GDPR: One year on and where’s it gone?

It's now been a year since GDPR came into force. Lesley Holmes, Data Protection Officer at MHR, explores the lessons learned over the past year and the risks businesses will encounter in the future.

GDPR was the hot topic of 2018, but what now? Nobody seems to be talking about it, but it hasn’t gone anywhere.

As GDPR drew closer, there were rumours of multi-million-pound fines and people being sued over broken rules or misunderstanding what GDPR meant…so did it happen?

Well kind of, yes.


Straight after GDPR got going, one self-styled ‘data freedom activist’, Austrian Max Schrems, sued Google, as well as Facebook and its subsidiaries (which include Instagram and WhatsApp), to the tune of almost $4 Billion.

Officially, three complaints worth 3.9 Billion dollars were filed against Facebook, WhatsApp and Instagram respectively via data regulators in three different EU countries. As well as this complaint, French data protection authority CNIL filed a separate claim for 3.7 billion relating to Google’s Android operating system, showing wide concern around Google’s practices.

The CNIL claim concerned a breach of regulations (rather than data), as Google was accused of not respecting the rights of people to choose how their data is shared when they create an account. CNIL didn’t enforce the penalty for this ultimately, but if Google don’t clean up their act, chances are other authorities will be less generous with their own actions in future.

Despite legal challenges from governments, Schrems made most of the headlines, himself stating that Google was breaking the rules with an ‘all or nothing’ policy which did not allow users to select preferences. One man took on a behemoth, confident GDPR gave him the backing he needed for success in a legal landmark.

While he was not that successful financially in the end, the case may still lead to changes in the way Facebook can use data in Europe. Remember, this was just one man, rather than a large organisation or government, against Google – and one man almost won.

After Schrems took on Google, more problems were round the corner for the tech giant.

Despite the Irish Government asking Google to make amends in areas where it was seen to be falling short of GDPR compliance (Google’s international office is in Ireland), the French Government were quick to take charge when Google didn’t do this.

The result? A fine of 57 Million Dollars.

The result of complaints by two NFP organisations, this fine is very big; there can be no argument around that. The thing is, many feel that there can be.

With GDPR-eve upon us last year, in the last few weeks and days before GDPR took effect, there were rumours that businesses who ignored the warnings would be expected to pay 2-4% of their annual turnover for a major fine. So if Google did this, they’d be looking at a fine of around 2.5 to 5.1 billion (yes, billion!) US dollars. A fine like this almost surreally makes 57 million pounds look like loose change.

What was the first year of GDPR like?

95,000 people have complained so far over potential breaches, but these have rarely meant legal action, so it seems people are happy for legislators to do the work for them in most instances.

Despite the complaints, it does in fact seem that companies are acting responsibly when self-governing, as businesses have already reported 41,000 potential breaches as of January 2019, a figure which is set to rise, but don’t worry; it’s better for both consumers and businesses that breaches are reported than swept under the carpet.

And that’s just the UK. Across Europe during the same period, 59,430 breaches were reported, displaying consistency among businesses.

Despite most businesses reporting responsibly, at least 91 fines had been issued at the start of 2019, with 60 fines coming from Germany alone. Most of those fines related to 2018, which was described by the French data protection authority (CNIL) as a transitional year ‘intended to allow businesses to understand and implement what the GDPR requires’.

This seems to be something businesses are well aware of, as on May 25th 2018 only half of companies reported as self-compliant, despite having two years to prepare for the new legislation. This may be a lack of preparedness, but if it’s complacency, then the future may be a shock for a lot of people at the business end of hefty fines.

What risks will businesses encounter in the future?

If 2018 is a transitional year, then any date after that must be taken far more seriously, as there has now been plenty of warning and the big fines are starting to mount.

The ‘low’ fine given to Google may be an indicator of a transition to much bigger fines, or it may be a politicised decision as we will discuss in a moment.

The fact remains that organisations can and will be given huge fines by data protection authorities if governments feel they are losing control, or that people have inadequate protection, especially as failing to meet the appropriate requirements for technical and organisational security may lead to major hacking, and to data controlled by the state being misused as well.

WhatsApp, much lauded for its state-of-the-art encryption, was hacked recently, so the theft of data is something we should be worried about. The circumstances too were concerning, as the hackers were able to infect devices by simply dialling the number, even if unanswered, and then erase the call log.

This was resolved quickly in this case and the group (Facebook own it) were very open about what had happened, but mishandling a situation like this is likely to incur the wrath of the EU and the UK, who do have very real legislative power.

As well as the full remit of state-led fines and punishments, individuals, like (but not limited to) Schrems, may decide to sue organisations directly. This is the norm now in the US and many social commentators feel we’re not far behind, suggesting a very large can of worms could be flying open very soon, with disastrous consequences for negligent businesses, or just those who are still (still!) unclear what the impact of GDPR means – though what is already clear is that the future will include many more class-action lawsuits.

What’s the bigger picture for GDPR?

Big data is big business and those who hold a lot of data are fast becoming the new oil barons, such is the value of data.

This ownership is losing value under GDPR, as it is harder to just harvest and use data freely for maximum profit, without receiving a penalty as a result. This should always be the case. GDPR has been brought in exactly for the purpose of reducing irresponsible data use.

While the UK government have more or less implemented a cookie-cutter copy of the existing EU legislation despite the Brexit vote, changes will come in the future if it seems the legislation is not right for Britain.

Some commentators have claimed there may be a so-called ‘Brexit light’, letting big businesses get away with more to stimulate the economy, but very few people feel that this will happen. Another reason this might not work too well is that EU GDPR rules will apply to data we share when trading with EU businesses, so it will be important to respect data laws; either way, the future will include a lot more GDPR debate.

Whatever the future holds, being responsible with data is still advised as the story of GDPR has not yet truly been written – we’re still on the first page.

Lessons we can learn from GDPR so far?

As we’ve seen, it’s been an eventful year, but what are the main things to consider now? Here are our top five tips:

1. Did you prepare for GDPR? If you didn’t, it’s not too late to make changes; if you did…can you do it better?!

2. With many businesses being let off in the initial period, some businesses are becoming complacent – make sure you are not one of them! Make sure you have regular reviews of your data and if you are big enough to have a dedicated team, make sure you use them. This ensures continuity in everything you do and if you don’t have a team to do this, allocate a data controller and/or speak with your DPO or similar.

3. Are you doing the right thing? If someone decides to sue you for a breach or mishandling of data, then you can relax a lot more if you know you did everything within your power to process your data responsibly and compliantly. Bear in mind though, a thousand employees claiming they have had their rights and freedom impinged could cost a business in the region of £1.2m if they take out a class action (and win). The complaints can add up so don’t let them happen.

4. Make sure you’ve used all the tools at your disposal and take a back to basics approach: know your data flows, assess your operations, produce a gap analysis, take action and then review. Simple but effective.

5. Make sure that you are open and transparent about what you are doing with people’s data and why. A simple privacy notice that is easy to read goes a long way to help understanding and build confidence in your business.
