News and Events

GDPR - A Double Edged Sword

  • Posted

It is nearly five months since the General Data Protection Regulation (“GDPR”) came into force but whether any business could achieve full compliance is still uncertain. Is it possible that efforts to comply are being drowned in a sea of Data Subject Access Requests (“DSARs”)?

We believe full compliance is almost impossible. In part because GDPR needs to be interpreted, rather than read literally, and businesses are therefore heavily reliant on guidance from the Information Commissioner’s Office (“ICO”). Significant guidance is still awaited. For example, current guidance indicates that it would be impossible to put an employee’s name and contact details on a business website without breaching the rules on international transfers of data.

Guidance changes; so businesses that consider themselves compliant today may not be tomorrow. Unless, that is, they want to challenge the guidance in the Courts. The fact that they could do that may discourage the ICO from bringing enforcement action unless the breach is self-evident and its effect serious.

Within hours of GDPR coming into force pressure groups had made official complaints about some of the FAANGs (Facebook, Apple, Amazon, Netflix and Google). We suspect they were gratefully received as they give the authorities the opportunity to investigate. That sort of complaint is likely to be their focus; if you are trying to comply, the ICO are unlikely to make an example of you.

There is one phrase we now hear regularly: how do we deal with a Data Subject Access Request? GDPR gives the data subject, you and me, the right to ask businesses for a copy of the data that the business holds on us. This is not new; we have been able to do that since 1998, but now the £10 charge has been removed. The removal of the charge does seem to have increased the number of DSARs.

DSARs are now being used to gather information before filing court proceedings and are being used by disgruntled employees or ex-employees, seemingly often just to cause annoyance. The questions that most commonly arise are what must the business send; and what can the business get away with not sending? As usual with GDPR the answers are a matter of interpretation—there is no published list. So, not only must the business expend time and effort gathering and sifting information, it probably needs to pay for legal advice too. More guidance is apparently on its way regarding this very point but for now it is important to remember that for the information to be considered data under GDPR it has to be held on a searchable database; the piece of paper with some general comments (good or bad), does not count, provided you do not file it on the employees record. Perhaps this will be the new excuse for an untidy office!

We can however report one major benefit of GDPR, the amount of spam we receive has reduced dramatically as most of the organisations that had us on their marketing databases asked our consent to continuing to send us direct marketing—and most of us said “No thank you!”

If you have questions on GDPR, you can contact Brian Bannister on 023 8071 7466 or email


This is for information purposes only and is no substitute for, and should not be interpreted as, legal advice.  All content was correct at the time of publishing and we cannot be held responsible for any changes that may invalidate this article.