It was the date pencilled into calendars around the world, touted as the greatest change to data protection of our time.

But with the 25 May deadline for the EU’s General Data Protection Regulation (GDPR) now having come and gone, we’re still yet to see whether the impact of these changes will be as far-reaching as was suggested.

Does this sound at all familiar?

“I view this as this decade’s Y2K,” said Director of Security and Compliance at Okta, Chris Niggel, on GDPR.

“We have a lot of build-up and there’s been a fair amount of concern, particularly around the fines that could potentially be levied.

“But just like Y2K, which came and went and most of us didn’t really notice it, I think [with GDPR] we’re going to have the same sort of thing.

“I don’t believe it’s going to be a significant change or impact to business – it will become the new normal.”

Where businesses might slip up

Despite the Y2K comparison, Niggel still expects to see some hiccups along the way.

Speaking to Information Age from the Oktane18 conference in Las Vegas, he said that although he didn’t anticipate seeing the EU “make an example of somebody out of the gate” with the large fines (€20 million or 4% of annual turnover), it was only a matter of time before a business comes undone.

While much was made about GDPR’s mandatory data breach notification in the leadup to 25 May, Niggel said he expects to see the bulk of fines to come from elsewhere.

“Where those fines, I believe, are largely going to come from is the subject access request,” he said.

Under Article 15 of GDPR, “the data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data.”

This means that an individual can now request to access their personal data from any business at any time, including an employer.

A subject access request can be either written or verbal and in response the business must provide detail on what data is held about the individual within 30 days.

In most cases, businesses will not be able to charge a fee to comply with a subject access request.

“If organisations don’t have those processes in place to respond to those [requests] within the 30 days, and be able to respond to those at a reasonable cost to the company, then we’ll begin to see complaints stack up against them and that’s what’s going to drive the fines.”