In my job, I’m in contact with many different kinds of organizations, and the dialogue focuses both on information security in general and, of course, on GDPR!
Few topics have been as popular and persistent as GDPR this past year, and there is no indication, or reason, that this would change as we approach May 2018. The question I hear most frequently is: “But we won’t be able to make it in time, what will happen then?”
This is a tricky question, as it involves assessing how the supervisory authorities will behave come May, since there are no legal precedents as of yet. However, the majority of the community involved in compliance issues seems to agree that if you have started working on fulfilling the requirements of the regulation, documented that work thoroughly, and have a plan in place that you are following, you will be less likely to be subject to sanctions.
The supervisory authorities know, as well as anyone, that not all organizations will be able to reach 100% compliance by May, so presumably they will focus on making sure that you can demonstrate that you are actively working on getting there.
However, keep in mind that this remains speculation, even if it is grounded in experience and probability. The GDPR will be implemented as law in all member states and, as we all know, laws must be followed, but we also know that the supervisory authorities in most member states will not have the resources to enforce the law by May 2018 either. The popular opinion is that they will allow some margin for delay, but probably on the condition that you can present an actual plan.
So, in conclusion, if you want my most important recommendation for your GDPR projects, it is this: Start now, get help, define a plan for addressing any gaps, and make sure that you follow it!