This time last year, thousands of people across the UK and beyond were in meltdown as they counted down the days to the GDPR.
Businesses and any other organisations that held personal data about EU citizens were told they had to take steps to protect it – or they’d be breaking the law.
There was some great advice about what to do to comply if you knew where to look for it, but many people, especially some of those running smaller businesses, were struggling. Some left their GDPR obligations until the last minute – or even later.
The last time such panic had been seen was in late 1999 when the world held its breath for the impending doom of the Millennium Bug.
It was feared that millions of electronic devices would break down simply because they weren’t set up to change the dates in their processors from “99” to “00”. In the event, not much happened.
And it was a bit like that with the GDPR. In the weeks leading up to May 25th, people’s email inboxes were swamped with messages from organisations – some of which they’d last done business with ten or more years ago. The senders had been badly advised – in many cases they didn’t need to send them.
It’s fair to say there was a good deal of confusion around the GDPR. Fortunately, CertiKit was on the ball and produced a toolkit to help organisations ignore the false advice, understand their legal obligations and avoid the pitfalls.
CertiKit product manager Mark Clifton recalled a year ago: “It was manic. It was one phone call followed by another five minutes later, while answering emails and providing support via Skype. It really went bonkers in May – everything merged into one big GDPR frenzy.
“People were worried and were wanting more information. Smaller companies wanted reassurance that they weren’t going to get fined. They just needed hand-holding with what to do.”
One year on, we wanted to look at the impact of the GDPR, so we spoke to our CEO, Ken Holmes. He said that, as with the Millennium Bug, the forecasts of certain doom never came to pass.
“The fear was that, come May 25th, the supervisory authorities in each EU country would start wholesale prosecutions for minor breaches,” he said.
“People were worried that if they didn’t specify one particular cookie on their website, they’d end up with a large fine.
“But it was never about that. There have been relatively few prosecutions – in the UK the ICO always said it wouldn’t start landing people with fines if they didn’t get things exactly right. Armageddon has not come to pass.”
There is plenty of guidance on our website about organisations’ obligations under the GDPR.
In the UK, the ICO handled more than 18,000 data protection cases during 2016-17, but only 16 of them resulted in fines being issued. These added up to £1.6m. Fears that the number of fines issued would skyrocket after May 2018 have not materialised.
Mr Holmes said that the panic of a year ago had subsided and that, while CertiKit still received a steady stream of queries over the GDPR, the level was nothing like that in May 2018.
“There’s still a lot of misunderstanding about the GDPR,” he added. “A lot of what’s in the GDPR wasn’t new – in the UK, the Data Protection Act already listed obligations and this was true of the relevant laws in the other EU countries too.
“One big thing that was new was Mandatory Breach Notification. In the past, you weren’t forced to mention breaches. Now you have to notify the supervisory authority if there’s a risk to rights and freedoms of data subjects.
“This has meant the ICO has been inundated with the slightest thing to do with personal data. People took a ‘better to be safe than sorry’ approach.
“I’d say the GDPR has started with a whimper rather than a bang, but it’s here to stay – it was never a one-off thing.”
As for how data laws will be affected if or when the UK leaves the European Union, the British Government has indicated that data protection laws will remain the same regardless of Brexit. If dealing with the data of EU citizens, British firms will still need to abide by the GDPR regardless of whether the UK is in or out.
Don’t be another statistic. Our GDPR Toolkit is still proving popular and has seen several updates. The latest, version five, has a new CCTV policy, a sub-processor agreement and information security awareness training.
No wonder our toolkit has proved so popular with organisations small and large, including the likes of HMV, NASDAQ and the Ritz, in London.
To mark the first anniversary of the GDPR, we are also offering a 15% discount to anyone buying our toolkit, until 11.59pm BST on May 31st, 2019. You just need to use the following code: 1STGDPR15.