The GDPR Journey | How was GDPR for you?

After the GDPR journey came the GDPR deadline. This came and went and the world didn’t end. Some people asked me why there wasn’t a transition phase to get ready in time. I responded that they were in the transition phase as the law actually changed in April 2016. A plethora of organisations scrambled to update their systems and processes before GDPR became enforceable on 25 May 2018.

 

Those dreaded emails

Many took this to mean they had to send lots of emails to their database requesting users to opt back in. Some didn’t distinguish between users who had given permission already and those who hadn’t. Or between existing clients and potential clients. Or personal and business users. If they had, they could have saved a lot of unsubscribes by those too lazy to click the button. Or people like me: I simply used it as an opportunity to reduce the amount of spam I receive. In some ways, perhaps it was a good exercise. Those people who actively clicked to give permission are exactly the users the organisations want. I’m waiting to see if the Information Commissioner’s Office will end up handling complaints from people annoyed at receiving emails from organisations they had never given their permission to in the first place.

 

Higher fines? Not yet

GDPR created fear because of the steep rise in fines. Before the GDPR journey began, the most severe fine in the UK was £400,000, which is 80% of the maximum. Fines could now go up to €20,000,000 (about £17m) or 4% of annual global turnover, whichever is higher. This is something businesses want to avoid. The ICO has continued to issue fines after 25 May. This includes Yahoo! (£250,000) after a cyber-attack compromised their network (in 2014) and Gloucestershire Police (£80,000) for revealing identities of abuse victims. But these are under the old law and we still await the first GDPR fine.

 

Cambridge Analytica & Facebook

I had thought Cambridge Analytica would be one of the first. Most people know about this story. Cambridge Analytica took personal information from more than 50 million Facebook profiles and used it to build a system that could target US voters with personalised political ads based on their psychological profile. Employees of Cambridge Analytica, as well as the suspended CEO Alexander Nix, were even filmed boasting about using several dirty tricks to swing elections around the world. The Information Commissioner has been investigating it, assigning 40 or more people. Some say this is the largest investigation ever undertaken by a data protection authority. Of course, because GDPR became law in April 2016, any breaches since then could lead to a new, higher fine. Maybe it’s no coincidence that Cambridge Analytica has shut down.

 

The GDPR journey and Brexit

For a while, people were confidently telling me that Brexit meant we could abandon GDPR. I told them they were wrong on two counts. First, the GDPR journey started and would be in force before Brexit. That’s now happened. Second, even after Brexit, if the UK wants to send and receive personal data with its EU neighbours, it will have to adhere to GDPR. The key issue about Brexit is that the UK will have little influence over any possible changes to GDPR or other data laws. Recognising the importance of data flows, the UK asked for a special deal. The EU Commission rejected this. Brexit means Brexit after all. So, we will have to follow GDPR but won’t be able to lead on it. Also, if the European Court issues rulings on GDPR, can the UK Supreme Court realistically ignore them and come to a different conclusion? The other factor to consider is whether the broad powers under the Snooper’s Charter – or the Regulation of Investigatory Powers Act to use its proper title – will mean the UK is not deemed to provide adequate protection for data transfers. This will lead to Privacy Shield style negotiations for the UK. And that will keep Max Schrems busy for even longer!
