What we’ve learned about the GDPR in its first year

This time last year, organisations were scrambling to meet the compliance deadline for the GDPR (General Data Protection Regulation), people’s inboxes were flooded with last-minute pleas for consent and social media was rammed with GDPR memes. 

Twelve months later and the commotion surrounding the Regulation has calmed, but its impact remains. In this blog, we look at the effects the GDPR has had and assess the future of the data protection landscape. 

1. Organisations have struggled 

The biggest lesson to be learned is that organisations weren’t prepared for their new compliance requirements, and many are still struggling to implement the necessary measures. 

This can partly be credited to organisations’ mistaken belief that the GDPR didn’t apply to them or didn’t require much work to address. Deloitte study released a few months after the GDPR took effect found that only 34.5% of organisations could demonstrate compliance. 

Another third said they hoped to be ready by the end of 2018, but the number that actually did is almost certainly much lower, as awareness of the full extent of the GDPR’s requirements remains low. For example, a significant number of apparently compliant organisations have simply updated their privacy policy, when this step should have been the final part of a comprehensive review of their data protection practices 


2. Compliance failures will be punished

Much of the early discussion about the GDPR focused on the disciplinary powers it gave to supervisory authorities, with the most egregious compliance failures attracting fines of up to €20 million or 4% of an organisation’s annual global turnover – whichever is higher. 

Some speculated that supervisory authorities would lay down the law early, issuing big fines to force organisations into compliance. Others thought the disciplinary powers were a scare tactic, and took a wait-and-see approach to whether the cost of compliance was worth it. 

Although relatively few fines have issued so far, that’s largely because the supervisory authorities are still working their way through a backlog of data breaches related to incidents that occurred before the GDPR took effect. 

But we know from the fines that have been issued that they won’t hesitate to levy strong penalties. In January 2019, Google was fined €50 million by the CNIL, France’s data protection regulator, for neglecting transparency requirements and failing to obtain a lawful basis for processing. 

Likewise, Portugal’s Data Protection Commission (Comissão Nacional de Protecção de Dados) fined a hospital €400,000 after an employee gained unauthorised access to patient data. 


3. Fines haven’t been handed out freely

The other concern about the GDPR’s disciplinary powers was that every minor violation or data breach would lead to a crippling fine that would put the non-compliant organisation out of business. 

Although many GDPR sceptics worried about this, most experts didn’t think this would be the case, and they’ve been proven right. The majority of GDPR investigations have resulted in either no financial penalties or a proverbial ‘slap on the wrist’. 

That’s not to say those organisations escaped punishment. Supervisory authorities have disciplinary powers besides fines, such as enforcement actions. This involves an investigator pointing out the areas in which the organisation’s GDPR compliance practices fall short and demanding that they be rectified by a deadline. 

This action is preferred in most cases, because it’s the most practical. GDPR compliance costs money, and if you fine an organisation for failing to comply, it will struggle to find the resources to correct the problem.


4. People are more aware of their rights than ever 

The GDPR isn’t only about enforcing stricter data protection measures. It’s also about protecting individuals privacy and making them more aware of their rights. 

In that regard, the GDPR has been an overwhelming success. Even organisations that have done little more than update their privacy policy have helped individuals see how their personal data is being processed. 

In turn, this has helped individuals query processing activities that they are unhappy with or want to learn more about. The European Data Protection Board found that there were 94,622 data protection complaints in the first nine months of the GDPR’s application. 


5. The data protection landscape remains muddy 

For all the positive changes that the GDPR has brought, there’s not yet any clear evidence that organisations are more secure than they were a year ago. In fact, according to the Irish Data Protection Commissioner’s annual study, there was a 70% increase in in reported data beaches across Ireland in 2018. 

This doesn’t mean that there was a spike in data breaches. It simply means that, with the GDPR’s new data breach notification requirements, a lot more incidents are being reported. While this is obviously a good thing in terms of transparency, it gives the impression that personal data is at greater risk than ever. 

As organisations strengthen their GDPR compliance, the number of reported data breaches should dropThose numbers will also improve as organisations gain a better understanding of their new obligations. 

For example, experts believe that many organisations are currently too anxious to comply with the GDPR and are reporting incidents that don’t qualify under the Regulation’s notification requirements. Learning what needs to be reported and what doesn’t will therefore clear up the data protection landscape and give a more accurate reflection of the GDPR’s positive effect. 


Where should organisations go from here? 

If we’ve learned anything about the GDPR in the past year, it’s that organisations still need to prioritise their compliance efforts. Whether you want to avoid breaches and disciplinary action, protect your customers’ privacy or make sure you are only reporting incidents when necessary, it’s essential that you review your data protection practices. 

Our GDPR Starter Bundle is ideal for anyone looking to build a framework for compliance. It contains everything you need to assess your compliance posture, document your practices and teach staff about their data protection responsibilities. 


GDPR Starter Bundle email banner - 7 day trial


  1. ADRIANNE PEAT 28th May 2019
    • Jessica Belton 29th May 2019

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.