Currently, we stand between two paradigms in the regulation and preservation of privacy.

The U.S., as host to some of the world’s biggest tech giants, like Google and Facebook, relies on a caveat emptor model when it comes to data collection where consumers tacitly consent to have their data harvested for commercial use. The European Union, with its General Data Protection Regulation (GDPR) policy set take effect, is advancing a different model that requires companies to get explicit consent from consumers before harvesting their personal data.

These two models directly contradict each other and raise a host of thorny questions with enormous implications, according to Kurt Long, CEO of data protection firm FairWarning, who recently sat down with Inside Counsel in an exclusive interview.

“This motion to implement GDPR is in response to corporations with headquarters in the U.S. who have treated the latest privacy rights as speed bumps in their way of profiting from data of citizens across the world,” he explained. “The European Union, which has fewer conflicts of interests with most U.S. companies, wants to bring control over personal data back to the hands of its citizens, not corporations.”

The U.S. caveat emptor model has enabled an entire generation of U.S.-headquartered companies that have built privacy assumptions into their business models that generate trillions of dollars. In fact, Google, Facebook and Amazon have amassed a fortune of nearly $2 trillion dollars for their shareholders alone. Other companies, like Equifax, sell information about consumers to third parties as another simple example as to how companies monetize user data. Although there are positives to this model such like the interconnectivity that platforms like Facebook provide, there have been massive drawbacks regarding loss of privacy.

Today, GDPR is a new law that changes the way organizations collect, store, and use personal data of EU citizens and gives control of personal data back to them. It not only impacts businesses in the EU, but any company that processes, stores, or transmits personal data of EU residents. GDPR will impose hefty fines on noncompliant organizations of up to £20 million ($26 million) or four percent of global annual turnover, whether they’re based in the EU or not, starting May 25. GDPR gives “data subjects” privacy rights in the digital world including consent, authorization, disclosure and notification, “right to know” and “information accuracy,” right to be forgotten, consequences and definition of breach.

So, how will the American tech giants adapt? Long explained, “To remain competitive, tech giants must implement privacy in the core design of their businesses to regain the trust of citizens both in the U.S. and the EU.”

Recently, European antitrust officials fined Google a record $2.7 billion for favoring some of its own services against competitors in search results. The ruling has further implications than just the sizeable fine. “This opens the conversation as to whether these organizations should be monitored and regulated for such activity. Tech companies will need to move towards transparency when it comes to the use of citizen data to rebuild their trust,” he said.

So, preparing for GDPR means gaining control of consumer data so they can fulfill users’ requests to when they exercise their rights. There are few steps companies must take to become GDPR compliant, per Long. First, they must conduct a risk assessment to get a comprehensive view of where their organization stands in relation to GDPR compliance. Companies must appoint a data protection officer to drive the vision their privacy posture and take ownership of communicating the new strategy. Second, they must identify and classify their current data, companies can’t adapt and govern their data if they don’t know where and what it is. It’s essential they know where their most sensitive data is located and implement a plan to safeguard it.

Third, companies must have insider threat detection and breach motivation. In fact, under Article 31 of GDPR, high risk-incidents of a data breach require notification of data subjects without delay. To detect and prevent such breaches, organizations need to install monitoring technology such as FairWarning for Cloud Security. And finally, they must create and document an incident response plan.

He added, “Set in place an incident response plan when a security incident does occur. Test and test again. As an organization grows and changes over time, it must update its IRP. Maintaining a current IRP is paramount for containing a security incident as opposed to it becoming a full-blown breach.”

Amanda G. Ciccatelli is a Freelance Journalist for Corporate Counsel and InsideCounsel, where she covers intellectual property, legal technology, patent litigation, cybersecurity, innovation, and more.