Happy GDPR –Versary!


The GDPR has now been in force for over a year– where are we after the rush, uncertainty (and headaches!) of May 2018?

GDPR in Numbers – One year on…..

Across Europe, since the implementation of the GDPR on 25th May 2018…

500,000+          organisations estimated to have registered a Data Protection Officer (DPO) – there are 32,000 registered in the UK alone

280,000+          cases have been received by DPOs


144,000+          are complaints from individuals

GDPR enforcement across Europe has also resulted in €56,000,000+  being recovered in fines

(Source – IAPP.org)

So what does this mean for all of us? And what do we think that the next 12 months of GDPR will bring?

2018 was only the beginning

2018 doesn’t appear to have answered all of our questions on the GDPR – we’re still anticipating guidance from the European Data Protection Board on children’s data, what the concepts of data controller and data processor mean, and how companies and organisations can more efficiently build data protection into their day to day operations. Every organisation will need to keep its fingers on the pulse to make sure that they keep on top of the latest developments.

After some serious scares around the increase in fines under the GDPR (up to €20 million, or 4% of an organisation’s annual global turnover), we have seen one major fine as a result of GDPR – of the €56,000,000 recovered in fines, €50,000,000 of this alone was a single fine issued by the French data protection authority, CNIL, to Google.

CNIL found that Google failed to provide users with clear and understandable information on how it processes data, so that customers were effectively prevented from opting out of marketing. We can expect to see more fines as data protection authorities such as the Information Commissioner’s Office (ICO) run through their investigations – they’re already cracking down on organisations that haven’t paid their data protection fee.

GDPR hasn’t only had an effect in Europe – globally, many nations have also started looking at their own rules around data protection, and they’ve been looking to the GDPR for inspiration. The California Consumer Privacy Act mirrors many of the principles of the GDPR, and Brazil is also reviewing its data protection rules.

We are all more aware of our data rights

Following on from the implementation of the GDPR, it seems that we’re all more aware of our right to protect our personal data – according to the European Commission, 67% of Europeans have heard of the GDPR, and 50% know that there is an organisation who’s responsible for protecting their personal data (like the ICO in the UK).

DPOs across Europe have seen 144,000+ complaints following the implementation for the GDPR – the ICO alone have seen an 133% increase in the complaints it received between May –October 2018. Common complaints include difficulties around accessing personal data, unwanted marketing and unfair data processing by organisations.

Will this trend continue as we see the new GDPR regime develop?  As well as creating increased awareness of our data rights, the GDPR does allow individuals to take court action against organisations if their data rights are breached – we may see an increase in court cases as public awareness grows.

Compliance is a marathon, not a sprint

One of the key differences between the old Data Protection Act and the current regime is that we all have to demonstrate ongoing compliance with the principals of the GDPR – it isn’t enough to have policies and procedures in place, you need to keep monitoring and reviewing them to make sure they work.

We all sprinted to get our consents and policies in place before 25th May 2018, but we all need to make sure that we’re running the marathon and protecting customer data for the long term – businesses work better when their customers trust them with their data.

If you’re uncertain on, or in a muddle over your GDPR obligations, or feel you just need some fine tuning our data protection specialists can help you.  We deal with all aspects of Data Protection – whether you have a quick query or need a full compliance audit. Call our commercial team on 0161 926 9969 or email commercial@mlplaw.co.uk