AEG Vice President of IT in Europe David Jones has to protect data at an array of entertainment venues across the continent, including the O2 in London, the AccorHotels Arena in Paris, the Ericsson Globe in Stockholm and the Mercedes-Benz Arena in Berlin.
His primary concerns about GDPR are over the clarity of guidelines and interpretations of the regulators, although his work in the stricter privacy regime of Germany means his company is likely better prepared than most.
"The reality is probably that many organisations aren't anywhere near where they should be," he says. "I think one of the big challenges with GDPR is there's probably quite a big lack of clarity about actually what the regulations will really mean in day-to-day life.
"We've got complexity, we've got businesses in three European countries. And of course the benefit of GDPR is that all those businesses will then be conforming to one common set of standards. The reality of course is it won't be like that because each regulator will interpret things slightly differently.
"To a certain extent we're already dealing with some of the GDPR themes in Germany, because Germany's just been ahead of the game on this one, particularly with things like marketing consent."
He hopes that greater clarity will develop when the Information Commissioner's Office (ICO) issues its first fines for breaches.
"I think we're all hoping the ICO will go after the likes of Google and Facebook first rather than smaller organisations, and that will help set some sort of case law," he says.
Read next: AEG CIO David Jones interview - Digital innovation and live disruption