Procurement · 11 January 2019

8 months into GDPR: The journey so far and what businesses need to do in 2019

ICO officers raided Cambridge Analytica offices in March 2018
The General Data Protection Regulation (GDPR) came into force in May 2018, and eight months on, the implementation of the law has been staggering.

From a business perspective, the changes made to existing or in some cases non-existing data protection policies and procedures were significant.

The media has given this topic a lot of attention over the last eight months which has helped raise awareness among individuals, giving them more power to control how their data is used and to hold businesses to account for their actions. Whilst the spirit of the regulations is clear, the work involved for businesses and the means by which this tool could be used is causing many concerns and, in some cases, a detriment.

The media has reported that there has been a significant increase in data breach notifications to the Information Commissioner’s Office (ICO), the UK’s data protection regulator, since the law came into force. This is not a surprise given that individuals, some from a consumer point of view, are more aware of their rights and are holding businesses to account.

There appears to be a simple explanation for this. Companies which collected and processed large amounts of customer data were being subjected to more leaks and cyber-attacks. This, in turn, was harming their customers because their data was being taken and used by criminals for fraud, often causing financial harm and distress to those whose leaked data was being abused.

Other examples include companies taking customer data and passing it on to third parties, often without the customer having consented to this. This manifested in cold callers continuously calling individuals about services or products they were not interested in. Just think about the number of calls the average consumer receives about PPI or accident claims. Do they actually recall providing their personal details to the company making the call? Most likely not. So then ask this question: how did they obtain my data?

As a firm of solicitors, we have experienced individuals challenging businesses regarding their data; we have had client’s former employees using business data in breach of GDPR, placing our client in potential breach; and we have seen confusion over opting in and out; misunderstanding of what data you are permitted to hold and share; service providers’ contracts that are out of date; and the sale of data and companies flagrantly breaching the spirit of the GDPR.

Be prepared and be ready

Leading up to the introduction of GDPR, there was a simple message: Get ready for the changes by 25 May 2018 or face the prospect of heavy penalties! However, we have not seen the volume of UK court cases or ICO public enforcement notices that was expected.

The UK regulators have gone into Canada’s Aggregate IQ and given them the first GDPR enforcement notice, giving the company 30 days to comply with data regulations or face a fine of up to 20 million. This is currently going to appeal. However, everything else seems very quiet and calm… Could there be a storm looming?

The ICO are suffering from extreme over-notification of data breaches. In September 2018, the Deputy Information Commissioner remarked:

“Some controllers are ‘over-reporting’: reporting a breach just to be transparent, because they want to manage their perceived risk or because they think that everything needs to be reported…”





What should businesses be doing?

Businesses should continue to be GDPR compliant, as we suspect change will come, and come fast, as many lawyers for potential claimants are gearing up for UK Court action. Individuals will be aware that the “Morrisons Appeal” has been upheld, and claimants are reporting breaches daily.

Businesses need to have their processes and policies in place, systems checked and monitored and a record available for any breaches should they need inspection, so they can demonstrate compliance.

The Ticketmaster breach clearly shows why data security is as important as why our data is retained, for what purpose and for how long. This breach affected customers buying tickets between September 2017 and 23 June 2018, so it spans two data protection acts: the Data Protection Act (DPA) 1998 and the Data Protection Act (DPA) 2018, the latter being the UK’s version of the EU’s General Data Protection Regulation (GDPR). Which will prevail is currently under review, but there are numerous breaches, including:

  • Unauthorised access
  • Failure to put in place robust technical measures to protect data
  • Not having adequate internal policies, procedures and internal organisation
  • Possibly failing to report a breach within sufficient time



Karen Holden is an award-winning solicitor and founder of A City Law Firm (ACLF), the go-to lawyers for entrepreneurs, startups, scale-ups and those seeking investment. In addition to being very successful lawyers for businesses, ICOs and family law, ACLF are now the UK's leading LGBT law firm and surrogacy specialists. Karen is a regular media commentator, panellist and event speaker.