
If you get a request today, you've got a month to comply, so in a way you're right. However, it really depends on how big your company is and how little you have prepared. Your absolute minimum is to have a statement that says that you are going to use the data you gather for contract purposes and to list the 3rd parties that you need to send that data to for contract purposes.

But then, if you are using data for other purposes, it's a bit complicated because you'll have to refrain from doing so until you are compliant. It doesn't necessarily have to be shady stuff. Even if you aren't sure if what you are doing is contract basis or not, it can be a pain. It's not necessarily massively difficult, but if you woke up yesterday and thought "OMG! We haven't done GDPR! What are we going to do?", then I can see this.

I've written earlier about how the company I'm working for now has changed what it is doing with data, even though I don't think they were doing anything shady previously. But it's more like, "Do we really want to list a lot of things and piss off the customer?" So now there are heated discussions of what 3 (or whatever other small number) of things we might collect data for because we believe that's the kind of limit that the customer will tolerate.

All of these discussions take time -- especially in a large organisation. And you can see in discussions on HN, there is going to be a large backlash of "Why do we have to do this anyway? Can't we just ignore it?" which wastes a lot more time.

Sounds like they want to be compliant, but are just not ready yet. A miss on their part, but hopefully they will get things in order quickly.


