But many European businesses could be behind with their preparations. Symantec's State of European Data Privacy Survey, published Tuesday, found that 96 percent of companies do not fully understand the GDPR, based on an online survey of 900 business and I.T. decision makers in the U.K., France and Germany.
Of more concern, 23 percent said their organisation would not be fully compliant when the regulation comes into effect. Of this group, 20 percent felt it was not possible for their company to become fully compliant.
"Whether companies will successfully navigate the GDPR regulation hinges on their willingness to embrace privacy by design," said Peter Gooch, cyber risk partner at Deloitte, in a press release.
"They must also understand that good security and privacy processes can provide a substantial competitive advantage and be a driver in gaining consumer trust, in addition to being driven by regulatory requirements."
One big change under the new regulation is that companies must ensure they have consent to use personal data.
"One of the big changes between the directive (on the protection of personal data) and the regulation is in the directive you could have implied consent," John said. "Now you have to get explicit consent for every use you make of personal data."
This could create issues for marketing companies, or firms looking to create new products like a loyalty scheme, as they will need explicit consent from European residents to use their personal data, even if they've already collected it.
"It's about giving power to the consumer… to know how their data is being used."
But the core purpose of the regulations, according to John, is to ensure good data governance and make sure that firms collect, manage and protect data appropriately.
"It's a real opportunity (for businesses) to do the things you should have always done," she added. "If you sort out knowing where your data is and what control you've got in your organisation, you'll probably get more value out of it and maybe won't keep stuff you don't need anymore."
Correction: This article has been updated to state that Sian John, chief strategist for EMEA at Symantec, believes that GDPR fines would not start at 20 million euros ($22 million).