10 December 2018

GDPR 6 months on

Why it's important for the management, within any organisation, to be continually switched on to the requirements of GDPR

I’m sure by now you are very familiar with the acronym GDPR. It’s been nearly six months since the General Data Protection Regulation came into force within the UK and across Europe, but where exactly are we six months down the line?

It’s still too early to see what impact the new regulation is having on any given organisation, but what we do know is that management needs to be continually switched on to the requirements of GDPR, given the day-to-day data processing activities being undertaken.

Data breaches

We continue to see examples of high profile data breaches – most recently British Airways and Facebook (again) come to mind – and it will be interesting to see how the Information Commissioner’s Office (ICO) treats these in terms of sanctions, given they are data breaches that happened after the GDPR enforcement date.

Staying with potential penalties and the power the ICO now has to issue them under GDPR, we have yet to see any large post-GDPR examples. Given the investigatory lag that follows any reported breach (especially large ones such as the British Airways scenario), we are not expecting to see any post-GDPR penalties announced until early in 2019, so we will continue to keep an eye out for these.

All penalties currently being issued by the ICO appear to relate to the pre-GDPR regime, where the maximum penalty under the old Data Protection Act was £500,000. By comparison, if we take the recent Facebook breach, they could be fined over £1 billion under GDPR, which demonstrates the power that regulators now have.

In advance of the 25 May enforcement date, the ICO seemed to be taking a slightly softer stance in relation to organisations being fully compliant. They recognised that a significant number of organisations were still actively working towards compliance and announced that, as long as an organisation could provide evidence that work was underway, 25 May was not deemed a ‘hard deadline’. It was very important, however, that any organisation that wasn’t ready by 25 May was able to provide this evidence to satisfy the accountability and transparency principles of the GDPR.

Accountability requirement

So as professional advisors, what are we seeing now, some six months later?

There are still a significant number of organisations continuing to work towards full compliance, but very quickly we’re seeing a shift from ‘getting ready for GDPR’ to focusing on how to satisfy the accountability requirement – that is, how you will ensure your organisation continues to comply with the regulation going forward.

Article 5 of the GDPR sets out the accountability principle. This is the part of the regulation every organisation will need to ensure they’re on top of and able to evidence, at least annually, going forward.

The responsibility of satisfying the accountability principle falls upon the assigned Data Protection Officer or, if one is not deemed necessary, the individual that has been allocated the responsibility of data protection within an organisation.

Every organisation will need to consider whether all policies, procedures and systems that have been introduced or amended are being adhered to, and whether they are working effectively to ensure that the organisation continues to operate within the expectations of the regulation.

This means introducing a GDPR compliance project plan that incorporates appropriate testing and verification techniques, so at the end of the year management are able to assess what’s working well and what needs further improvement.

We’ve launched an outsourced offering of the Data Protection or Data Compliance Officer function, which includes the management and running of the ongoing GDPR compliance monitoring plan and, moreover, enables the organisation to pass more of the responsibility for data protection to an outsourced provider. If your organisation doesn’t require our full outsourced service, we’re also able to provide just our ongoing GDPR compliance monitoring service.

More regulation

If you thought that GDPR was enough, then think again – another regulation, the ‘ePrivacy Regulation’, is under discussion within the European Commission, to be finalised and enforced sometime in 2019.

The ePrivacy regulation will govern the protection of personal data in electronic communications and will apply to any organisation that provides any form of online communication service, uses online tracking technologies or engages in electronic direct marketing.

It will replace Directive 2002/58/EC, which is the basis of the current UK regulation on Privacy and Electronic Communications, and will carry the same penalties for non-compliance as GDPR, i.e. the greater of €20 million or 4% of annual global turnover.