Two years on from GDPR, what has this meant for businesses? Comment

It has now been exactly two years since General Data Protection Regulation (GDPR) legislation came into force across Europe, and this has had a seismic effect on data privacy and its subsequent impact on businesses.
GDPR legislation has had a 'seismic' effect, says Brown. Picture: Renzo Mazzolini Photography.

When first proposed, the GDPR legislation was met with trepidation. Headlines about massive regulatory fines, class actions, and compulsory breach reporting struck fear into firms already grappling with the consumerisation of privacy. Maximum fines went up from £500,000 to 4 per cent of turnover or €20 million (£18m). Have the new laws unfolded in the way we expected? Perhaps not exactly, but there has been a massive shift in the privacy landscape.

When GDPR was implemented on 25 May 2018, the personal data of staff and customers became an executive-level responsibility overnight. We have seen some early examples of significant regulatory action under GDPR, notably the €50m fine issued by the French data regulator CNIL to Google in early 2019, followed by the UK’s regulator, the Information Commissioner’s Office (ICO), issuing notices of intent to fine both British Airways (£183m) and Marriott International (£99m).


Those are still under discussion and not final, and regulatory action is slow, especially for fines at this level. Most privacy breaches don’t result in a regulatory penalty. We are seeing more people make privacy breach claims through the courts, individually or as class actions, and we expect this to continue. However, most changes for businesses have happened behind the scenes.


GDPR made it compulsory to report some – not all – data breaches to the ICO. Everyone suffers data breaches from time to time, but handling these sensibly, keeping suppliers in check and having trained staff in place to assist is key.

Data subject access requests (DSARs) have also leapt due to the increased awareness of our rights, and these can be resource-intensive to handle. Our DSAR handling capability for clients has trebled in the past year as a result.

It’s not all doom, gloom and cost, though. We’ve seen improvements in how organisations handle customer data. In short – privacy sells: in the corporate finance world post GDPR, data-compliant businesses get significantly better valuations and returns.

Another plus is progress in privacy and technology. A lot of the work we do is around implementing tech solutions in a privacy-compliant way, based on the “privacy by design” concept introduced by GDPR. Of course, new tech will always challenge privacy, and this is very clear in the debate around the use of tracking technologies to tackle Covid-19.

It will take most new regulatory changes five years to really take root, so we expect more high-profile penalties and cases. For now, changes to the privacy landscape brought about by GDPR, and driven on by consumer awareness, are here to stay.

Helena Brown, partner and head of data at Addleshaw Goddard
