During the International Association of Privacy Professionals' Knowledge Net event in London on 17th October, Elizabeth Denham, the Information Commissioner, was asked a question that is as appropriate to schools as it is to businesses.
Question: "What advice would you give businesses if, having tried their very best by the 25th May 2018, they are not completely compliant by this point?"
Answer: “So the law takes effect on 25th May 2018 and we will receive complaints, and there will be breaches and we will need to look at organisations. And what I’ve said to organisations is what I will be looking for is evidence of your commitment and your programme to build the compliance.
It’s not necessarily going to be perfect on the first day, but then again we have had the text for two years so it’s not a surprise about what obligations are contained in the law. The other thing is, if there is a serious contravention of the law, we’ll just look at whether or not you have done what you needed to do to prevent that breach or that contravention from happening.
So I can’t say I’m giving a grace period at all. There isn’t a grace period. But again, we are a proportionate, reasonable, risk-based regulator and there is no reason why we are suddenly going to change into a different kind of regulator because we have new tools in our regulatory toolbox.
And remember, it’s not just about fines. There are other tools that I think are really important to getting this right and developing good practice around data and what to do.”
Elizabeth Denham, Information Commissioner
So what does that mean? It means take reasonable measures to prepare and assess your risks. And where there are risks to the rights of data subjects in the way you handle data, do something about it. But excuses such as ignorance, or not doing anything because of size and budgets, won't help you if something goes wrong.