GDPR four months on: What's changed?

The new General Data Protection Regulation (GDPR) came into force on 25 May this year. It, together with the Data Protection Act 2018 (DPA 2018), replaced existing laws in the UK relating to data protection and became an obligatory requirement across the whole of the European Union. Even though this had been bubbling away in the news for several months, there were concerns that businesses remained relatively in the dark about what they had to do. In the end, the majority of cases saw a last-minute scramble to implement the new regulation – and it appears to be still on-going.

Now the dust has settled, there are still things left to do. The Information Commissioner’s Office (ICO) has already said it understands the minefields that businesses must wade through in order to comply, and have agreed that for a time they will be more flexible in their approach to businesses who have not yet caught up. However, this won’t last forever, and businesses must remember that breaching the GDPR has severe consequences. Fines of up to 10 million Euros or 2% of annual turnover (Level 1), or up to 20 million Euros or 4% of annual turnover (Level 2) per breach are a real possibility. Other consequences could be even worse for businesses than fines including court claims for data breaches or the ICO demanding compulsory audits or preventing you from processing data (thereby potentially shutting businesses down).

Complaints are on the rise
Not all companies have managed to properly adapt and according to a recent article in a national newspaper, many countries have reported a sharp rise in the number of complaints for apparent breaches of the GDPR. The ICO and the French CNIL have both reported that the number of complaints of this type have increased considerably. France, for example, has seen a 50% increase in complaints. Although the ICO has not yet issued any fines under the GDPR this is because of a backlog in its work. With the Regulator set to imminently recruit 40% more staff this will eventually change and fines under GDPR will start to be imposed.

Social media scrutiny
Many of the complaints have been towards companies such as Google, Facebook, or Twitter. This is because they have seemingly managed to avoid changing their data treatment policies in favour of a standardised message, and forced users to accept it. If users didn’t accept, their accounts would be blocked or removed altogether.

A step too far?
If a user chose not to accept these new policies, or simply didn’t click on the link in the email, the company that sent it would be forced to remove many users from their database – users whose permission, in fact, didn’t need to be asked.

If users’ data had been obtained legitimately, chances are no new consent was needed. Now if a majority of users unsubscribe, a lot of companies have lost out on data – and therefore future revenue – completely unnecessarily.

Of course, it is best to err on the side of caution, but it will be interesting to see how the next few years will fare as the GDPR legislation settles down.

ePrivacy Regulation - Further legislation in the pipeline
The new legislation will probably not end with the GDPR and DPA 2018 with the EU’s new e-Privacy Regulation expected in the not too distant future. Depending on what happens with Brexit this is expected to replace the UK’s existing Privacy and Communications Regulations and readers will be interested to see how this affects their businesses, for example around email marketing.

If you would like any information relating to any legal aspect of running your business, contact Downs Solicitors to see how we can help.

More blog posts from this author

Family Investment Companies

What is a family investment company (FIC)?

FICs are companies limited by shares (an “Ltd” or “Limited”) often setup by parents or grandparents (“Founders”) to benefit both themselves and their family as shareholders. Their popularity has increased in recent years, being seen as a corporate alternative to the more common discretionary trust.

Election round up – the results

We've woken up to the news this morning that, following a public vote in a general election, the Conservative party will be forming a government after winning the biggest majority vote in over 30 years.

BA Faces "Largest" GDPR Breach Fine

British Airways (BA) looks set to face the largest GDPR penalty by the Information Commissioner’s Office (ICO) of £183m for last year’s data breach that put 500,000 customers’ details at risk.

More blog posts from this sector

With the latest Government advice - Do I still need work from home?

The Government’s roadmap identified that until England reached Step 4 of the Roadmap, employees should work from home where they can. As we are aware Step 4 has been delayed from 21st June to 19th July 2021 and therefore, employers should continue with home working wherever possible until the 19th July.  

Changing an employee’s terms and conditions is challenging both from a legal and trust perspective.

British Gas has been in the media over recent weeks due to the “fire and rehire” approach with their employees.

What are restrictive covenants and why do I need them?

I own a start-up which grew very quickly and a few years ago I hired in a couple of senior personnel to help run the business. After 5 years, one of these senior hires is now leaving the business and going to a company which isn’t a direct competitor but operates in a very similar field.

Our Team

Meet all of the team at Downslaw


15A High Street
KT11 3DH

T: 01932 589599
F: 01932 505087

DX: 46102 COBHAM


156 High Street

T: 01306 880110
F: 01306 471230



The Tanners
75 Meadrow

T: 01483 861848
F: 01483 431965