GDPR: a year on


In the lead up to the introduction of the GDPR regulations in May 2018, it felt like we were on the brink of something catastrophic. Inboxes were being flooded with messages saying, ‘are you prepared’, ‘are you ready for the impending deadline?’, ‘the clock is ticking’. This caused panic among businesses.

Marketing, communication and PR departments were rushing about putting last minute procedures in place and drafting consent forms which provide consent to signing consent forms. Data officers were outlining policy after policy in a bid to ensure their company wouldn’t be fined £3 billion
(or something more reasonable) by the data regulators. And bloggers were writing posts pretending to know what you had to do to avoid destroying your business when the regulations came in, even though no one had any real idea what the rules of the confusing new world were.

We all held our breath and waited for the ever-impending doom the new data protection regulations would have on our practices. But 25 May came, and we survived. People came out from under cover to see that the world was alright after all. I continued to receive emails from random businesses I have never had any dealings with in the past or in some cases even heard of. The family home still receives automated phone calls about help with cleaning the oven (which I took them up on).

The lack of any real change on a day-to-day basis had me thinking, how much has really changed since the new regulations came into play? Are businesses playing by the new rules and processing our data efficiently and securely? Are they being transparent about what they are doing with our data? And most importantly, where can I find a good oven cleaner?

To celebrate GDPR’s one-year anniversary (sorry, I couldn’t invite you to the celebration without breaking regulations), we took a look back at how GDPR has impacted businesses in its first year.

First prize goes to

It wasn’t till late September in 2018 that a story broke of a business receiving the first formal notice from the UK’s data protection watchdog. AggregateIQ (AIQ), a Canadian analytics firm which carried out work for Vote Leave, was accused of processing people’s data for ‘purposes which would not be expected.’

The company has also been linked to Cambridge Analytica, who has been credited (is that the right word?) with helping Donald Trump win his presidency in 2016. So AIQ hasn’t had the best publicity lately and it will be interesting to see if any more comes of its GDPR notice.

Underneath the surface, GDPR cases have been building and when you look across Europe there has been a few significant cases opened and a few businesses have had their fingers burnt.

French regulator CNIL fined Google €50 million for not being explicit enough when collecting consent. Privacy Advocate Max Schrems’ non-profit, None of Your Business (NOYB) is taking eight internet companies to court in Austria for ‘Right to Access’ violations.

Household names breaking the rules?

In mid-January this year, a number of high-profile entertainment companies were accused of breaching EU data regulations, when some members of NOYB requested a copy of their data. Amazon, Apple, Netflix, Google and Spotify – five household names – were some of the businesses contacted.

According to a BBC article, NOYB believed many of the entertainment companies did not comply with GDPR regulation, in particular the rule that states EU customers have the right to access a copy of the personal data companies hold about them. This data must be clear and easy for someone to read.

If any of these businesses are found to be guilty of breaking GDPR rules, then they will face huge fines which could set a precedent for any businesses who still aren’t complying with the data regulations when operating in the EU.

It would appear that many businesses are claiming they are GDPR compliant without in fact following through – which probably isn’t surprising to many. It will be interesting to see over the next year how many businesses, big or small are faced with complaints and slapped with fines that could have a real impact on their business. It would appear ‘doomsday’ is on its way for those who aren’t compliant.