The General Data Protection Regulation (GDPR) became directly applicable on 25 May 2018, accompanied by much media clamour and business disquiet. Some commentators warned of enormous administrative fines, whilst others forecast “SARmageddon” (a huge influx of access requests (SARs) from data subjects) and a flood of compensation claims for the most minor of breaches. We took the view, based on our years of experience and our expertise (as well as reading and listening to what the Information Commissioner’s Office was saying), that a pragmatic, measured approach was best, and we advised clients accordingly.
Eight months on, it does seem that that measured approach was the optimum one. No GDPR monetary penalties have yet been levied by the Information Commissioner’s Office (although Google was recently served one of €50m by the French data protection authority, for lack of transparency, inadequate information and lack of valid consent regarding the personalisation of advertising), and the courts are as yet relatively untroubled by compensation claims.
There are reports that the ICO is having to weather a storm of complaints and enquiries. It surely won’t be long before we see the first significant monetary penalty in the UK, and across Europe the spectre (or prospect, depending upon your perspective) of major group GDPR litigation hangs.
What is very clear is that on International Data Protection Day 2019, the subject of data protection has never been more pressing or more prominent. Anyone who processes personal data should make sure they know what they’re doing and where their risks lie.