GDPR – A look at the last year - PKF Francis Clark
skip to Main Content
Merry Christmas! Our offices will be closed from 1pm on Christmas Eve, reopening on Tuesday 4 January.

GDPR – A look at the last year

The 25 May 2019 will mark the first full year since GDPR became enforced. In this article, we’re going to take a look at what the effects have been and how businesses have coped so far. With just 125 enforcement actions by the Information Commissioner’s Office (ICO) and 74 monetary penalties (under the Data Protection Act) in the UK to date, this regulation has not had quite as many fangs as everyone expected it to, or are businesses simply not experiencing the full force of it yet?

The level of tension in the few months leading up to, and shortly after, the enforcement of GDPR was palpable. The potential fines that can now be levied are significant enough to give even global giants pause for thought. The general response was a flood of emails asking people to opt-in for marketing, mostly these were ignored. The effect this had on marketing lists was devastating, with lists in the thousands being culled to just a few hundred for many firms. This need not have happened as, for many of the people on these lists, continued marketing could have been justified under “Legitimate Interest”, one of the six lawful grounds for data processing under GDPR.

Knee-jerk reactions such as this could be partially responsible for why the ICO has not taken near as many enforcement actions as was perhaps expected by this point. With all personal data breaches needing to be reported to the ICO, some businesses have gone to extremes in order to make sure that they are covered, leading to an extensive amount of over-reporting. It can be assumed that the ICO did not originally expect this inundation of over-reporting and, as such, are not currently equipped to deal with the sheer volume of reports, whatever the reason, it has meant that they have focused on the more severe breaches, with some smaller ones so far escaping their attentions.

Another factor could be that the ICO and other Data Protection Authorities (DPAs) have been lenient in this opening year in order to allow everyone to get used to the new regulation. The changes involved are so massive for many organisations and it’s reasonable to expect an adjustment period where mistakes will be made. Perhaps this is why lesser infractions aren’t come down upon so heavily? As we close out the year it’s predicted in many circles that the DPAs will begin to be more stringent with their sanctions.

One thing that can be said for sure about this year is that being GDPR compliant is a lot of work. Finding the resources to tackle this issue has proven demanding for every organisation in terms of time, personnel, and financing the whole operation. Experienced privacy professionals are in high-demand and hard to come by, this means they can be expected to be expensive as well. Many organisations have simply appointed someone within the organisation as a data protection officer (DPO) on top of their other duties but does this provide the level of expertise needed to implement the correct policies and procedures and can they manage this alongside their other duties? Whilst, in some cases, the answer may well be “yes”, the majority of the time it will be “probably not”. Smaller organisations can handle the lack of a dedicated data protection specialist as they likely don’t process enough data to create a huge risk. As organisations grow larger, however, they should consider assigning the role to someone that can offer it the attention it merits.

As we look toward the future one thing is clear; GDPR is not going anywhere, even in a post-Brexit world. Now that we’ve had a chance to get to grips with the realities and challenges that such regulation entails, we can expect to be held to it more strictly. Having clear policies and procedures in our organisations will aid us in handling the situation, as will knowing what to report and when. The consequences for non-compliance have the potential to impact organisations severely both in terms of monetary penalties and reputational damage and so action should both be taken and regularly reviewed.

How and when to report a breach –

A checklist for the lawful grounds for data processing –

By Peter Lannon

Back To Top