Most banks and financial services firms are certainly aware of the GDPR, but the level of compliance and focus on it varies across the industry. “There are inquiries about GDPR on information-sharing sites, such as ‘Have you done a risk assessment for GDPR?’” Jeff Patterson, executive vice president at ANB Bank, told the Cybersecurity Law Report, “but I don’t think a lot of the professional associations in the industry think it is a big risk at this point.” Is that a mistake? In this article, we discuss the current state of compliance in the financial sector, the extraterritorial applicability of the GDPR, its relationship to U.S. laws, enforcement priorities and the risk of collective action. The second installment in the series will address specific compliance steps and identify common errors. The third article will examine special considerations of the law – such as determining the identity of controllers and processors and accounting for Member-State specificities – and will provide advice on monitoring ongoing compliance. See “Countdown to GDPR Enforcement: Final Steps and Looking Ahead” (May 16, 2018).