Not being enforced does not mean it is not currently law. GDPR is already on the statute for all EU member states and requires no further process since it is not a directive and is therefore automatically adopted by all EU member states without requiring any enabling legislation - therefore it is law right now. We are in an "implementation phase", and the 25th of May is the point in time when that phase ends and when the consequences of non-compliance become a reality - i.e., fines imposed by the EU. A bit like speeding, it's a limit and not a target. If you are non-compliant now, you're no less guilty of non-compliance before the 25th of May than you are after that date. It's just that after that date you can say "hello" to the 20,000,000 euro fines. You are still expected to be compliant, and if you're not then there is nothing to stop a private action from seeking its own sanctions against a non-compliant EU entity, or even a non-EU entity through the EU-based party which shared data with them. The only saving grace for non-compliant companies before the 25th of May is that most "data subjects" are just regular people who don't have the appetite for that type of legal confrontation ... you'll note I said "most".

Any organisation that is non-compliant right now, a little over a month away from the deadline, is sleep-walking into a world of pain. My worry is that their non-compliance now leaves them exposed to potentially crippling and potentially business-destroying fines which ultimately leave us, the consumers, high and dry. Expect the brown smelly stuff to hit the rapidly rotating thing at midnight on the 25th of May.

Regardless of all of that - I'm still absolutely furious at the manner in which Ducati have already exposed our data. Unencrypted links in emails containing personally identifiable data to reset a password without any form of prior authentication are unbelievable, unacceptable, and potentially hugely damaging. GDPR or not, for that alone they have a case to answer today!