Little more than two months have passed since the General Data Protection Regulation took effect, but the chief legal officer of a worldwide analytics and data management software company has already had some noteworthy surprises.

John Boswell, executive vice president and chief legal officer of the SAS Institute Inc., which is based outside Raleigh, North Carolina, said he spent six years preparing for the arrival of the GDPR, a sprawling new privacy and security law that applies to companies that process the personal data of people living in the European Union.

“It cost us millions of dollars in time and effort and energy,” Boswell said, noting that failure to comply with the new regulations could result in a fine of 4 percent of a company's worldwide revenue. For SAS, which has customers in 147 countries and reported $3.24 billion in revenue last year, such a fine would amount to more than $120 million.

Secret Shoppers

In the weeks after the GDPR was unleashed on May 25, Boswell wanted to test employees' readiness. He asked other lawyers at SAS to have their spouses or assistants call an SAS office and, posing as European citizens, request their personal data under the GDPR.