Spring is here, finally, after a long and drawn-out winter. For most of us that's great news, but some cybersecurity professionals may instead be overcome with a sense of dread. Why? Because the European Union's General Data Protection Regulation (GDPR) becomes law in a matter of days.

Actually, it looks like more than just a few security leaders are experiencing a sinking feeling in the pit of their stomachs right about now. According to Crowd Research Partners' 2018 GDPR Compliance Report, only 40 percent of organizations are either GDPR compliant or well on their way to reaching compliance by the May 25 deadline. The research firm identifies a lack of GDPR expertise and an overall underestimation of the effort required to meet the regulation as the culprits.

If your organization doesn't find itself among the compliant, you might be mired in what Deborah Hurley, a faculty member in the Brown University Executive Master in Cybersecurity (EMCS) program, refers to as one of the seven stages of GDPR. The following is a condensed version of how she describes these stages in a recent EMCS Podcast. (Perhaps they sound or feel familiar.)

Stage 1: Shock and disbelief

The GDPR was adopted in 2016 with a two-year implementation window so that governments could get their legislation in order and companies could get to work on compliance. But even with a two-year warning, many companies are still either stunned with disbelief or in a state of full-on shock.

Fueling this problem is the fact that many U.S. companies don't understand the full scope of the GDPR. Often, you'll hear leaders say that they don't have offices in the EU, therefore they aren't affected by the regulation. But the scope of the GDPR is quite broad: it applies to companies with business operations in an EU member country, but also to those that offer goods and services to EU residents – even if they're free.

Take, for example, a website that gives information about horoscopes and collects visitors' information; the GDPR applies to that site if any of those visitors live in an EU member country. If your organization collects information – personal data and even behavioral data (where visitors click on a web page, how long they stay on a page, etc.) – about a resident of an EU country, then the GDPR applies to you.

Stage 2: Denial

Despite this rather straightforward definition of which companies are affected by the GDPR, many remain in a state of denial. They think that regulators will go after the big fish – companies like Facebook and Google – because the penalties that those organizations would pay are much more substantial. The GDPR penalty for noncompliance or violation is 4 percent of the organization's global turnover or 20 million euros, whichever is larger. So yes, that makes Facebook and Google interesting targets. But it doesn't mean regulators won't bother with the rest.

And it's not just fines that regulators can impose. They can stop the processing of personal data if they find an organization is in violation of the law. They can stop the transfer of personal data outside of the EU to a third country. And they can also stop business operations or bring lawsuits against violators. So they have a whole suite of enforcement abilities at their disposal.

Still, many companies opt to simply decide that they are, in fact, compliant and ignore all reasoning and rationale. Instead of working through these stages of GDPR to arrive at a positive outcome, they're sticking their heads in the sand.

Stage 3: Pain

In this stage, as the shock wears off and denial gets old, companies start to wonder what they did to deserve such misery. They ask almost existential questions about the GDPR: Why is it being enforced? Does it have to apply to us? Do these regulators know how much it's going to cost us to become compliant? Is this some sort of sick joke?

Stage 4: Anger

The noncompliant become defiant during this stage. Executives wonder aloud, "Who does the EU think they are? They can't tell me what we can and can't do with information that we collect!" Well, unfortunately, they can.

Stage 5: Bargaining

The noncompliant might also start to make bargains with higher forces that they know they can't adhere to, like "Just let us be compliant and we'll stop postponing our data governance initiatives!" Or they might think "We'll just get our consultants to do it all!" Neither approach constitutes a compliance strategy.

Stage 6: Depression

As it begins to sink in with the noncompliant that they can't change their status overnight, there's a feeling of hopelessness. And this feeling is fed by irrational thoughts that make the problem seem worse than it is. People think "Wow, this is unlike any regulation we've ever seen before, how will we deal with it?" When, in fact, it didn't come from nowhere. The GDPR is actually part of a continuum of legislation to protect personal data and privacy that's been going on for more than 40 years. So, it's an incremental amendment to a global trend, rather than something altogether different, and it's important for people to realize that. It adds perspective.

Stage 7: Acceptance and hope

Once organizations have hit rock bottom, they may be able to begin to turn around and realize it's time to assess and rebuild. By taking a good, hard, honest look at whether their organizations are affected by the GDPR, they can start to get a handle on compliance. Understanding the penalties that they might be up against, and weighing them against the cost and effort required to become compliant, is also helpful. Then they can begin mapping out a plan.

Professor Hurley's excellent encapsulation of GDPR helps us think about the regulation from the standpoint of a familiar model.

In brief, these are the steps to meeting the GDPR technical requirements:

1. Perform initial readiness assessments
2. Create a data mapping inventory
3. Perform privacy and data protection impact assessments
4. Address website tracking notification and consent
5. Put in place mechanisms for users to easily request personal data

There's a lot to consider, and forging a path to GDPR compliance takes more than technology know-how. It requires an understanding of policy and legal issues, customer relations, human behavior, and other factors. And it requires cybersecurity leaders working together with their executives to come up with a plan. But it beats sticking your head in the sand.