GDPR four months on: What's changed?

The new General Data Protection Regulation (GDPR) came into force on 25 May this year. It, together with the Data Protection Act 2018 (DPA 2018), replaced existing laws in the UK relating to data protection and became an obligatory requirement across the whole of the European Union. Even though this had been bubbling away in the news for several months, there were concerns that businesses remained relatively in the dark about what they had to do. In the end, the majority of cases saw a last-minute scramble to implement the new regulation – and it appears to be still on-going.

Now the dust has settled, there are still things left to do. The Information Commissioner’s Office (ICO) has already said it understands the minefields that businesses must wade through in order to comply, and have agreed that for a time they will be more flexible in their approach to businesses who have not yet caught up. However, this won’t last forever, and businesses must remember that breaching the GDPR has severe consequences. Fines of up to 10 million Euros or 2% of annual turnover (Level 1), or up to 20 million Euros or 4% of annual turnover (Level 2) per breach are a real possibility. Other consequences could be even worse for businesses than fines including court claims for data breaches or the ICO demanding compulsory audits or preventing you from processing data (thereby potentially shutting businesses down).

Complaints are on the rise
Not all companies have managed to properly adapt and according to a recent article in a national newspaper, many countries have reported a sharp rise in the number of complaints for apparent breaches of the GDPR. The ICO and the French CNIL have both reported that the number of complaints of this type have increased considerably. France, for example, has seen a 50% increase in complaints. Although the ICO has not yet issued any fines under the GDPR this is because of a backlog in its work. With the Regulator set to imminently recruit 40% more staff this will eventually change and fines under GDPR will start to be imposed.

Social media scrutiny
Many of the complaints have been towards companies such as Google, Facebook, or Twitter. This is because they have seemingly managed to avoid changing their data treatment policies in favour of a standardised message, and forced users to accept it. If users didn’t accept, their accounts would be blocked or removed altogether.

A step too far?
If a user chose not to accept these new policies, or simply didn’t click on the link in the email, the company that sent it would be forced to remove many users from their database – users whose permission, in fact, didn’t need to be asked.

If users’ data had been obtained legitimately, chances are no new consent was needed. Now if a majority of users unsubscribe, a lot of companies have lost out on data – and therefore future revenue – completely unnecessarily.

Of course, it is best to err on the side of caution, but it will be interesting to see how the next few years will fare as the GDPR legislation settles down.

ePrivacy Regulation - Further legislation in the pipeline
The new legislation will probably not end with the GDPR and DPA 2018 with the EU’s new e-Privacy Regulation expected in the not too distant future. Depending on what happens with Brexit this is expected to replace the UK’s existing Privacy and Communications Regulations and readers will be interested to see how this affects their businesses, for example around email marketing.

If you would like any information relating to any legal aspect of running your business, contact Downs Solicitors to see how we can help.

Richard Clapham

Richard Clapham


Tel: +44 (0) 1483 411531

Office: Godalming Office