DWF logo


DWF logo

            The GDPR: One Year On

            On 25 May 2019 the GDPR celebrated its one year in effect anniversary. In this article we will reflect on what we have learnt over the past year.

            Date: 31/05/2019


            Arguably the biggest fear of the GDPR for organisations was the potential fines, up to the greater of €20 million or 4% of annual global turnover. As the supervisory authorities have also been dealing with pre GDPR breaches over the past year, such as Facebook, Equifax and Uber, the full impact of the new fines remains to be seen. However, in a February 2019 report the European Data Protection Board (EDPB) revealed that since the GDPR came into force supervisory authorities across the EEA have imposed a total fine of €55,955,871. Notably the majority of this total fine was absorbed by Google. On 21 January 2019, Google received the largest fine under the GDPR, it was fined €50 million by the French data protection regulator, the CNIL, for 'a lack of transparency, inadequate information and lack of valid consent regarding the ads personalisation'.


            Guidance on fines

            Going forward the EDPB has encouraged supervisory authorities to harmonise their approach to calculating and applying fines across the EEA. It intends to publish guidance to assist with this. In the absence of any EDPB guidance, on 14 March 2019 the Dutch data protection regulator, Autoriteit Persoonsgegevens, was the first supervisory authority to publish national guidelines on administrative fines. It's unclear when we can expect the EDPB's guidance but it's plausible that such guidance could draw inspiration from the Dutch approach. Please note however that any EDPB guidelines would override any national guidelines.  Interestingly the ICO mentioned at an IAPP conference in March 2019 that it's been working with the Dutch and Norwegian data protection authorities to develop a fining matrix. Ultimately these steps are a clear indication that fines are at the forefront of the supervisory authorities' minds, as such we can expect to see more fines under the GDPR and hopefully a more consistent approach across the EEA when calculating and applying these fines.

            Data breaches

            Another big concern for organisations was complying with the data breach notification requirements under the GDPR. As such over the past year there has been a significant increase in data breach reporting. Over 65,000 data breach notifications have been reported to supervisory authorities across Europe. In September 2018, at a cyber-security conference the UK's Deputy Information Commissioner James Dipple-Johnstone highlighted the problem of controllors 'over-reporting' breaches. He said that the ICO appreciates that understanding the reporting threshold will be an issue for organisations in the GDPR's infancy however in future it will discourage any such over-reporting.


            Data subject rights

            As expected, individuals have become far more aware of their rights under the GDPR than previous data protection legislation. The ICO reported that the top three issues raised by individuals over the past year were: data subject access to personal data, disclosure of data and the right to prevent processing. 



            On 30 May 2019, in an ICO blog the UK Information Commissioner, Elizabeth Denham, stated that 'the focus for the second year of the GDPR must be beyond baseline compliance'. Organisations must focus on accountability and ensuring that they can demonstrate they understand the potential risks to individuals when processing their personal data and how best to mitigate those risks. While there is no doubt that implementing the GDPR has been onerous for organisations, data protection compliance does not need to be viewed as an obstacle to overcome. In a new era where individuals are more aware of their rights under data protection law and more concerned about how their personal information is processed, if an organisation can demonstrate effective data protection compliance this can inspire trust and confidence in its customers and employees and set itself apart from other organisations.



            It's safe to say over the past year organisations and data subjects have taken notice of their respective obligations and rights under the GDPR. As it has been a transitional year it is still too early  to assess the full impact of the GDPR as of yet.  It is still very much a work in progress, but going forward an increased  focus for organisations should be on accountability and privacy by design and default to ensure that data protection compliance is embedded within standard business practices and is not just a box ticking exercise.


            DWF's Data Protection Team can assist you with your ongoing data protection compliance. Please contact us directly or at DataProtection@dwf.law


            Authored by Sarah Moss

            Related people

            Jamie Taylor

            • Senior Management Director

            Nicole van Leenen

            • Data Protection & Privacy Specialist

            We use cookies to give you the best user experience on our website. Please let us know if you accept our use of cookies.

            Manage cookies

            Your Privacy

            When you visit any web site, it may store or retrieve information on your browser, mostly in the form of cookies. We mainly use this information to ensure the site works as you expect it to, and to learn how we can improve the experience in the future. The information does not usually directly identify you, but it can give you a more personalised web experience.
            Because we respect your right to privacy, you can choose not to allow some types of cookies. Click on the different category headings to find out more and change permissions. However, blocking some types of cookies may prevent certain site functionality from working as expected

            Functional cookies


            These cookies let you use the website and are required for the website to function as expected.

            These cookies are required

            Tracking cookies

            Anonymous cookies that help us understand the performance of our website and how we can improve the website experience for our users. Some of these may be set by third parties we trust, such as Google Analytics.

            They may also be used to personalise your experience on our website by remembering your preferences and settings.

            Marketing cookies

            These cookies are used to improve and personalise your experience with our brands. We may use these cookies to show adverts for our products, or measure the performance of our adverts.