A year has now passed since GDPR took effect in the EU, ushering in the most sweeping data privacy protections in a generation and transforming the global marketing and tech space in ways both predictable and unforeseen.

As this anniversary fast approached, many of us started asking the same questions. What have we as digital marketers learned during this first year? How does that knowledge impact our work and inform our decision-making moving forward? What are the good, the bad—and yes, even the ugly—effects that have resulted from this epic standardization of data and privacy practices and transparency?

From my vantage point, I see four takeaways from GDPR’s first year, learnings for how these regulations have reshaped the business of digital marketing and insights on how they will continue to do so.

You’re probably busier since GDPR took effect, and it’ll likely stay that way

Heralding a clampdown on the handling of consumer information, GDPR has led to a wave of notifications, complaints and fines across the EU. According to the International Association of Privacy Professionals, data privacy officers in the last year have dealt with more than 280,000 total cases, 144,000 individual complaints, 89,000 data breach notifications and 440 cross-border cases. Meanwhile, GDPR enforcement has led to more than 56 million euros in fines.

Data has become an industry lifeblood, and the last thing any marketer should do now is taint its value by taking GDPR lightly.

And the work of DPOs is only expected to grow, with European Data Protection Board guidance expected over the next two years on issues including delisting, certification of codes of conduct and video surveillance.

All that work means, of course, that much more is needed on the part of digital marketers—a great deal more than was anticipated. Back in 2017, the IAPP projected that GDPR would create a market for some 75,000 DPOs worldwide. This past spring, a new study from the same group revealed that in those two years, an estimated 500,000 organizations, encompassing both the public and private sectors, had registered DPOs in the EU alone.

Make sure you have invested in the human resources to not only be GDPR-compliant but also to retain valuable talent that is properly educated on the issues at hand. Other companies that aren’t as diligent as yours will try to steal that talent away.

Infrastructure and products could still be lagging behind GDPR standards

There was so much written and discussed in the run-up to GDPR that surely every business was fully prepared on day one, right? Think again.

A year later, many companies are still woefully behind when it comes to meeting even basic GDPR requirements. In a recent test of the 100 most visited websites in the EU (excluding those operated by global giants like Google and Facebook), the data security firm ImmuniWeb found that 51% had missing or difficult to find privacy policies, while 78% were found to have nonconsensual or insecure usage of cookies handling sensitive or tracking data.

If your company hasn’t made the financial investment to make sure your technology and products are meeting the standards set forth by the EU, you could find yourself in a world of trouble.

GDPR’s impact on digital marketers is getting more significant

Much has been made of the EU levying large fines against global digital players over alleged transgressions regarding transparency, but it appears we may have seen but the tip of the iceberg.

As the firm Crowell Moring noted on its data law blog, all major U.S.-based digital media and marketing giants have, in fact, already found themselves in the crosshairs of European regulators. Their experiences will no doubt be instructive for the industry as a whole moving forward.

Any American company doing business in Europe (with or without a physical presence) that hasn’t already taken meaningful steps toward GDPR compliance runs a considerable risk of getting caught in violation. The EU means business on this matter.

Consumer consensus regarding GDPR is … to be determined

The demands of EU regulators and the readiness of companies to comply with those demands have certainly come into sharper focus over the last year. What’s less clear is what consumers think about it all. A recent survey of more than 1,100 people across the EU and the U.S. by HubSpot suggests that the public’s attention on GDPR has actually declined since the implementation of the regulations compared to the run-up.

The survey also revealed that fewer consumers think the guidelines have improved their interactions with companies. In addition, fewer people now expect companies to alter their behavior concerning their data than they did prior to GDPR’s implementation. The survey also found that fewer consumers overall are now less likely to opt out of companies collecting their personal data versus before GDPR took effect.

But just because consumers aren’t as interested in GDPR’s direct impact on their lives, it’s imperative that all companies continue to take the issue seriously. Data has become an industry lifeblood, and the last thing any marketer should do now is taint its value by taking GDPR lightly.

As GDPR evolves beyond the first-year transition phase, the regulations are sure to become a more ingrained reality of consumers’ lives as well as the business practices of digital marketers.