
GDPR One Year On: What have we learned and what’s next?

Dr Sara Degli-Esposti and Professor Maureen Meadows.

First published on the Midlands Insider Blog.

A year ago, on 23rd May 2018, the Data Protection Act (DPA) 2018 received its Royal Assent, and just two days later, the General Data Protection Regulation (GDPR) came into force. GDPR captured media attention because of the monetary sanctions it can bring – up to a maximum of €20 million or 4% of worldwide turnover, whichever is greater for the firm in question. But one year on, how much impact have the new regulations really had?

An example of the force of the new regulations came in January 2019, when the French National Data Protection Commission (CNIL) imposed a financial penalty of €50 million against the company GOOGLE LLC for lack of transparency in the personalisation of advertisements. CNIL’s investigation was triggered by group complaints made in May 2018 by two associations, None Of Your Business (NOYB) and La Quadrature du Net (LQDN), representing 10,000 data subjects. GDPR sets a high bar for user consent regarding the processing of their personal data; it insists that consent must be freely given, specific, informed and unambiguous. According to CNIL, in the case of GOOGLE LLC, users’ consent was not sufficiently informed; it was neither ‘specific’ nor ‘unambiguous’.

In the UK, we will have to wait a little while longer before we can fully appreciate the effects of GDPR and DPA 2018. An analysis of monetary penalties issued by the Information Commissioner’s Office (ICO) over the past year reveals that complaints referred to events taking place under the Data Protection Act 1998, and the Privacy and Electronic Communications Regulations (PECR) which implemented the e-privacy Directive. However, some significant fines have been imposed under these previous acts and regulations.


On 23rd May 2018, from 8pm until 3am the next day, the ICO searched SCL Elections Limited’s London headquarters, as part of a larger investigation into the use of personal data and analytics by political parties and social media companies in relation to the Cambridge Analytica scandal. On 24th October 2018, the ICO issued Facebook with a fine of £500,000—the maximum amount possible under the DPA 1998 in force at the time of the event—for failing to safeguard people’s information and allowing Cambridge Analytica to collect information on 87 million Facebook users without informing them that their data would be used for political micro-targeting.

Since June 2018, the ICO has issued 29 monetary penalties for violations of PECR and DPA 1998. The majority of cases (62%) refer to unsolicited direct marketing emails and nuisance calls. Most complaints concerning unsolicited emails or calls come from the GSMA Spam Reporting Service, which enables UK mobile phone users to report nuisance text messages through a free-of-charge short code (‘7726’ or ‘SPAM’). For example, on 19th March 2019, the ICO fined Vote Leave Limited £40,000 for sending out thousands of unsolicited text messages in the run-up to the 2016 EU referendum. On 13th December 2018, London-based firm Tax Returned Limited was fined £200,000 by the ICO for sending out millions of unsolicited marketing text messages. And in October 2018, the ICO issued a fine of £90,000 to London-based marketing company Boost Finance Ltd (BFL) for sending millions of nuisance emails about pre-paid funeral plans.

The majority of cases sanctioned under DPA 1998 involved a data security breach. On 26th November 2018, the ICO issued Equifax Ltd with a fine of £500,000 for failing to protect the personal information of up to 15 million UK citizens during a cyber-attack in 2017. In a similar case, Uber was fined £385,000 for exposing UK users’ and drivers’ data as a result of an attack suffered by Uber US. The customers and drivers affected were not told about the incident for more than a year. Instead, Uber paid the attackers responsible $100,000 to destroy the data they had downloaded. And such breaches are not confined to the private sector. The Independent Inquiry into Child Sexual Abuse (IICSA) and the Gloucestershire Police were fined £200,000 and £80,000 respectively for revealing the identity of victims through bulk emails in which employees forgot to use the BCC option and respondents replied to everyone in the list; these incidents may be viewed as examples of poor data protection training. Other types of violations include unlawful data sharing, as in the case of the pregnancy and parenting support club Bounty Ltd, fined £400,000 in April 2019. These cases offer some insights into the most common mistakes made by organisations in dealing with people’s data. Organisations across the finance, manufacturing and other business sectors have also been fined by the ICO for not paying the data protection fee.

These examples show that there is a very real and on-going need to monitor and control how organisations use personal data. However, the new acts and regulations – DPA 2018 and GDPR – have yet to bring a real impact in the UK in terms of fines and behaviour change.