Mark Williams, Corporate Finance Partner, reflects on GDPR one year on.
The General Data Protection Regulation (GDPR) and the Data Protection Act 2018 have recently celebrated their first birthday, so now seems an opportune moment to reflect on the first twelve months. A year ago your inbox will have been swamped with updated privacy notices and ‘opt in’ or ‘opt out’ questionnaires to complete, and now that all of this has tailed off it is easy to think that it is business as usual and nothing has really changed from the old regime. However, the introduction of the new data protection regime twelve months ago was a starting point, not the finish line.
Since its introduction the UK’s Information Commissioner’s Office (ICO) has received more than 40,000 data protection complaints, and over 14,000 personal data breaches have been reported. This is an exponential rise compared to the numbers received before GDPR and may be partly due to increased awareness of data protection.
Despite the increase in complaints and reports, the number of hefty fines in the first 12 months was very low and the regulators were criticised for this. However, there have been a couple of headline-grabbing breaches, including the announcement earlier this month that the ICO intends to fine British Airways £183m for data protection infringement. This related to a cyber incident notified to the ICO by British Airways in September 2018, in which user traffic to the British Airways website was diverted to a fraudulent site where customer details were harvested by the attackers. Personal data of approximately 500,000 customers was compromised in this incident. The ICO’s investigation found that a variety of information was compromised by poor security arrangements at BA, including log-in, payment card and travel booking details as well as name and address information.
However, as the British Airways case demonstrates, these investigations take time and are often complex. The ICO has grown in size and capability, so we may well find that more fines and enforcement notices are issued by the ICO as ongoing and new investigations reach a conclusion.
The last piece of major data protection legislation lasted 20 years, so in relative terms GDPR and the Data Protection Act 2018 are in their infancy. The increased regulation and more stringent requirements represent a worldwide direction of travel in data protection, with draft legislation similar to GDPR in the process of being introduced in major countries around the world, so this regime is only going to mature and become more prevalent as time marches on.
The period in the run-up to the introduction of GDPR via the Data Protection Act 2018 was an opportunity for businesses to undertake a housekeeping exercise on the data that they hold and to implement suitable policies. The first anniversary now presents the ideal moment to assess compliance with GDPR, as it is never too late to improve on this. As Elizabeth Denham, the Information Commissioner, said in the BA case:
“People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft, it is more than an inconvenience. That is why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check that they have taken appropriate steps to protect fundamental privacy rights.”
This statement does not apply only to large multinational businesses. It applies to every business.
At Gaby Hardwicke, our specialist and experienced solicitors can provide you with data protection advice and prepare documentation to ensure that your business is fully compliant and has robust policies in place to protect it.
For further details please contact: