For example, the breach may have been limited to intellectual property, which is damaging to the company but not covered by GDPR.
"We might end up in a situation where organizations might report a GDPR breach just to be on the safe side," said Rashmi Knowles, CTO for EMEA at Bedford, Mass.-based RSA Security Inc..
And in addition to reporting to the relevant EU authorities, the company will also need to notify all the people who were affected, she said.
This is one of the hardest things that companies are having to deal with, she said.
Failing to comply can result in a fine of 20 million Euros or 4 percent of annual global revenues, whichever is higher.
"These fines are astronomical," said Dana Simberkoff, Chief Compliance and Risk Officer at Jersey City, NJ-based AvePoint Inc. "We haven't seen anything like this."
Companies that saw fines in the millions of dollars would have had to pay billions if the breaches occurred under GDPR, she said.
In a survey AvePoint conducted last year with the Center for Information Policy Leadership, the fines were the biggest concern for executives, she said.
Companies will need to take a very serious look at the data that they're collecting and how they're protecting it, monitoring it, and deleting it when it's no longer necessary.
"What we're advising people is to look at waht information your're asking for, that you actually need it, and have a business purpose for why you're asking for this information," said Mark Taylor, managing consultant at Germany-based NTT Security. "And if you don't need it, don't ask for it, don't collect it -- that's the safest way to behave."
For some firms, that might mean using more outside vendors to do the heavy lifting, use specialized data management and protection companies for whom this is their main area of expertise, or try to have their business partners take on the work.
"I definitely think that companies will do everything they can to shift liability off of themselves onto others," Simberkoff said.
A lot of cloud providers are already working on getting their services certified, she said. Using a vendor doesn't absolve the customer of responsibility, but if the provider has a solid platform then customers will feel confident putting their data there.
"Who's going to have a bigger security team, you or them?" she said. "It's a reasoned judgment that companies will make."
Many companies will also be looking for technologies that helps them evaluate the scope of their breaches, and vendors are already rolling out products.
CSPi, for example, offers appliances that track all access to sensitive data records.
Sign up for CIO Asia eNewsletters.