Recall the Y2K panic that swept through the technology sector as the year 2000 neared, when it became clear that two-digit year fields would reset to 1900? A frantic rush ensued to patch every system before the deadline. Similarly, May 25, 2018 marks another terrifying milestone for the tech world. Every system we have constructed for managing personal data must be redesigned to comply with the forthcoming General Data Protection Regulation (GDPR) standards. It is a massive undertaking with precious little time remaining.
Although the night before the GDPR deadline won't spark celebrations akin to New Year's Eve 1999—when many counted down to what they jokingly called 'the apocalypse'—stakeholders worldwide will still navigate a spectrum of feelings as they progress through the seven phases of GDPR mourning at different paces.
Just as with Y2K, May 25 might pass without incident if organizations quietly achieve compliance. However, the majority of firms remain stuck in the initial grief stage—denial—convinced that GDPR doesn't affect them (if they are even aware of the regulation). Denial seldom benefits any business. And for GDPR violations, penalties can reach 20 million euros (about $24 million) or 4% of worldwide yearly revenue, whichever is higher.
Fortunately, each grief stage has clear indicators and guidance to help people and their companies progress through them rapidly:
Stage 1: Shock and Disavowal
Even if marketers shut their eyes, GDPR regulators will still spot them. Businesses stuck in shock and denial are playing games with the regulation: they overlook it, brush it aside, or even pretend ignorance of the law. This stage is the riskiest because it signals zero progress toward compliance. Therefore, company leaders must educate themselves on GDPR, grasp their obligations, and establish procedures to address consumer data requests, the right to be forgotten, and other mandates.
Stage 2: Suffering and Remorse
Companies in the pain-and-guilt phase view GDPR as an unwelcome burden on business operations. They acknowledge the regulation exists but secretly wish it will vanish on its own. A word of caution: it will not. GDPR represents a long-term initiative to overhaul and harmonize privacy laws, granting consumers authority over data that organizations have amassed without oversight, consent, or security for decades. Because the May deadline concludes a two-year post-adoption grace period (plus several years of prior preparation), enforcement bodies will be ready to act immediately. No amount of internal anguish or guilt can soften external fines.
Stage 3: Frustration and Negotiation
During this stage, internal discussions begin around the bare minimum required. 'What if we only do this? Would that satisfy compliance?' Those negotiating with GDPR grief seek the least they can do—for instance, fixing server location while ignoring everything else. Although GDPR employs a tiered fine structure (e.g., a 2% penalty for disorganized records), neglecting any compliance area will keep the company in ongoing jeopardy.
Stage 4: Despair, Contemplation, and Isolation
Stakeholders enter the fourth stage when they recognize action is necessary for GDPR compliance but lack a full understanding of requirements and where to seek guidance. Often, one or two employees feel isolated as they try to raise GDPR awareness among colleagues but fail to convey the regulation's significance. These GDPR champions may operate in non-EU countries where awareness is low and progress minimal. To assist, they should remind their teams that GDPR's scope is explicit: 'it will apply to the processing of personal data by controllers and processors in the EU, regardless of whether the processing takes place in the EU or not.' Consequently, any company in the U.S., UK, China, Japan, or elsewhere that collects and uses data from EU citizens must comply with GDPR for those consumers.
Stage 5: Turning Point
At this stage, organizations see some progress—they have found answers to their questions but still face a hazy route to full compliance. They frequently visit eugdpr.org, devour industry blogs, and consult business partners, yet they still need to determine concrete steps. Many EU companies likely reside in this fifth stage because awareness is stronger there, but implementation remains mediocre. For example, instead of aiming for complete compliance by May 25, 2018, 62% of surveyed firms are choosing a risk-based defensible stance.
Stage 6: Rebuilding and Execution
In the penultimate stage of GDPR mourning, companies have established clear processes and are taking an offensive rather than defensive approach to compliance. If necessary, they have designated a Data Protection Officer (DPO) and are prepared for upcoming deadlines. Still, even here, organizations might suffer from unclear ownership and program inconsistencies, but they are far more advanced than the majority.
Stage 7: Acceptance and Optimism
Deloitte reports that 61% of businesses recognize additional advantages from remediation efforts beyond mere compliance, reinforcing the idea that GDPR presents a perfect chance to treat privacy as a business catalyst. In this final grief stage, companies understand that increased transparency with consumers results in higher opt-in rates from those genuinely interested in a brand's products and communications. Here, firms do not fear empowered consumers; rather, they embrace the opportunity to engage them via explicit—rather than implied—consent.
The GDPR compliance deadline is rapidly approaching, and it is highly probable that during the initial enforcement period, large corporations employing aggressive and intrusive data marketing will be singled out as examples. However, because individuals now have a straightforward complaint mechanism, every organization must take GDPR warnings seriously and accelerate through these grief stages. Employees, employers, and their business partners all share the responsibility to embrace GDPR—just as they did with Y2K in 1999.
Chris Purcell serves as a Product Marketer at Episerver. His goal is to assist companies in moving beyond superficial digital transformation efforts and achieving concrete, measurable returns.
