
GDPR turns one; the impact, the lessons and the future


The General Data Protection Regulation (GDPR) was implemented a year ago, requiring businesses to adapt to the most revolutionary change in data protection in years. Even though 12 months have now passed, businesses are still working towards compliance with the regulations. Here, we explain the practical impact GDPR has had on businesses, the fines that have been imposed thus far and what to expect in the future.

How has GDPR impacted businesses?

This first year has been described as a transition year by the ICO and by other data privacy regulators across the EU. Indeed, many businesses are still in the process of fine-tuning their GDPR compliance, although it is likely that this “grace period” will very soon be coming to an end.

One practical effect of GDPR is that it has created a lot of bureaucracy. Businesses have had to create new roles within their firms and have had to spend both time and money not only on ensuring GDPR compliance, but also on responding to Data Subject Access Requests. It would appear that the frequency of these has increased since GDPR abolished the charge, with businesses finding it difficult to comply within the one-month deadline given to send the requested data.

We have also seen an increase in data subjects hoping (usually in vain) for compensation following relatively minor data breaches.

What have we learnt since the introduction of GDPR?

GDPR created new obligations for businesses, and new rights for individuals. Data protection is now higher up the list of priorities for businesses, and individuals are more aware of the rights attached to their data. GDPR has undoubtedly forced businesses’ hands in addressing the flaws in their data security systems. All regulators across the EU have seen the number of data breach notifications rise.

Reinforcing data subjects’ rights was arguably needed; the number of complaints to the ICO from data subjects increased by 160% during the summer of 2018.

New powers were also created for supervisory authorities across the EU. Whilst GDPR caused fear among businesses of potentially huge fines, very few significant fines have in fact been imposed. It might be that the year has been a transitional period for both businesses and supervisory authorities, and that investigations commenced after May 2018 have not yet concluded. However, it is also true that the ICO, in the days leading up to GDPR, stated: “It’s about putting the consumer and citizen first. Thinking that GDPR is about crippling financial punishment misses the point.”

The total value of fines imposed by the supervisory authorities of the EEA as of March 2019 reached nearly 56 million euros – an impressive number until you realise that this is mainly made up of one fine:

1). The CNIL, the French data regulator, fined Google 50 million euros (£44m) for "lack of transparency, inadequate information and lack of valid consent regarding advert personalisation".

2). In mid-April 2019, the ICO fined Bounty (UK) Ltd £400,000 for sharing 14m individuals’ data without informing these individuals that it might do so. This, however, related to “offences” committed under the old Data Protection Act, where the maximum fine was £500,000.

3). British Airways suffered a hack of its customers’ information. A fine will most likely be imposed, and they are likely to have to pay financial compensation to the affected individuals.

One can assume that enforcement will increase with time as less of the ICO’s resources are used in assisting businesses with early compliance issues.

The future of GDPR?

There are several areas of the legislation whose impact we are yet to see, and one significant factor that could alter the effect of the legislation completely:

1). Article 27 Representative – some clarification is required with regard to Article 27, which states that a controller or processor not established in the EU shall designate in writing a representative in the EU. The definition of ‘establishment’ used in this part of the legislation is vague and the practical application of this remains to be detailed.

2). Other countries and trade – some other countries have now implemented stricter data protection laws and others are considering doing so. The Indian parliament, for instance, is currently debating data protection legislation reflecting aspects of GDPR. South Korea is also updating its regulations. Brazil and California have new laws which came into effect in 2018 which have also been influenced by GDPR. We can therefore expect to see other countries implementing similar laws.

3). Brexit – GDPR is European legislation. Its European roots can be seen throughout the legislation, which provides numerous aims to be achieved by its members with little help on how to achieve them. The basis of consent, as well as the wider, more general (and rather vague) drafting, is typical of civil law jurisdictions.

However, the ICO has stated that UK businesses will still need to maintain current practices after Brexit, if they operate mainly in the UK. If your business operates in the UK and the EU/EEA, you will need to comply with European law and UK law after Brexit. Post-Brexit UK data privacy laws are likely to be almost indistinguishable from GDPR in reality.

Businesses which are GDPR compliant will have fewer data breaches and be more efficient at identifying and correcting the breaches. They will also find it easier to answer compliance questions from their larger customers. For advice on how you can ensure GDPR compliance, you can contact  on 023 8071 7717 or email


This is for information purposes only and is no substitute for, and should not be interpreted as, legal advice. All content was correct at the time of publishing and we cannot be held responsible for any changes that may invalidate this article.