GDPR Goes Live May 25: What Happens Next?

By Nigel Tozer

This blog was also published at

Here are my predictions for what will happen in a world when the General Data Protection Regulation (GDPR) is “live” – out in the wild so to speak. The European Union’s mythical caged dragon of GDPR is set loose to wreak havoc upon mere mortal humans and their humble businesses. Can you see what I’m doing here? A movie magnate was once purported to have said, “I want a movie that starts with an earthquake and then builds up to a climax.” I’m doing that sort of thing.

So what will happen on May 25? The honest answer, I suspect, is not much. A damp squib, by all accounts. Darn. Not much excitement after the earthquake, after all. A bit like when no one was affected at all when the clocks tipped past midnight and the world braced itself for the Y2K global disaster. That was very different, though, and once it was over, it was over. Not so with GDPR. It will rumble on for many years. So what can we expect to see?

  1. GDPR privacy protestors will bring companies to their knees:

Unfortunately, nothing this exciting will happen, but a few CxOs could find themselves more than a little annoyed.  From May 25 and onward we will see direct-action privacy protests take place. Hacking groups will be working to find ways into some companies and will only collect and leak the data when GDPR is live, solely to cause mischief and stimulate fines. The second type of direct action is likely to be coordinated “Data Subject Access” and “Right to be Forgotten” requests in the hope that it will cost the targeted business a lot of time and money. Most likely by disgruntled consumer groups and/or anti-globalisation protestors.

  1. Thousands of business will be raided at midnight by regulators

I’m determined to inject excitement into this, but sadly there won’t be any mass raids either. Could it happen at all?  Yes, the United Kingdom’s regulator swooped* into Cambridge Analytica’s offices in the wake of the Facebook scandal. They even wore fetching FBI-style bomber jackets. So be good.

  1. Courtroom dramas will unfold on TV while millions watch

You guessed it: None of this will happen, either. Don’t get me wrong, there will be reputation-damaging incidents and plenty of European court activity. But it’s going to be incredibility boring and move slower than a tired glacier. The courts will help tighten the definitions of GDPR, so the outcomes will at least drive company policies over time. You can expect that GDPR will evolve over many years, with more than a few significant changes.

  1. We will see the first eye-watering fines in 2018

Nope, not in 2018. There will undoubtedly be some big data breaches, which I’m sure the regulators will get involved in. Unless it’s the result of a heinous disregard for data security and also involves serious misuse of personal information, big ticket fines will most likely stay in their wrappers and you’ll see a more graded approach by regulators.

  1. No drama here: GDPR will change the world

Or maybe GDPR is evidence that the world has changed? Whichever way around you see it, I believe GDPR has and will continue to have a global impact, with many camps now pushing for a federal privacy law in the U.S. Unfortunately, there will still be companies trying to get away with privacy statements full of “weasel words” – and as long as War and Peace – but I’m hopeful that many more businesses will embrace the spirit of the GDPR. At Commvault, we’ve already seen our customers benefit from preparing for GDPR with IT cost savings, smarter use of data and boosts to employee productivity.

Ultimately, though, things will have changed on May 25: Europeans will have regained some power from big, powerful corporations and global tech monopolies; and business will finally have a reason to understand the data it holds and to rethink what it does with that data. So the real story about what happens after GDPR is in play comes down to you and me, in both how we react to it as a business, and how we use our new powers as an individual.

Find out how Commvault can help you better understand and manage data with regard to GDPR in your organisation.

*If you can describe something that took a week as “swooped.”