With less than two months to go, many companies still aren’t ready to meet the the requirements of the EU’s General Data Protection Regulation (GDPR).

That’s according to Janco Associates’ Security Manual Template, which includes a GDPR compliance checklist. Any U.S. organization that handles data belonging to EU citizens will be required to be compliant when the regulation comes into force on May 25. Noncompliance can trigger penalties totaling 4 percent of revenue, or a maximum of $22 million.

“We have reviewed the compliance plans of over 200 SMB enterprises and have found that 34 percent of the companies are not ready to meet the EU’s GDPR requirement,” said Janco CEO Victor Janulaitis. “Most say the GDPR requirements are very complex, not enough resources have been allocated and that many of the skills required to implement GDPR are in short supply. In any case, most feel they will comply by the latter half of 2018, well after the compliance deadline.”

Digital marketing firm Vizergy said the GDPR defines a few roles that are responsible for ensuring compliance. Mainly, the data controller, data processor and the data protection officer (DPO) will be responsible for compliance across an organization, it said.

The data controller defines how personal data is processed and the purposes for which it is processed. The controller also is responsible for making sure that outside contractors are in compliance.

Companies must provide a “reasonable” level of protection for personal information about EU citizens in EU states. Examples of personal information are name, home address, photo, an email address, bank details, posts on social networking websites, medical information, cookie data, race or ethnicity, political opinions, biometric data, or a computer’s IP address for geotargeting.

Vizergy offers the following tips for GDPR compliance: