Finally, May 25 is here. The GDPR is in force. It’s a day that many of us have been preparing for with more effort and attention than we paid to the birth of our children (okay, maybe not that much preparation, but close, right?).
Now that the day is here, though, there’s a gaping question: What happens next?
Everyone has an idea for how enforcement will look, how companies will respond, how consumers will engage. But I admit I didn’t see the Los Angeles Times cutting off access to anyone in the EU. Who’s giving them legal advice? The Arizona Republic? Guys. The GDPR likely doesn’t even apply to you. What are you doing?
Eventually, the panic will wear off. People will realize that the GDPR is not some effort by the EU to be the global privacy police. The DPA of Slovakia isn’t going to hunt down every web site that some resident happens to stumble across and demand to speak to the DPO. It’s just not going to happen.
Regardless, it’s worthwhile to look into the future and make some guesses as to what might actually happen, so we asked volunteers on our Education and Publications advisory boards to weigh in with predictions. Here’s a selection of smart, fun, silly, and forward-thinking predictions for the coming year in GDPR:
ShanShan Pa, CIPP/E, CIPP/US, CIPM, Head of Compliance and Privacy, U.S. and Europe, Alibaba Cloud: “
1. When the DPAs are hiring rapidly, that’s when you’ll know they have got a target in mind.
2. It might take till fall of this year before we will hear of an enforcement case.
3. We’ll see plenty more GDPR souvenirs on the market.”
Brian F. Clayton, CIPP/US, Associate General Counsel & Chief Privacy Officer, Conduent: “
1. Regulators will be inundated and overwhelmed with volume the first 12 months.
2. Data controllers will be inundated and overwhelmed with data subject access requests for the first 18 months.”
Christin McMeley, CIPP/US, Partner, Davis Wright Tremaine LLP: “
1. I predict GDPR enforcement will be similar to FTC enforcement in the U.S. in the sense that DPAs will go after companies with clear violations so they can (1) levy maximum fines that serve as a deterrent and (2) build a body of case law that will serve as its own kind of guidance. I don’t think the first enforcement actions will involve big tech, because they will fight back, prolonging resolution – plus a mid-size company reinforces the FTC approach that it could be anyone at any time.
2. Companies will budget for GDPR psychics who can make better predictions!”
Amanda K. O’Keefe, CIPP/US, Assistant General Counsel / SVP, Citigroup:
“I predict vociferous backlash against GDPR and other attempts at international regulation via domestic legislation (split evenly between too far/not nearly far enough camps), while background conversations about profit-seeking vs. public good, and competitive advantages via better privacy controls, lead to major infrastructure and protocol changes to the internet. That might have also been an episode of ‘Silicon Valley.’”
Kirk Nahra, CIPP/US, Partner, Wiley Rein: “We will see continued levels of craziness for several years, as companies and regulators deal with the full array of issues that are still confusing for everyone. At the same time, I expect (and hope) that the worst fears of the regulated community will not come into force as regulators will be reasonable and thoughtful and will focus their attention on companies doing bad things and companies that are not trying to comply.”
Susan Bandi, CIPP/US, CIPM, CIPT, Executive Global Data Security and Privacy Officer, Monsanto:
“GDPR gives the EU the weight it needs to enforce privacy rights for EU data subjects. My prediction is that enforcement will be exercised very cautiously, even with some possible missteps, as this will be a learning curve for everyone. I don’t believe it’s another Y2K! Action will be taken with continued direction given for clarity.”
Alexandra Ross, CIPP/E, CIPP/US, CIPM, CIPT, Director, Senior Global Privacy and Data Security Counsel, Autodesk:
“On a positive note, I predict that businesses will continue to invest in GDPR compliance and will incorporate GDPR’s core principles and requirements into their global privacy and data protection programs.”
Emily Johnson, CIPP/E, Senior Privacy Program Manager and Team Lead, Microsoft:
“These problems have been here so long that the only way I’ve been able to function at all is by learning to ignore them. Else I would be in a constant state of panic, unable to think or act constructively.”
― Mark Bowden, “Worm: The First Digital World War”
“I think many will realize that life and work go on after Friday. Hopefully the ‘constant state of panic’ will subside, and companies can go back to thinking and acting constructively on data protection.”
Dennis Dayman, CIPP/US, CIPP/E, CIPT, Chief Privacy and Security Officer, Return Path:
“My prediction is that brands and marketers will lose unnecessary amounts of data for not understanding the past and continued consent requirements and be really hit hard in their list management. However, like with CAN-SPAM in 2003, this will also help marketers in the long run practice the idea of quality over quantity when it comes to list management and help them send relevant and more targeted messaging to those who really want it.”
Photo credit: april-mo Cotton wool clouds in the ball via photopin (license)