Over time, unenforced regulations simply get ignored and become useless. It is likely that things won’t change until the regulators make them change, and they will have to go sooner or later through a harder enforcement line.
Quite a lot will now go down to the regulator’s appetite. If they are inconsistent, too heavy-handed or too lenient, focus only on the GAFA, or pick the wrong battles with small firms, they will dilute the act, endanger their credibility and lose momentum.
The bottom line, I think, is that (regardless of GDPR and its jurisdiction) a mutable company can’t afford to have a breakdown of trust with its customers and other stakeholders – as Facebook is discovering. GDPR may simply be a catalyst for bringing data-related trust issues to the surface.
May 2018 sees the enforcement of GDPR. How you ensure that you’re compliant is potentially messy depending on your role and intent. Data that you think is not subject to GDPR may in fact be so.