GDPR – What have we learnt 2 years on?

General Data Protection Regulation came into force in the UK on 25 May 2018 and was enshrined in the Data Protection Act 2018 (with some slight modifications including on enforcement action). GDPR was originally published in 2016 so there is an argument to say organisations and businesses have had four years to get their data protection systems and policies in order; although we still see some businesses shriek at the sound of the infamous four characters.

Almost 18 months after its enactment, the Information Commissioner’s Office (ICO) have successfully prosecuted its first victim under the Data Protection Act 2018. A pharmacy based in London was fined £275,000 in December 2019 for keeping 500,000 documents in an unlocked cabinet in a warehouse containing the medical records of patients.

Across the channel, in France, the French data protection regulators CNIL fined Google a record €50 million after lacking transparency and accessibility with its users, and a sheer lack of informed policies regarding consent on how their data is used.

Although now, just over 2 years on, there has still been proportionately very little enforcement action under the DPA 2018; with most of the prosecutions being brought under the DPA 1998. One of the reasons could be lack of resources the ICO can pump into its enforcement arm, together with many months (even years) of thorough investigation.

Since May 2018, there have been an increasing number of reported data breaches as well as an increase of subject data access requests, which was likely influenced both by the publicity surrounding GDPR when it came into force as well as by the GDPR abolishing the fee for people to exercise their data subject rights. This has allowed (although some businesses were reluctant) businesses to bridge the gap with its customers so they are fully aware of how their data is used.

It should be expected that enforcement action under the DPA 2018 will start to bloom in the years to come, especially with an ever-increasing modernised world and the heavy reliance on the internet which all businesses, even the tech giants, use to generate their income. All businesses, no matter the size, can be in the ICO’s firing line so it’s better to get on top of everything now before the fines and notices start building up and making the local news.

For more information on how Chadwick Lawrence’s Regulatory team can help you become GDPR and DPA 2018 compliant we can: draft bespoke policies, host practical training sessions for your staff, conduct audits and data protection impact assessments for your system and business and assist you with complying with data subject’s requests, call us on 01484 519 999 or email nicholasworsnop@chadlaw.co.uk or harveyblake@chadlaw.co.uk .