The European Union’s impending General Data Protection Regulation has been giving legal departments plenty of headaches, even though the new data security rules don’t go into effect for almost six months. With companies potentially looking at fines as steep as 4 percent of their annual global revenue and facing questions around whether to utilize privacy impact assessments or if there’s a need to appoint a data protection officer, for instance, there’s no doubt much to do ahead of the May 2018 deadline.

For all the planning, however, without proper employee training, these efforts may all be for naught, said Daniel Pepper, vice president and deputy general counsel of data and privacy at Comcast Corp., who spoke on a panel at ALM’s 2017 cyberSecure conference in New York.