Despite ample time to prepare and numerous compliance tools made available by trade organizations like the IAB, the GDPR compliance deadline of May 25th is barely a month away and, according to a new report by Crowd Research Partners, the majority of businesses are on track to fail the law’s privacy standards.

Of the 531 organizations surveyed, only 7 percent claimed to be in full compliance with the law. A full 60 percent admitted that they are likely to be in breach of the law by the GDPR compliance deadline, and close to a third have not even started the compliance process.

“While this is an improvement over last year’s survey results, where only 5 percent indicated compliance readiness, it is still an alarmingly low number,” the report reads.

The majority of companies—53 percent—see the “right to be forgotten,” allowing data subjects to request their information be deleted from company servers at any time, as their largest concern.

Several organizations have announced working on tools to help companies comply with consumer data requests, including, unsurprisingly, one that takes advantage of the blockchain. However, external tools aren’t enough—the law mandates that data protection measures be “baked in” to a company’s processing operations from the bottom up.

Part of this unpreparedness may stem from ignorance of the law itself. While 80 percent claimed that GDPR compliance is one of their organization’s top priorities, only half attested to having significant knowledge of the law, and a quarter admitted to having either limited familiarity or no knowledge at all.

For those making efforts to comply, lack of staff and resources represent a major burden to meeting the GDPR compliance deadline. Forty-three percent of respondents claimed that they do not have employees with the necessary skills to get them on track to comply with the law, and 40 percent do not have the money they need to make necessary changes.

For most companies, complying with GDPR in time will not be a close call: 53 percent of those surveyed expected to need six or more months to fully follow the law. A full 26 percent of companies will need two or more years to get their affairs fully in order.

The penalties for violating provisions of GDPR can be as much as €20 million or 4 percent of global revenue for the year, whichever is higher.

See our rundown of the law and what it means for you here.