GDPR Five Years On
25th May 2023 marks the 5th anniversary of the once greatly anticipated EU General Data Protection Regulation (GDPR) – a milestone in data protection law and regulation and a mind shift for organisations that process our personal data. The run-in prior to implementation saw a flurry of training, auditing and general gearing up for the changes, but the job did not stop there. Organisations have an ongoing obligation of accountability, ensuring that privacy by design leads to protection by default, and this is in no way diminished following the UK’s exit from the EU. In this blog we consider some of the changes, challenges and future developments, against a backdrop of a landscape fraught with pitfalls for individuals, who remain vulnerable to the way in which organisations use and protect our personal data.
From Implementation to beyond…
It’s true to say that there was much publicity and focus ahead of the go-live date in 2018, and many organisations were engaged in activities such as reviews and audits, process improvements and training to ensure awareness of the new data protection regime. However, GDPR provides for continuous improvement and a constant commitment, through the very culture of an organisation, to ensure ongoing compliance that is demonstrable. This involves not only carrying out, but also recording, a Data Protection Impact Assessment (DPIA) for every new policy or process that an organisation is considering implementing, to show that data protection is so integrated that it has become the default option for any new processes implemented in the future, highlighting risks and reducing them at an early stage.
At the heart of the need for protection were concerns about information security: ensuring staff know what their obligations are, what the reporting structures are for any breach, and that they are aware of the consequences of failure to comply. This is crucial for any organisation, recognising that compliance is not limited to management or senior roles, since any person within an organisation can breach the regulations, for example by sending an email to the wrong person in error or sending direct marketing materials without appropriate consents. Given the increased fines and narrow reporting windows, embedding a culture within an organisation is crucial to ensure that everyone is aware of these implications and is appropriately trained, in order to demonstrate a commitment to the responsible handling of personal data.
The principles of data protection also underpin the notion of commitment through organisational culture, which means that when individuals approach an organisation to enforce one of their rights under GDPR, systems are in place to give effect to them.
This means that the ongoing commitment to data protection compliance is not only in place, but demonstrably so, ensuring a forward-thinking and proactive approach to understanding service users and their data needs. As we reach the five-year anniversary, therefore, now seems to be a good time for organisations to review their approach to data protection – what has worked well, where can improvements be made, and have any lessons been learned?
The Brexit Challenge
GDPR was an example of an EU harmonisation measure, which meant that individuals could be confident that across the EU, and further afield where adequacy was granted, organisations were subject to the same rules and protections of equal standing were in place. Post-Brexit, GDPR still applies, in that it is retained as part of domestic law by virtue of UK GDPR (the technical bit is that EU GDPR does not apply and the relevant legislation is the Data Protection Act 2018, as amended, which sits alongside UK GDPR). In practice, currently, the key rules and principles are the same, and adequacy was initially agreed by the EU until 27 June 2025, although this is subject to review, not least because the UK now has the ability to keep the regulations under review and make unilateral changes to them. Retaining adequacy is, arguably, a vital factor for organisations that trade with or supply to individuals in EU member states, and the adequacy decision means that, subject to the rules regarding the transfer of personal data between the UK and EEA, data can continue to flow freely.
Some key things to note relating to cross-border information transfer are:
- If an organisation supplies goods and services to people in EU member states, the EU’s GDPR continues to apply and they will need to comply with both regimes;
- The ICO’s role as the independent supervisory body regarding the UK’s data protection legislation remains, although it now has no jurisdiction within the EU;
- UK GDPR applies to controllers and processors based outside the UK if their processing activities relate to the provision of goods or services to, or the monitoring of the behaviour of, individuals in the UK;
- Organisations that do not have a branch or base in the EEA will need an EU representative to act on their behalf regarding EU GDPR compliance, and vice versa for organisations based in the EEA without a UK base;
- Organisations that are supplying data cross-border will need to establish who their lead supervisory authority is;
- Privacy notices, DPIAs and other documentation will need to be updated with references to EU law, UK-EU transfers and any EU representative that is required.
If organisations do not transfer data outside of the UK, the nuances relating to cross-border transfers will not apply; if organisations do make such transfers, then data-flow maps are advisable to ascertain which regime is applicable and whether the data type is covered by the adequacy arrangements; for example, data relating to UK immigration is not covered by the adequacy arrangements.
Future developments – a national approach in a global economy
The Government is looking at the data protection landscape again with an evolutionary Data Protection and Digital Information Bill, currently working its way through Parliament. This will once more reconsider the data protection compliance issues to which organisations must adhere. Several matters are being considered, aimed at decreasing the administrative burdens that GDPR brought with it, the headlines including:
- The Bill introduces a new definition of vexatious or excessive requests, so that data subject access and similar requests can be refused, or charged for, more easily than at present. The Bill sets out factors that should be taken into account when deciding whether a request is vexatious or excessive, along with examples of vexatious requests, which include those that are intended to cause distress, are not made in good faith, or are an abuse of process. This recognises that this is a particularly difficult area for small organisations to manage;
- Organisations currently have to justify each legitimate interest as a lawful basis for processing personal data, carrying out a balancing exercise against the rights and freedoms of the data subject. The Bill introduces examples of legitimate interests which, whilst still requiring such balancing, are identified as acceptable legitimate interests to pursue, along with others, such as preventing or detecting crime, that are recognised without the need to carry out any such assessment;
- Data Protection Officers are no longer required; however, organisations that would previously have needed to appoint a DPO will now need to appoint a "senior responsible individual";
- Records of processing activities will be replaced with a duty to keep "appropriate records" where there is a high risk to the rights and freedoms of individuals;
- The Bill seeks to reduce the number of cookies which require users' consent, but consent will still be required for advertising cookies.
Other proposals, though, are aimed at strengthening the regime; for example, the maximum direct marketing fines have been increased to align with the maximum fines under the UK GDPR. This means that an organisation can now be fined up to £17.5 million or, if higher, 4% of its global turnover for a breach – the need for this change is borne out by the plethora of enforcement action taken by the ICO in relation to violations of the rules regarding direct marketing to which individuals have not consented. Other reforms are being made to the Information Commissioner's Office, which will become the Information Commission. Many of the changes here relate to internal organisation.
The Bill, currently at 1st Reading stage in the House of Commons and which will also receive scrutiny from the House of Lords, is the first step along the road of potential divergence from the EU in this area, and it will be interesting to see how the proposed changes are viewed by the EU in terms of its future adequacy decisions. Whilst the intention is to reduce the administrative burden on business, many businesses will still rely on EU markets, and for them retaining adequacy is of greater importance, particularly as they have had five years to get their data protection houses in order. It is, though, a delicate balance to be struck: on one side, the burden that the rules place on businesses, as exemplified by the way in which some rights have been exercised by individuals, most notably data subject access requests, as recognised in the current Bill; on the other, the value of our data to business and the genuine concerns surrounding its protection. All of which paints a complicated picture of regulation and enforcement that businesses will need to navigate to ensure ongoing compliance.