steep: up to 20 million euros or 4% of an organization’s worldwide annual turnover, whichever is higher.
If you’re struggling with GDPR compliance, fear not. There are specific steps you can take to catch up, reduce risk, and turn compliance into a competitive advantage, according to a recent panel of experts who convened at Microsoft’s headquarters.
Mitigating Risk
The GDPR provides an opportunity for organizations to get their data, security, and privacy house in order, says Elena Elkina, Co-founder and Partner of Aleada Consulting. Elkina advises clients to begin compliance exercises by understanding where data lives within their organization. “It’s extremely important to know, before you even start with compliance, what data you collect, how you collect it, what you use it for, and where you store it,” she says.
The next step: document everything. “Make sure you’ve documented your processes and documented your data around the company,” says Elkina. That way, even if you’re not ready by the deadline, you can show regulators where you are in the process toward compliance.
A Competitive Edge
The upside to GDPR compliance is the potential for competitive advantage. “Companies are using [GDPR] to tell their customers what they are doing about privacy and compliance,” says Elkina. “Instead of focusing on the negative aspect of non-compliance, they are sharing their maturity model, their roadmap, building trust, and making sure their customers are confident in their ability to comply with GDPR.”
Privacy, in other words, is a business differentiator. “It’s an enormous opportunity for innovation,” says Elkina.
David Kemp, EMEA Specialist Business Consultant with Micro Focus, says CIOs and CSOs can expect a return on investment from GDPR compliance. His firm conducts data discovery and finds that for most corporations, at least 30-40% of their data is irrelevant or obsolete. “They’re spending a huge amount of money on storage and upkeep,” he said. The data cleansing that GDPR compliance drives therefore creates an opportunity to clear out the clutter.
Getting There
Kemp advises organizations to take a sequenced approach to compliance:

Get senior management on board and create a steering committee.
Have a data protection officer to comply with the legislation.
Get legal on board to determine what the regulation means, and how it should be interpreted alongside your national law.
Do data discovery to determine how big the problem is.
Do a risk and gap analysis.

It’s also important to understand that execution is not just about technology; it’s about policy, procedure, and people.
The people piece is another side benefit of GDPR compliance. Compliance changes the culture of the company, says Elkina. People start thinking about privacy; they become champions. “Culture is extremely important,” she says. “Privacy is a social, a political, and an economic phenomenon.”
For more on GDPR’s expected effects on organizations, watch the webcast episode, GDPR Impact.