Is GDPR Complacency the Second Phase of GDPR Implementation?

August 16, 2018 | GDPR

Written by

I was editing a document the other day when I noticed that my spell checker did not know the word “compliancy”: The suggested replacement was “complacency”. Given that the context was “GDPR compliancy”, it made me wonder about whether the spell checker had accidentally made an ironic observation of small to medium businesses’ attitudes in the UK at the moment.

It would be fair to say that a lot of businesses now think that the problem has gone, that it was like the old Y2K thing where there was a lot of fuss and then nothing happened. May 25th arrived and storm troopers did not kick down the door and arrest everyone for suspicion of unspecified GDPR crimes. The stars did not fall from the sky and the world continued to spin on much the same axis as it had done previously.  However, should this period of relative quiet be better thought of as the calm before the storm?

A quick look at the website of the Information Commissioner’s Office shows prosecutions for crimes committed under the Data Protection Act 1998 rather than the GDPR enabled, superseding, Data Protection Act 2018. The reason for this? The ICO has just taken on a LOT more staff and, for the next few months, will be ploughing through the backlog of prosecutions so that the new laws can then be wholly focussed upon. Don’t be fooled into thinking that these few months are, in effect, a lawless time where the rules don’t apply, because that is not the case. Once the backlog is cleared and the ICO investigators turn their focus onto actively enforcing GDPR, they will be looking back over this period, investigating complaints and conducting on-the-spot audits in the same way that HMRC’s VAT inspectorate have the power to drop in unannounced: Similar rulebook, different game.

Going back to the start point of this article: the first phase of GDPR, between it being announced and being brought into law in May, saw an increasing number of businesses trying to do the right thing and adjust their practices, policies and procedures. This second phase, between GDPR becoming law and the ICO catching up with its workload, could, as my spell check suggested, be considered a time of “GDPR complacency”. Time will show that this attitude is a mistake.

I estimate that the third phase will start with the new year and in January 2019, we will begin to see what the ICO can do when its decks are cleared, its people trained, and its pencils sharpened…

In short, complacency would be mistake going forward: get compliant!

With GDPR solutions for every size of business, if you would like to be put in touch with a participating Brigantia partner for help and advice, then please call Brigantia on 020 3358 0090 or email

Recommended reading