Blog: GDPR – one year on

30 May 2019

A blog by Elizabeth Denham, Information Commissioner

Last May marked a seismic shift in privacy and information rights with the implementation of the General Data Protection Regulation (GDPR) and the Data Protection Act 2018.

Today, we’re publishing an update to share our reflections and learnings from the past twelve months. The change in the regulatory landscape has shown the importance of getting privacy right. People have woken up to the new rights the GDPR delivers, with increased protection for the public and increased obligations for organisations.

But there is much more still to do to build the public’s trust and confidence. With the initial hard work of preparing for and implementing the GDPR behind us, there are ongoing challenges of operationalising and normalising the new regime. This is true for businesses and organisations of all sizes.

A key area of work for my office during 2019/20 will be to support all parts of the UK business community, from the smallest SMEs to the biggest boardrooms, to deliver what is needed. Where the law requires it, I want to see Data Protection Officers (DPOs) embedded and supported in their respective organisations by senior management.

The focus for the second year of the GDPR must be beyond baseline compliance – organisations need to shift their focus to accountability with a real evidenced understanding of the risks to individuals in the way they process data and how those risks should be mitigated. Well-supported and resourced DPOs are central to effective accountability. 

Strong accountability frameworks are the backbone of formalising the move of our profession away from box ticking. They reflect that people increasingly demand to be shown how their data is being used, and how it is being looked after. They are an opportunity for data protection to be an enabler of growth and innovation whilst building people’s trust and confidence in the way their information is handled.

Just as organisations have had to change to meet the demands of the new regulations, so has my office. We have grown in size and capability as well as ambition, working tirelessly to provide guidance and expertise to individuals, to businesses, and to the public sector. We make sure our work is focussed on the areas of greatest risk as set out in our Regulatory Action Policy. This policy also describes our refreshed toolbox of enforcement powers in these areas – ranging from heavy fines to lighter sanctions depending on the relative harm to individuals.

We are committed to supporting DPOs and organisations to get things right. We celebrate and champion excellence in the data protection field. We recognise our role in helping small organisations to understand their responsibilities, but our role is not to be a ‘DPO for hire’ – responsibility for compliance lies with organisations. For those who do not take this responsibility seriously or those who break the law, we will act swiftly and effectively. We are using the intelligence we have gained – from more than 40,000 data protection complaints since May 25 2018 and over 14,000 personal data breaches reported to us, as well as intelligence from other regulators and investigations we have instigated- to take robust action.

Many of the investigations launched with our new powers are now nearing completion and we expect outcomes soon, demonstrating the actions my office is willing and able to take to protect the public.

The past 12 months have been pivotal for data protection, but they are only part of the story. Preparing for, launching and bedding in the GDPR has posed many challenges – for the ICO as well as those we regulate. This update provides an overview of our experience in the first year of the GDPR, and shares information and insights that will be further explored in our Annual Report later this year.