Little more than two months have passed since the General Data Protection Regulation took effect, but the chief legal officer of a worldwide analytics and data management software company has already had some noteworthy surprises.

John Boswell, executive vice president and chief legal officer of the SAS Institute Inc., which is based outside Raleigh, North Carolina, said he spent six years preparing for the arrival of the GDPR, a sprawling new privacy and security law that applies to companies that process the personal data of people living in the European Union.