Only 29 per cent of European small businesses and 41 per cent of midsize businesses "have taken steps to prepare" for GDPR, according to IDC.
Among non-European SMBs, the share of prepared firms plummets to nine per cent among small firms and 20 per cent among midsize companies.
Even worse, more than 20 per cent of small businesses in the UK and Germany "are not aware" of GDPR.
That's despite there being just seven weeks left before the EU's privacy legislation comes into force on 25 May.
IDC senior research analyst Carla La Croce said: "When looking at GDPR in western Europe, adoption is moving ahead as expected. Bigger companies move faster than smaller companies, and at a country level, Nordic countries are implementing GDPR faster than other western European countries.
GDPR compliance and implementation has been identified as the top security priority."
All firms doing business in the EU will fall under GDPR, regardless of where they are headquartered. It addresses the export of personal data outside the EU, and gives organisations more clarity over the legal environment in which they have to operate.
The EU claims that by making data protection law identical throughout member states, companies will make collective savings of €2.3bn (£2m) annually.
However, the potential penalties for failing to meet these requirements are severe: up to £17.5m or four per cent of annual revenues.
SMB research VP at IDC Raymond Boggs added: "As SMBs around the world increasingly look to grow revenue by reaching out to new customers, the importance of global expansion increases.
"But so does the need for first-rate security and data protection, which is why GDPR compliance is important, not just to avoid fines, but to ensure that vital customer information is secure and protected."