EU General Data Protection Regulation (GDPR) comes into force today, and less than one-third of UK businesses feel they are ready to comply with the new rules.
That is according to a survey of companies by software firm Apricorn, which found that almost one in ten still regard the regulation as a mere box-ticking exercise.
This is despite businesses facing fines of up to €20m (£17.7m) or 4% of global turnover if they fail to comply, along with reputational damage and lost customers.
"We continue to see a huge amount of confusion among organisations as to what to prioritise in order to tackle the regulation," Apricorn EMEA managing director, Jon Fielding, said.
"By now, all employees, from the top down, should have an understanding of the importance of GDPR and the role they play in keeping this data safe."
GDPR is designed to give better protection for citizens by harmonising data privacy laws across Europe, and applies to all firms that do business inside the EU.
The Apricorn research found that a lack of understanding about the data they collect and process is the number one concern for half of companies that know the regulation applies to them.
It was also found that almost four in ten think they are likely to breach the rules because of gaps in employee training, with nearly a quarter saying their staff don't understand GDPR responsibilities.
Despite this, 44% of UK businesses believe the new regulation is a welcome opportunity to overhaul their data handling and security processes.
The most common action firms have taken so far is to update and review their mobile working, with 67% doing so, although this is still a concern for 30% of businesses, while 22% are concerned about encryption.
In line with this, 98% of companies recognise that they will need to continue investment in policy, people and technology even after today's deadline has passed.
"The best form of defence is to make sure everything you have is as locked down as possible and all PII is encrypted in transit and at rest," Fielding continued.
"Organisations should research, identify and mandate corporate-standard encrypted devices and educate employees on their use to avoid the risk of a breach and being fined for non-compliance."