General Data Protection Regulation: six months on

Six months ago, the UK was busy preparing for one of the biggest changes in Data Protection law. The European Union General Data Protection Regulation (or GDPR) came into effect on 25 May 2018 with the aim to bring the existing data laws into the 21st century. It turned the business world upside down and asked all organisations to be compliant to the law when handling personal data.

The new EU framework applied to all organisations across Europe and EEA. Designed to give consumers more control over their personal data, GDPR requires companies to provide better protection of personal data. Failure to do so will result in hefty penalties for organisations across Europe that don’t comply.

Any organisation found to be non-compliant with GDPR faced fines of up to 4% of their global revenue, or €20,000,000 – whichever is higher. For less severe incidents, the fine is reduced to 2% of revenue or €10,000,000.

The uptake of change within organisations varied. Many appointed Data Protection Officers and implemented processes to ensure they complied with the new regulations. However, for others, it has been a much slower process to implement change in order to remain GDPR compliant. Now six months on, the dust has settled but what has been the impact of GDPR so far?

What has changed since GDPR?

Since the start of GDPR, The Information Commissioners Office (ICO) have made 97 monetary penalties and issued 33 enforcement notices. According to new research from by London-based professional services firm RPC, fines for GDPR breaches has doubled to £146,000 in the last year alone.

Recently a £500,000 fine was issued for Facebook for serious breaches of data protection law. And in September, Equifax was fined £500,000 for failing to protect personal information of 15 million UK citizens during a cyber attack in 2017.

There have been a few changes to the GDPR law since it first launched in May 2018. The first came in September when the ICO made changes to organisations that were exempt from the law. They also expanded their guidance on making international transfers.

The ICO has also just released new updates to their guidance on encryption. Their aim is to help businesses understand the importance of encryption in order to protect the personal data that is currently held. It also provides further details on Article 32 security processing.

GDPR is a regulation that isn’t going to go away. Protecting user’s data and handling it in the correct way is vital for organisations to ensure they avoid a fine. According to PwC ‘Organisations need to focus on ensuring the GDPR compliance programmes and teams they built are really robust enough to transition to a ‘BAU’ world. This includes ensuring their teams are equipped with the legal and technical knowledge required to respond to technologically-savvy subject rights requests and enhanced regulatory scrutiny.’

GDPR is full of legal and technical challenges, with no margin for error. To find out how we can help your business meet the new challenges, talk to us on 01344 758700 or email us on


SIRE Technology Ltd

23 Wellington Business Park

Crowthorne, Berkshire, RG45 6LS


+44 (0) 1344 758700

Company Number: 02803958