GDPR: What Have we Learned One Year on?


A year after the European Union brought in the General Data Protection Regulation (GDPR), you might be wondering what all the fuss was about.


There have been a few big fines but not the massive 4% of global turnover that some scare stories predicted.

And consumers seem to have noticed little change other than having lots more terms and conditions and privacy policies to agree to before cracking on with enjoying app or web content.

But this would be a dangerous misapprehension.


Data regulators are only just getting going.

French data regulator CNIL recently imposed a €50m (£44m) fine on Google for "lack of transparency, inadequate information and lack of valid consent regarding ads personalisation" - Google is appealing.

Spain's data protection agency (AEPD) fined the country’s football association La Liga €250,000 because its app did not seek enough consent from users before activating the phone’s microphone and location services in an attempt to pinpoint exactly which bars were showing matches without a license.

And the Republic of Ireland’s Data Protection Commission (DPC), the data regulator for many of the world’s consumer-facing tech giants, has launched 19 statutory investigations already, 11 of which focus on Facebook, WhatsApp and Instagram.

Twitter, LinkedIn and Google are also under investigation.

The DPC may reach decisions on some cases by as early as July or August, with final rulings – after all other EU member data protection regulators have had their say - by the end of the year.

 “While enforcement has been limited to date, it is still early in the life of the regulation,” warns Paul Jordan, managing director of the International Association of Privacy Professionals Europe. “Expect enhanced frequency of activity in 2019 and going forward.

“Any grace period afforded organisations in this nascent timeframe is truly at an end.”

Expect more hefty fines to come.


And while it may seem that most consumers are just blithely agreeing to new terms and conditions without reading them, plenty of others it seems are taking their new rights very seriously, whether that’s demanding to see what personal data companies hold on them, or questioning whether firms obtained consent to use their data correctly – implicitly or explicitly. 

Europe-wide the number of data and privacy-related complaints has soared to nearly 150,000, according to the IAPP.

And regulators in the EU’s 28 nations have reported receiving more than 280,000 cases so far, whether complaints from individuals and businesses, or data breach notifications.


That data must be easy to understand and should also be presented in a machine-readable format, so that a customer could transfer all their data to a competitor.

We can ask for any incorrect data to be corrected or for the whole lot to be deleted if we want – the so-called right to be forgotten.

And companies have a responsibility to keep our data safe. If any is stolen or unwittingly shared with unauthorised organisations - and this could pose a risk to people's rights and freedoms - companies have to inform the national data regulator within 72 hours.


Most app and website developers should already know the basics, but here’s a recap of the cardinal rules to consider:

  • Take a “privacy first” approach to design

  • Only store personally identifiable data if you really need to

  • Encrypt data in transit and at rest

  • Make sure you can easily retrieve, delete or anonymise customer data

  • Always obtain consent before communicating with users for the first time

  • Be ready to demonstrate what measures you’ve taken to become GDPR compliant

  • Make sure your cyber-security is bang up-to-date to prevent hacker attacks

  • Never assume that data regulators will only be concerned with the big firms.


There are plenty of sources of advice on data protection authority websites. And a whole host of companies, from cyber-security specialists to data privacy lawyers, are falling over themselves to offer advice – at a price.

The Brussels-based European Data Protection Board, which is responsible for ensuring GDPR rules are applied consistently throughout the EU, understands that organisations need more help and guidance, so Data Protection Authorities are continuing their various education projects, on subjects as varied as the distinction between data controller and processor, to how children’s data specifically should be handled.

But be warned: ignorance of your responsibilities will no longer be seen as any defence.

Megan Dickie