GDPR: What now?

25 May, 2018



GDPR implementation day is here. The sky has not fallen in, but the true impact of GDPR is yet to be felt. For many of us who have been involved in GDPR compliance projects over the past months, the question remains, what now? We’ve set out some key areas of uncertainty, and a few predictions, below.


The new maximum fine limits of £17m (or 4 per cent of group turnover) for non-compliance might look terrifying, but how likely is it that current fines will be scaled up to these levels? The highest pre-GDPR fine that the Information Commissioner’s Office (ICO) has imposed is £400,000 (80% of a maximum limit of £500,000) and the ICO confirmed that enforcement “will be proportionate and, as it is now, a last resort” and it’s clear that only the worst infringers should be concerned about the new maximum fines. In any event, it is likely that any fines issued under GDPR will not be handed down until 2020 (given previous time-scales for enforcement), so it will take some time assess the impact of the new limits.

Individual rights and awareness

 Individuals have more rights under the GDPR in relation to their personal data, and recent media coverage alongside GDPR’s implementation date has certainly made people more conscious of data protection issues. Increasing press coverage concerning rights under GDPR, reports of high-profile breaches, and endless privacy notices that flood individuals’ inboxes are all increasing awareness. ICO investigations (even without fines) will often be reported in the press. Businesses that can’t show they practice good data security, or don’t have the necessary understanding of their responsibilities, will struggle to build trust and maintain their reputations. That reputational damage may be the most significant impact for any business that doesn’t treat GDPR seriously.

As a result of greater transparency, organisations will receive more requests from individuals (“subject access requests”) about how, why and where their data is held. This will inevitably result in more complaints being made to the ICO. We also expect to see increasing numbers of group litigation cases in relation to large-scale data breaches, since a data breach is likely to involve more than one individual’s personal data.

Service providers: comply to thrive

 Service providers who process personal data as part of their service must establish if they process data on behalf of their customers (as a “processor”) or not. Many processors have already updated their terms and conditions to include the provisions required by GDPR, some will do so soon as their compliance projects continue, others may not. But despite all these contractual changes, it’s not clear if customer-provider relationships will actually change, or how any liability issues will be dealt with in practice.

Changes in the office

 We don’t just mean more GDPR-related chat (thrilling as it is). Just as new health and safety regulations changed the way offices operated, the GDPR will affect business processes as organisations become more aware of data security and the risks of a breach. Individuals will begin to have a better idea of personal data flows within a business and are likely to face various measures, including clean desk policies, role based access, and restrictions on remote working.

Consent, consent, consent

 Despite being the buzzword for GDPR, the consent rules have misled many. The standard of what is acceptable as consent is changing. Consent forms will become more prevalent, and websites will evolve to provide more choice about how your data is used (although further changes around the law on cookies are still being debated at an EU level).


 The number of marketing emails to your work or personal accounts is likely to reduce, despite not all email marketing requiring “opt in” consent. Given the rules on electronic marketing are stricter, you may also receive more postal marketing.

It’s here to stay

 GDPR isn’t the whole story. The Data Protection Act 2018 (the UK legislation that supplements GDPR and will apply post-Brexit) was given royal assent on 23rd May. More guidance from the ICO and European authorities is still to come, and different sectors should settle into a broad consensus on the boundaries of compliance.

Even if GDPR requirements are crystal clear, once you have your organisation in order, your obligations under GDPR will not disappear. Businesses must continue to monitor compliance, and as your business develops, your obligations under GDPR will develop too.

For more information on data protection, please contact Elliot Fry at or on +44 (0)1732 224 034

For updates from us and the latest Tech news follow us on Twitter @CrippsTechLaw