If programmers in the ’60s and ’70s had anticipated that their code would still be in use thirty-odd years later, we wouldn’t have needed a massive effort to fix the installed codebase before the century rolled over. But they didn’t, and we did. A lot of money was spent. The world didn’t end on the 1st of January 2000. This is not because it was a rip-off, but because a lot of people worked very hard to avert disaster.
The reason you need to spend money on sorting out your GDPR compliance is not because otherwise the world will end on the 25th of May 2018. It won’t – although if you’re not compliant, and you get caught, you might wish it had.
It’s because you’re not compliant with existing data protection legislation. The Data Protection Act was introduced on the 16th of July 1998. On GDPR-day, it will be nearly 20 years old. So yes, it’s a bit long in the tooth. But if you’re fully compliant with UK DPA 1998 then complying with the GDPR is really not that hard. I’m not saying there aren’t changes, but they’re not earth-shattering.
But if you’ve not bothered with any data protection policies, or you’ve played fast and loose with sensitive data (now called Article 9 Special Category data, but it’s the same stuff), or you’ve ignored the ICO’s very sensible guidelines on data processing, or you don’t have any data security, then yes – you have a problem, Houston.
But you have the problem now, not in May next year. The only big differences are that from May you’ll have to pay more if you’re caught, and you’ll have to ‘fess up if you mess up. So stop complaining about having to spend time, or money, on implementing proper data protection and think about all the money you’ve saved by not bothering for the past 19 years.
PS – don’t believe me? Here’s UKDPA 1998 and here’s the GDPR. Have a read. Compare UKDPA 2.1 with GDPR Art 9; UKDPA 7-9 with GDPR 12-15; UKDPA 10-12 with GDPR 18, 21, 22; UKDPA 14 with GDPR 16-17; UKDPA Schedule 1 with GDPR 5; UKDPA Schedule 2 with GDPR 6; UKDPA Schedule 3 with GDPR 9. See what I mean?
PPS – if you don’t have any policies, you can get them from us. And if you don’t have any data security, you can get that from us too. End of blatant ad break.