
The GDPR one year on

This time last year, thousands of people across the UK and beyond were in meltdown as they counted down the days to the GDPR.

Businesses and any other organisations that held personal data about EU citizens were told they had to take steps to protect it – or they’d be breaking the law.

There was some great advice about what to do to comply if you knew where to look for it, but many people, especially some of those running smaller businesses, were struggling. Some left their GDPR obligations until the last minute – or even later.

The last time such panic had been seen was in late 1999 when the world held its breath for the impending doom of the Millennium Bug.

It was feared that millions of electronic devices would break down simply because they weren’t set up to change the dates in their processors from “99” to “00”. In the event, not much happened.

And it was a bit like that with the GDPR. In the weeks leading up to May 25th, people’s email inboxes were swamped with messages from organisations – some of which they’d last done business with ten or more years ago. The senders had been badly advised – in many cases they didn’t need to send them.


The GDPR, or General Data Protection Regulation, which came into law on May 25th, 2018

It’s fair to say there was a good deal of confusion around the GDPR. Fortunately, CertiKit was on the ball and produced a toolkit to help organisations ignore the false advice, understand their legal obligations and avoid the pitfalls.

CertiKit product manager Mark Clifton recalled a year ago: “It was manic. It was one phone call followed by another five minutes later, while answering emails and providing support via Skype. It really went bonkers in May – everything merged into one big GDPR frenzy.

“People were worried and were wanting more information. Smaller companies wanted reassurance that they weren’t going to get fined. They just needed hand-holding with what to do.”

One year on, we wanted to look at the impact of the GDPR, so we spoke to our CEO, Ken Holmes. He said that, as with the Millennium Bug, the forecasts of certain doom never came to pass.

“The fear was that, come May 25th, the supervisory authorities in each EU country would start wholesale prosecutions for minor breaches,” he said.

“People were worried that if they didn’t specify one particular cookie on their website, they’d end up with a large fine.

“But it was never about that. There have been relatively few prosecutions – in the UK the ICO always said it wouldn’t start landing people with fines if they didn’t get things exactly right. Armageddon has not come to pass.”

There is plenty of guidance on our website about organisations’ obligations under the GDPR. Click here for more details.

Here are our top three misconceptions

  1. That everything is based on consent and that, in order to be compliant with the GDPR, you need to get consent for whatever you’re doing with someone’s personal data. That is not necessarily the case, particularly in terms of marketing to your existing customers.
  2. That fines are issued immediately for infringement – it’s just not the case. If a breach has taken place, you would work with the supervisory authority to understand what you’re doing wrong and to correct it. You only really get fined for a major data breach, and if you’ve failed to do anything about it despite being ordered to do so several times.
  3. That all breaches involving personal data must be reported to the supervisory authority. In some cases, this is true and, if there’s a high risk to the rights and freedoms of a data subject, you must inform that person as well. One example of there not being a risk would be if a hard disk was stolen, but the data on it was encrypted and the keys were still secure. In such a case, you wouldn’t need to report it.

In the UK, the ICO handled more than 18,000 data protection cases during 2016-17, but only 16 of them resulted in fines being issued. These added up to £1.6m. Fears that the number of fines issued would skyrocket after May 2018 have not materialised.

Mr Holmes said that the panic of a year ago had subsided and that, while CertiKit still received a steady stream of queries over the GDPR, the level was nothing like that in May 2018.

“There’s still a lot of misunderstanding about the GDPR,” he added. “A lot of what’s in the GDPR wasn’t new – in the UK, the Data Protection Act already listed obligations and this was true of the relevant laws in the other EU countries too.

“One big thing that was new was Mandatory Breach Notification. In the past, you weren’t forced to mention breaches. Now you have to notify the supervisory authority if there’s a risk to rights and freedoms of data subjects.

“This has meant the ICO has been inundated with the slightest thing to do with personal data. People took a ‘better to be safe than sorry’ approach.

“I’d say the GDPR has started with a whimper rather than a bang, but it’s here to stay – it was never a one-off thing.”

As for how data laws will be affected if or when the UK leaves the European Union, the British Government has indicated that data protection laws will remain the same regardless of Brexit. If dealing with the data of EU citizens, British firms will still need to abide by the GDPR regardless of whether the UK is in or out.

Don’t be another statistic. Our GDPR Toolkit is still proving popular and has seen several updates. The latest, version five, has a new CCTV policy, a sub-processor agreement and information security awareness training. Click here to read more.

No wonder our toolkit has proved so popular with organisations small and large, including the likes of HMV, NASDAQ and the Ritz, in London.

To mark the first anniversary of the GDPR, we are also offering a 15% discount to anyone buying our toolkit, until 11.59pm BST on May 31st, 2019. You just need to use the following code: 1STGDPR15.

If you want to be on the ball with the GDPR, click here to buy our GDPR Toolkit.
