U.S. accounting firms beware: The European Union’s new data privacy regulations may apply to you, too.

The General Data Protection Regulation, which took effect May 25, regulates how companies process personal data. Companies that reside in the EU, serve its residents, or monitor their behavior must comply. Potential violators could face a maximum penalty of 4 percent of global annual revenue or 20 million euros ($23.5 million), whichever is higher—steeper than under the EU’s 1995 Data Protection Directive.

For accounting firms, GDPR compliance isn’t a quick information technology fix. Firms may need to make system and personnel changes and must...