
Few firms will be ready for new European breach disclosure rules, fines

Maria Korolov | May 25, 2017
The new European General Data Protection Regulation goes into effect next May, but a year might not be enough for firms to get ready

Manual processes are no longer an option, he said.

It's not just online retailers who are affected. Take eSentire Inc., a managed security services provider based in Ontario, Canada.

"We have a data center in Ireland," said Eldon Sprickerhoff, the company's founder and chief security strategist.

That means that eSentire has information related to the employees who work there. And then there's the information it handles on behalf of its customers.

"We will be considered data processors under GDPR," he said.

So in addition to helping its customers get up to speed on the law, the company is also reexamining its own processes.

"We have a great idea of where data flow, we have a great idea of consent -- we've tightened up some of the language around that," he said. "But data subjects will also be able to request to be forgotten. How we work through some of the technical aspects can be significant -- there's a lot of data that could be considered personal data. We're trying to figure out what it means."

There are also a lot of edge cases that have to be worked out, he said, which should keep lawyers very happy for a long time.

Say, for example, a company is hacked by someone in Europe. Can you collect information about the hacker without their consent? The hacker, obviously, won't bother to comply with the regulations.

"There's asymmetric adherence to the law," he said. "This is one of those things that you discuss over bar stools with a couple of scotches."

Or take the case of international companies that have a single security operations center located outside of Europe.

"If a company's SOC is located in the U.S. and they are collecting data from offices in the EU, they can well be in violation of GDPR," said Israel Barak, CISO and incident response director at Boston-based Cybereason Inc. "Does it make sense, or is it even realistic, for most companies to potentially build 27 separate data collection and handling practices, one for each of the 27 member countries? Probably not."
