The legislation seems poorly understood, which will lead to many organizations waiting until the first prosecution is underway before they react, said BeyondTrust security experts. Many US companies are waiting to see how GDPR plays out stateside, and the EU will look to make an example of a multinational that is out of compliance, said Malcolm Harkins, Cylance's chief security and trust officer.