Happy Birthday GDPR

Authored by Maria McCoy
Head of Data Governance and Compliance
May 25 2019

The European Union’s General Data Protection Regulation (GDPR) celebrated its first birthday on May 25th 2019 and has had a significant impact on the global landscape of personal data protection.
Some of the key points of the legislation include:

Companies must provide visibility and transparency to data subjects about how their data is being used

Companies must reveal any known data breach within 72 hours

Companies must be able to evidence that they have proper controls in place for secure processing and transfer of personal data

Penalties for non-compliance could cost the organization upwards of €20 million or four per cent of global annual revenue, whichever is higher

Some facts about the last 12 months

Data breach reporting has dramatically increased. According to DLA Piper, there have been more than 59,000 personal data breaches notified to regulators up to January this year. The Netherlands, Germany and the UK had the most data breaches notified, with around 15,400, 12,600 and 10,600 respectively.


Complaints have also increased. An assessment from the European Data Protection Board showed that the total number of cases reported by supervisory authorities from 31 countries in the first nine months consisted of 94,622 complaints.


To date, 91 reported fines have been imposed under GDPR, totalling €55.96m, but the bulk of this was due to the €50m fine to Google from the French data protection authority.


There has been a global ripple effect with new data protection laws being brought in to regions such as Canada, Brazil, California and Bahrain. Serbia, Jersey, Peru and several other countries have also amended their existing data privacy laws to align with GDPR.

Some insight for the next 12 months
2018 was a transition year. It takes 12 to 18 months to investigate cases and the last year has mostly focused on legacy investigations. Irish and UK authorities have hinted that a large fine is coming soon.
Perhaps a greater concern is the risk of private litigation. Under the GDPR, individuals are able to file claims for "material or non-material damage" as a result of a breach, so a massive growth in privacy litigation is expected. One airline has already been threatened with a £500m class action lawsuit in a UK court.
The supervisory authorities are feeling their way. The UK Supervisory Authority (ICO) are working with other data protection agencies to come up with a matrix for fairly assessing the magnitude of fines. This won't be public-facing but will form a "toolkit" for watchdogs.
Cyber-attacks are still on the increase and the impacts of data breaches can be dire: research by Veritas Technologies found that 56% of consumers would dump a business that fails to protect their data, and 47% would abandon their loyalty and turn to a competitor.

Tips and advice

Openness and transparency are key – an easy-to-read privacy notice and clear communication of changes go a long way to build confidence in your business.


Take a back-to-basics approach: catalogue your data processes, risk assess your systems, produce a gap analysis, take action, train your people, and review.


How confident are you that you are compliant? If you have policies in place, do you have any evidence to prove they are being followed? Building that evidence trail is crucial to protect your business against fines and litigation.




With very few big fines in the initial period, some companies are becoming complacent. An annual audit from an independent third party will combat complacency and create a clear plan for continuous improvement.