When it comes to complying with the EU's General Data Protection Regulation (GDPR), some tasks are easier than others.

In June, TrustArc and Dimensional Research surveyed 600 IT and legal professionals in the US, UK and EU on the state of their companies' GDPR compliance. About a quarter of respondents said their new data policies and procedures and cookie management protocols are fully compliant with the new regulations, which stipulate that user data can be used only if a company has explicit permission from the individual. But just 13% said that their vendor risk management programs were GDPR compliant.

Complying with GDPR is a multifaceted undertaking that involves companies getting permission for various things, such as user tracking and data transfers. As the effects of the law begin to unravel, ad buyers, publishers and tech firms have accused each other of passing the buck when it comes to obtaining user consent.

What’s made some ad industry insiders skittish is the idea that they risk getting fined for violating the GDPR if they work with vendors who aren’t compliant with the new regulation. And while marketers may have direct relationships with their consumers, their third-party vendors don’t, which adds another layer to their compliance.

There are frameworks for getting tech vendors aligned with the GDPR. One developed by the Interactive Advertising Bureau (IAB) is picking up steam now that Google committed to it. The GDPR has yet to lead to massive fines, but it has caused several marketing tech companies to pivot their business models and pull out of Europe.