Many U.S. companies are updating their privacy policies this week. Here’s why:

Photo caption (Richard Drew | The Associated Press): In this March 29, 2018, file photo the logo for Facebook appears on screens at the Nasdaq MarketSite in New York's Times Square. Many companies large and small are updating their privacy policies and service terms to comply with upcoming European Union rules governing data and privacy. In preparation for GDPR, Facebook in March updated its privacy controls in hopes of making them easier to find and understand.

The European Union’s General Data Protection Regulation, or GDPR, goes into effect on May 25. Is your company ready?

The objective of the regulation, which was adopted in 2016, is to simplify and consolidate the rules companies must follow to protect the personal data they hold, and to return control over that personal information to EU citizens and residents.

Individuals in the EU will have the right to access the data companies hold on them, to have it erased, or to have it transferred to another provider. When asked, companies must be able to demonstrate to regulators that they have adequate policies and procedures in place to protect that data, or they will face huge fines. How huge? If your company is not compliant, the fine could be as large as 20 million euros (about $24 million) or four percent of your annual global revenue, whichever is higher.

The GDPR doesn't apply only to big companies. Small businesses, nonprofits, research firms and solopreneurs, wherever they are located, are also subject to the rules. What matters is not where the organization sits but whether it offers goods or services to people in the EU, or collects personal data about them.

The law is also confusing to many, so much so that some lawyers say it may even apply to U.S. citizens visiting Europe.

“A U.S. tourist who visits Germany for one day and returns to the U.S. has rights under the law if that person used [a service like] Facebook while on the trip,” Alex Stern, an attorney, wrote on his firm’s blog. “Organizations may still be wildly underestimating the scope of the GDPR.”

Underestimating the scope is definitely a problem. According to a report issued last month by technology publisher CompTIA, 52 percent of the 400 U.S. companies it surveyed said they were either still exploring whether GDPR applies to their businesses, had determined that it doesn't affect them, or were unsure. Of the firms that said they would be affected, only 13 percent believed they were already compliant, and 35 percent said they weren't there yet.

“Companies subject to the regulations are running a huge financial risk by failing to put a GDPR plan in place,” Todd Thibodeaux, CompTIA president and CEO, said in a news release.