There was definitely a “Y2K atmosphere” around GDPR when the May 25 go-live deadline was approaching. GCs were scrambling, corporate counsel and their law firms were preparing for the strict enforcement threats (and potential infringement costs). Some were more ready than others. Some companies weren’t ready at all, and others didn’t seem to care much.

In an article in Corporate Counsel earlier this year, it cited survey data that around 47%  of respondents reported that to comply with GDPR they must change data security standards; 45% said they must change their breach notification procedures; and 43% said they need to modify incident response plans.