News and Events

General Data Protection Regulations (GDPR): Information for businesses 3 years on

View profile for Grant Usher
  • Posted
  • Author

25 May 2021 marked the third anniversary of the introduction of the General Data Protection Regulation (‘GDPR’). The GDPR, prior to its introduction, was thought of by businesses and companies across Europe as a major revolution in the law around data protection. Many companies reviewed and amended their processes and procedures in light of the forthcoming regulation being implemented. Coupled with that, there were many scare stories on the internet and in the media about what the GDPR could mean for businesses, particularly in relation to the enhanced penalties that could be issued to companies who were in breach of the regulations. Grant Usher, Company Commercial Solicitor looks at the events of the last three years and how the implementation of the GDPR has transpired.

Data Protection Policies under the spotlight

Unquestionably, the GDPR brought a renewed focus on the importance of data protection particularly in the world we currently live in, which is ever more connected by technology. Prior to the implementation of the GDPR and the Data Protection Act 2018, the relevant legislation in the UK (in terms of domestic law) was the Data Protection Act 1998. It is plainly obvious that the world has completely changed in terms of technology and its everyday use by individuals around the world since 1998 and therefore this update in law was arguably long overdue.

It would appear that the implementation of GDPR led to companies actively reviewing and amending their processes and procedures (i.e. creating or putting in place new data protection and privacy policies). This has certainly been a positive step and means, in theory at least, that companies are actively considering the protection of the data they hold or process and how it affects the rights in law of the individuals those companies deal with. Furthermore companies, in the main, appear to be offering more staff training on data protection and how employees showed manage the personal data they come into contact with as part of their day-to-day jobs.

GDPR and Brexit

Of course, one of the biggest changes for businesses in the UK since the implementation of the GDPR is Brexit. When the UK left the European Union at the end of 2020, the GDPR which was implemented in 2018 technically no longer applied moving forwards in the UK.

That being said the GDPR was incorporated into domestic law following the conclusion of the U.K.'s exit from the European Union and it goes by the name of 'UK GDPR' now, plus the aforementioned Data Protection Act 2018 has come into force too. In practice, this means there have not been many significant changes to the obligations, rights and requirements that companies needed to comply with in the UK.

The biggest change connected with the GDPR and Brexit is in relation to data transfers from EU member states to the UK. Under data protection legislation, there must be sufficient protections in place to transfer data safely from an EU member state to a nation outside of the EU. There are various methods of how this can be done whilst complying with the legislation, but there is only a temporary measure in place between the EU and the UK currently - a temporary mechanism which is set out in the EU-UK Trade and Cooperation Agreement. This is a temporary solution for now and it is likely that an adequacy decision will be forthcoming in the near future which will mean that data flows from the EU to the UK should all be covered by the wording contained in the European Commission's adequacy decision.

GDPR penalties

One previous criticism of the former legislation was that its penalties were not sufficient or proportionate to the breaches committed under the legislation. This all changed on implementation of the GDPR where penalties increased substantially from £500,000 to a maximum of €20 million or 4% of a company's global turnover (whichever is the greater). The regulators have generally been firm but fair with their enforcement action. They made it clear in the run-up to the implementation of the GDPR in 2018 that they did not intend to issue massive fines for the most minor of breaches and that they would be reasonable and proportionate with the companies they encounter. That being said, of course they stressed they would issue major fines if the circumstances dictated this. Current data suggests that over the last three years data protection authorities across Europe have delivered approximately 700 enforcement actions, levying fines for a total monetary value of approximately €280 million.

It is clear from this that the regulators are not afraid to issue monetary fines where it is appropriate and therefore it is of the utmost importance that businesses review their data protection processes and procedures on a regular basis (ideally every six months or so, as a minimum). The reason it is important is because the UK's data protection regulator (the information Commissioner's Office) may seek to audit a business and will be looking for evidence of the business’s data protection policies, workflows and paperwork to demonstrate how their business processes the personal data it holds. Whilst having a data protection policy in on itself does not necessarily mean your business will be compliant, it will go towards demonstrating attempted compliance with the law. In the same respect, it is important that the staff of the business are regularly trained on the data protection - both the law and how it affects them in their job.

The future for GDPR

Whilst the data protection regulations changed just over three years ago that is not to say there will not be further change in the future. In fact, the legislation is just' bedding down' for companies across the UK and Europe. Further change is anticipated in due course in the following ways:

  • In relation to the safeguarding of personal data between countries - it is very likely that new standard contractual clauses will be put in place sooner rather than later, meaning that appropriate wording approved in law can be inserted into contracts between companies processing data between countries - this is currently on the agenda but as at the time of writing no current wording is in place.
  • Furthermore it is likely that businesses across the Atlantic are keeping a close eye on the new data protection regulations and legislators in the US may well seek to modify their legislation, known as the Privacy Shield, in light of the general success of the GDPR.

It is clear from the above that data protection legislation is a major issue in today's world and is an ever-changing area of law. Therefore please do not hesitate to contact us if we can assist your business with reviewing its data protection policies and procedures, assisting with drafting data processing agreements or advising your business in the event of a data breach.  To discuss your policies and procedures with Grant or a member of the team, contact us today on 023 8071 7413 or email


This is for information purposes only and is no substitute for, and should not be interpreted as, legal advice.  All content was correct at the time of publishing and we cannot be held responsible for any changes that may invalidate this article.