With the increasing frequency of data breaches and the headlines dominated by user privacy scandals, rising consumer outrage has compelled governments around the world to take steps to protect their citizens from negligent practices by companies within and outside of their borders. But have the tough new rules been effective? And is your company prepared for the complicated and potentially expensive changes that have to be made? Now the task list of every online CEO includes ensuring their organization stays abreast of and compliant with a multitude of emerging global data privacy regulations and ensuring they meet these regulations. The consequences of failing to do so could include crippling fines, prolonged entanglement with the justice systems of faraway countries, and the wrath of angry consumers.

It’s been almost a year and a half since the European Union’s GDPR went into effect. Even though the legislation was publicized for two years in advance of its launch, many companies and organizations were still caught flat-footed. In just one example, British Airways is currently facing a $230 million fine over data breaches, enforced under the new rules.

Hundreds of thousands of EU residents have reported companies for noncompliance with GDPR, according to an enforcement tracker maintained by a European law firm. As a result of these complaints, hundreds of businesses have been fined. You might be tempted to assume that GDPR is all talk and not much action—until you learn that these cases are heard through the various European jurisdictions operating under GDPR and are subject to the same delays and trial lengths as civil litigation and criminal enforcement. The message from the GDPR policy team is simply: Fasten your seatbelts! There’s more to come.

On Jan. 1, 2020, California will roll out its own version of the GDPR, entitled the California Consumer Privacy Act (CCPA). Any global business that exceeds $25 million in revenue online, which serves consumers in California, will need to comply with CCPA. It’s the first state to bring legislation to the table but will soon be joined by a long list of others rolling out a consumer privacy law—with reports that federal privacy legislation is also in the works. With other countries around the world in Asia and Latin America joining the fray, it’s clear that practically every jurisdiction will have something to say about how their citizens’ data is handled—with staggering consequences for failure.

For these reasons, we can expect to see more and more demand for privacy- and security-oriented roles like chief privacy officers, data protection officers, and chief information security officers whose sole jobs are to be aware of new and pending legislation, and to be planning changes to systems and services to ensure that their organizations remain compliant

For any business that sells online, the best advice is that now is the time to start putting process, people, and technology in place so that your organization is prepared to rapidly respond to any new legislation that may affect your market presence:

Be aware

As anyone caught speeding through a school zone has likely been told, ignorance of the law is no excuse. If you sell online, your obligation is to keep abreast of all regulations affecting your users by state, country, or other jurisdictions and to understand what their requirements are. Understanding that many of these apply extraterritorially is crucial to ascertaining your liability