Risk managers can reduce their firms’ potential liabilities by guiding their information technology departments on how to comply with the European Union’s General Data Protection Regulation, including its challenging right-to-be-forgotten provision, say experts.

The GDPR, which became effective May 25, applies to U.S. companies that operate in the European Union or provide goods and services there and have any EU-based employees regardless of whether they are EU citizens.

The regulation broadens the scope of what is considered personal data, and companies can be fined up to 4% of annual revenue or €20 million ($23.9 million), whichever is greater, for the more serious breaches. Among its other significant provisions is that individuals have the “right to be forgotten” and their personal data erased.

It is still early insofar as determining the level of GDPR enforcement by regulators, say observers.

“I think we’re all still learning as to what GDPR will actually lead to in terms of enforcement and the fines and penalties or liability that’s levied against our potential insureds,” said Marcin Weryk, New York-based head of cyber-West and South at Axa XL, a unit of Axa SA.

“Many of the U.S. companies, I would say, are not in compliance, or have not taken it maybe as seriously” as non-U.S. companies have, said Mr. Weryk.

Giampaolo Scarso, Milan, Italy-based head of client advisory services for brokerage Marsh International, said larger companies are “far more prepared than the smaller ones.”

Annmarie Giblin, New York-based senior counselor for cyber liability with Chubb Ltd., said, “Cyber risk and the privacy concerns that the GDPR does regulate is a common theme that does run through most companies risk profiles overall, and the regulatory burden is only increasing with respect to those issues.”

Marek Stanislawski, deputy global head of cyber and tech professional liability for Allianz Global Corporate & Specialty SE, who is based in Stockholm, said, “Companies are in a good position in that there have already been privacy regulations enforced in the U.S., so they do have a lot of mechanisms in place that are now being required by the GDPR. It’s just a matter of assuring” whether the way they are approaching things should be adjusted, he said.

“For some organizations, it’s going to be rather expensive” to comply with the GDPR, however, including the cost of retaining and hiring top talent such as privacy professionals and attorneys, said Dannie Combs, Chicago-based chief information security officer for Donnelley Financial Solutions Inc.

Mr. Weryk said the key is for risk managers to hold discussions with their firms’ business units as well as their information technology departments “and have an understanding of what information actually is collected, and what is being done with that information,” and if “any technology needs to be put in place to allow for the appropriate use, collection and destruction of that data.”

Those who do business in Europe should conduct “a fairly detailed review” of their data operations, said Richard May, Seattle-based managing principal for Integro Ltd.

The GDPR introduces basic privacy rights, and a company’s software “may or may not have been designed with the ability to limit or change data collection,” so there may be “substantial development costs involved,” he said.

The first step companies should undergo is data mapping and identifying where they are managing data, which takes some time, Mr. Scarso said. “It becomes hard at the very beginning to get a picture of the current situation,” he said.

The next step is data minimization, said Mr. Scarso. “You should keep only the data that’s strictly necessary for your business.”

The third is data cancellation, creating and implementing effective and efficient processes and procedures “to immediately know how to deal with data that needs to be canceled or eliminated” because the client is asking for it, or because it no longer needs to be kept. The final step is data protection, which includes encryption, Mr. Scarso said.

“Stop sending spreadsheets,” said Michael Hiskey, New York-based chief strategy officer for Semarchy Inc., a data management firm. When these are sent by email, “you’re opening up all sorts of exposure to personal data,” if it is hacked. Instead, send links to a corporate network to which access can be controlled, he said.

The right to be forgotten is the most challenging of the GDPR’s requirements, say experts.

“Erase really means erase,” said Mr. Hiskey. The GDPR is “very clear,“ he said. “That data has to be gone. All those files have to be blank. You have to delete them, unless there’s some other legal requirement to keep them.”

Mr. Hiskey added this provision is “exceedingly tricky” because “some of that data sits with downstream processors,” and can be in many different systems “and it’s not well correlated.”