Infosecurity

GDPR Compliance Preparation: Why 2017 Was the Last Full Year to Get Ready


The clock was ticking. With the General Data Protection Regulation (GDPR) set to take effect on 25 May 2018, 2017 was the final full calendar year in which businesses could complete their GDPR compliance preparation. Failure to act meant risking penalties as high as €20 million or 4% of global annual turnover, whichever proved greater. For companies that neglected data security, the message was clear: enjoy your cash while you still have it.

Why 2017 Was the Make-or-Break Year for GDPR Compliance Preparation

According to experts quoted by Infosecurity Magazine, with only 526 days remaining until enforcement, 2017 demanded urgent operational changes. Quentyn Taylor, director of information security at Canon Europe, emphasized that the biggest shift would be in the relationship between suppliers and businesses. As data processors now share similar liability with data controllers under GDPR, entire business models and pricing structures needed adaptation.

“Boards will start to take data protection seriously—something that too many have failed to do thus far,” Taylor warned. This sentiment echoed across the industry, as organizations scrambled to understand the scale of the transformation required.

The Governance Gap: Why Many Organizations Were Unprepared

Steve Holt, partner in Financial Services Advisory at EY, observed that many organizations had not established proper governance or clearly defined programs. Gap assessments were underway, but few had a handle on the full scope of change needed. “In many cases, the program is being led by legal teams,” Holt noted. “Our view is that it needs board sponsorship and a cross-functional approach.”

Holt argued that the COO was often better positioned to drive this transformation, given the importance of data, systems, and business processes. He also flagged a dangerous trend: some organizations were avoiding decisions, waiting for further regulatory clarification that was unlikely to arrive soon. “It’s important that organizations make a few assumptions and decisions, so that the program can move forward,” he said.

The Risk of Delayed Action

Holt recommended that boards openly discuss whether full compliance by May 2018 was realistic. His view: many global organizations would not be fully compliant, so prioritizing focus was essential. This meant that GDPR compliance preparation in 2017 was not just about ticking boxes but about strategic risk management.

Low Readiness Scores and the Existing Law Problem

Jonathan Armstrong, partner at Cordery, revealed that their GDPR readiness test showed alarmingly low scores. “People not having done things the existing law requires,” he said. “My gut feel is many people are leaving themselves exposed—there are only 526 days left and for most businesses there’s still a lot to do.”

Armstrong stressed that gap analysis alone was insufficient, as many organizations were not even compliant with current data protection laws. He predicted that 2017 would either be a year of hard work or a prelude to failure under the new regime.

Building Blocks for Compliance: What Experts Recommended

To move forward, Armstrong advised that businesses should have basic building blocks in place by early 2017: a process for handling a data breach and a fit-for-purpose privacy policy. Holt added that a clear governance structure was essential, covering all aspects of the business—including HR, compliance, legal, IT, marketing, operations, and procurement. He also recommended performing a thorough assessment and gap analysis to establish a future vision and strategy.

For more insights on building a robust data protection framework, check out our guide on creating a data breach response plan. Additionally, understanding board responsibilities under GDPR can help leadership take ownership of the process.

The Bottom Line: Time Was Not on Their Side

GDPR may have been 17 months away at the start of 2017, but time has a way of slipping away. The predictions from industry experts were clear: 2017 would be the year of GDPR compliance preparation—or the year organizations set themselves up for failure. Those who heeded the warnings and acted decisively stood the best chance of avoiding the steep penalties that awaited the unprepared.

As the deadline approached, the message remained the same: now or never. For businesses still on the fence, the cost of inaction was simply too high to ignore.
