With less than two months before the new European General Data Protection Regulation (GDPR) comes into force, concerns are growing that India’s leading IT firms are underprepared for the changes involved, with press reports this week claiming that “only a third” of the country’s providers are in line to be compliant by the May 25th deadline.
“Only 30%-35% of all IT/ITeS companies have started their journey to work towards GDPR compliance,” Jaspreet Singh, Cyber Security Partner at EY, told the Economic Times on Tuesday.
With fines for breaches of the new regulation potentially reaching four per cent of global turnover (and with data protection in the public eye as never before thanks to the ongoing Facebook/Cambridge Analytica scandal), the consequences of failure to observe GDPR are enormous – yet analysts are concerned that some Indian firms may not be taking their obligations seriously enough. Some observers are also highlighting the extra cost burden and its possible impact on current and future deals: NASSCOM chairman Raman Roy suggested on Monday that “IT services providers will have to rework the contracts and they will see a cost increase. But the cost impact depends on the incremental work (due to GDPR compliance) that needs to be done.”
In an interview with the GSA, DLA Piper partner Kit Burden said that “there remains a huge amount of work to be done on GDPR; in fact, there is too much work now than could possibly be done in the time available. There are still organisations amazingly enough which are only now waking up to what needs to be done. Equally there are more savvy organisations which did realise that they needed to do something, who are still coming to terms with the sheer scale of how much that ‘something’ actually is, and are therefore still running up against the deadline in terms of completing all their remediation activities in time to be ready by May.”