GDPR: 1 year on

University of Edinburgh law student Nicole Pitches examines its impact over the past 12 months

The General Data Protection Regulation (GDPR) took the EU by storm, and everyone scrambled to maintain the highest standard of data privacy known to date. So what has the GDPR actually achieved in the past year? Have any major companies fallen victim to the dreaded fine of 4% annual global revenue?

Fines have indeed been distributed across Europe, with smaller organisations falling subject to the scrutiny just as much as larger ones. In March of this year, the president of the Polish Personal Data Protection Office (UODO) imposed a €200,000 fine (£180,000) on a relatively small organisation. The company knew about the GDPR requirement to inform data subjects of data processing activities, but failed to do so. As the data subjects were unaware of their rights, they were not able to object to the further processing of their data or request the data’s rectification or erasure. The director of the Analysis and Strategy Department at UODO, Piotr Drobek, revealed the controller had denied the information to over 6 million people, with the president claiming it was done intentionally.

By comparison, in May 2019 the Belgian equivalent of the UODO, the Belgian Data Protection Authority (DPA), issued a fine for just €2,000 (£1,800). The case was taken to the DPA’s Litigation Chamber, where it was found the defendant, a mayor, collected email addresses in order to send out electoral campaign-related materials, and thus violated the principles of the GDPR, namely article 5(1)(b) which states that the data collected must be for “specified, explicit and legitimate purposes” and not further processed for new, incompatible purposes.

Following the DPA’s decision in the mayor/email case, the UK’s Information Commissioner’s Office (ICO) announced that it would focus on the use of personal information in political campaigns, use of surveillance and facial recognition technology, artificial intelligence, big data and machine learning.

Elsewhere, Ireland set its sights on the major internet giants due to their taxation arrangements within the country. The head of Ireland’s Data Protection Commission, Helen Dixon, predicts that within the next month we’ll see the first enforcement action reach the European Data Protection Board. The response of companies has been to become “combative” by “lawyering up” — hardly surprising given the amount of EU scrutiny.

So far GDPR may not have forced organisations to cough up eye-watering amounts of money, bar a couple of exceptions, but plenty of data breaches have been reported to have occurred over the past year. In February 2019, DLA Piper revealed that over 59,000 breaches had been reported throughout Europe, with Germany, the Netherlands and the UK securing top spots for the highest number of breach notifications.

So, what have we learned from all this? PrivSec, a blog specialising in internet privacy and security, rightly points out that while the GDPR has brought about many challenges for business, it has upped data standards and increased the demand for privacy professionals. The very nature of the GDPR requires companies to engage in efficient and accurate documentation from the very beginning, improving the overall standardisation of data protection. General cybersecurity has also been vastly improved, with networks, servers and infrastructures being readily upgraded in order to limit the possibility of data breaches.

Since its implementation in Europe, the GDPR has prompted a number of other regulators to devise data protection and privacy legislation, such as Brazil’s Personal Data Protection Regulation and the Californian Consumer Privacy Act.

Despite the optimism surrounding the GDPR, there have been complaints that regulators have not been quick enough to issue fines. Of the €56 million (£50 million) dished out in financial penalties since GDPR’s implementation, €50 million (£45 million) was the result of just one single fine: the French DPA against Google in January of this year over its use of user data to create personalised adverts.

While this huge fine may seem to some like a major victory for data protection, it amounts to only 0.04% of Google’s total revenue in 2018. However, the EU has taken note of this, with the Dutch DPA creating a fining matrix to gauge how administrative fines should be calculated. There are reports other EU countries are looking to create something similar.

Now that a year has passed, the ICO has recommended that both large and small organisations move beyond mere “baseline compliance”, and start focusing on “accountability with a real evidenced understanding of the risks” posed to individuals. GDPR compliance will need to be continuously monitored, and while we have not yet seen any truly damaging data breaches, investigations continue, the results of which are eagerly awaited.

Nicole Pitches is a postgraduate law student at the University of Edinburgh. She recently completed her LLB at the University of Warwick.




That was an interesting read 🙂


Some confusions in the article:

– it’s hard to say GDPR ‘succeeds’ if there are lots of fines

– it’s wrong to say “Ireland” is pursuing the tech companies. The Irish Government want those companies because they bring jobs and wealth to the country. As the article linked to instead makes clear, it is the EU who is trying to attack those companies – against the express wish of the democratically elected Irish government

– the article seems to miss a fact which is common with a lot of bad EU law, the UK has implemented it, but lots of other Member States are wisely ignoring it

– it’s wrong to keep using the term ‘companies’, one of the many flaws in GDPR is that it regulates voluntary groups, schools and charities. Creating a crippling regulatory burden and in many cases, forcing them to cease functioning

– it might be better to judge GDPR on whether or not it has decreased e-mail spam or prevented the illegal sharing of PI. On that measure it has completely failed.

GDPR is one of the most damning indictments of the EU. A huge and crippling regulatory cost which creates lots of (entirely pointless, but well remunerated) jobs for middle class people, hurts small enterprise, stifles competition, inhibits volunteer groups and completely fails to achieve its stated aim.



Data protection legislation and the ludicrous industry it has spawned is a solution without a problem. The few cases that actually merit enforcement go unenforced anyway because the ICO has nothing like enough resource. Nor could it ever have.

If you factor in the myths and misguided DPA/GDPR policies that have sprung up over the years it’s easy to see that data protection law has done a great deal more harm than good.

And that’s without the many billions of pounds of wasted expenditure forced on industry by this charade.

Stephen Scott

A colleague of mine reported a breach to the ICO in March. Her employer, a high street retailer, has made the personal data including address, phone number, national insurance number and bank details of its entire workforce on a web browser for all senior staff to access without anyone’s knowledge or consent. That means when these people are outside of work, they can sign in on their phones and access and screenshot staff data. The ICO are not interested. What a frigging joke.


The ICO can’t process the sheer amount of complaints it has received.

That’s what happens when a completely unworkable law is made by wholly unaccountable people.


And for the most of us it has made websites a pain to use. Those stupid cookie/privacy popups we have to click through. GDPR is a joke.

So many sites I have to use a VPN to access now because they are based in the US and won’t allow my access

I am a remainer, but I do think the EU should look at the implementation laws a bit better, and assume we are intelligent beings. Yes, clamp down on the data leakage and sue the bastards. But why are we encumbering the internet with these stupid warnings that irritate the hell out of you. They get ignored, and in the most case let you know about trivial stuff. Rejecting cookies means you always get the same pop up


The problem with the remainer argument was that had we voted to stay, it was a matter of time until GDPR 2.

The EU just doesn’t function and there’s no point staying in it and lying to ourselves. Reform would have been great. But it refused.

GDPR is the most visible symbol of the rule making rot at the heart of the EU. To a manufacturer like Dyson, there were more examples. Everything the EU purports to control it controls badly and with higher levels of corruption than the UK normally tolerates.

I still want to be friends. I still want us to visit each other and have really close ties. But the EU has chosen to run itself in a way that I simply do not want for the UK. To me the idea that we all just voted to stay in 2016 and that all the problems would be over, was the real fantasy.


We can only influence the EU from within. Non-compliance with GDPR simply isn’t an option for many/most international companies. I am writing this in Singapore, where international law firms have a great line in GDPR advice for anyone hoping to trade into the EU.

The days of pulling up the drawbridge and revelling in glorious sovereignty are long gone. The EU affects us, all we can decide is whether to retain or relinquish our influence over the EU.


These arguments have been tested and failed because:

1. We couldn’t stop GDPR, and indeed, didn’t.
2. We couldn’t even stop a drunk man being made President
3. While the 5 to 8% of UK businesses who trade with the EU might have to comply with GDPR, but that would still leave 95 to 92% free
4. The schools, hospitals, charities, volunteer groups, book clubs etc who do not trade with anybody, would similarly be freed

What Remain failed to do was to come up with a compelling reason why we should all be run by the EU. They failed. To be fair they didn’t try. The voters’ response was effectively ‘even if it may be tricky, better out than in’

Or to quote Churchill – “There are a good many people who say, “Never mind. Win or lose, sink or swim, better to die than submit to tyranny-and such a tyranny.” And I do not dissociate myself from them.”

This was all pretty foreseeable – the UK is a net contributor. Net contributors are always more inclined to have the confidence to weather the change of leaving. What Remain needed was a positive argument to stay in and it never had one.

Given ‘in’ meant GDPR and worse. It’s not surprising that no positive argument was found.
