When the EU passed the GDPR as directly effective law it deferred the implementation of the GDPR for two years to allow organisations to make the necessary changes to comply with the law.
One year of that two year period has passed. Many companies and organisations have not even begun to make the necessary changes. For some of them, there is not now enough time to make the necessary changes to reach compliance by 25th May 2018.
There is a reasonable basis for making that judgment; those companies that did start early say they have been working on the issue for a year – and are still working.
Each company and organization will have to change internally. For some, it will be possible to do this in the remaining time. For others there is not enough time. However, even for those companies or
organisations it is best to make an effort; it will be taken into account in the application of fines. Those fines will be administrative fines or court fines.
Ireland is opting for court imposed fines for its public bodies. It plans to generally relieve its public bodies from administrative fines under the GDPR. So, in order to give proper effect to the GDPR, Ireland will have to take its miscreant public bodies to court in order to apply the necessary and appropriate fines. That will be more expensive than the administrative fines.
Perhaps the Government really loves lawyers and will go out of its way to benefit them?