Data protection has not gone away

12 June 2019

This time last year every organisation in the country seemed to be rushing to meet the requirements of the General Data Protection Regulation (GDPR), with email in-boxes across the country filled with requests to confirm the right to keep and use personal information.

Then the deadline for compliance passed, everyone breathed a sigh of relief and GDPR seemingly dropped off the radar.

Looking back over the year, Deloitte has highlighted that there has not so far been a significant fine as a result of a breach, despite the fact that a survey it conducted six months after GDPR became effective found that just a third of organisations were responding to customer data requests on time.

PricewaterhouseCoopers (PwC) has also examined the data protection landscape and suggested that: “The absence of any GDPR fines in 2018 was not surprising, as it takes many months for cases to work through the system, but we know that they are on their way”.

Even at this early stage, the sum of monetary penalties issued to UK organisations for breaching data protection laws in 2018 totalled more than £6.5 million, it highlighted, over £2 million more than the previous year.

PwC analysed the UK Information Commissioner’s Officer (ICO) data protection enforcement actions, looking at monetary penalties, enforcement notices, prosecutions and undertakings. The data showed that, while the total sum of fines has increased, the number of enforcements issued fell to 67 in 2018, from 91 in 2017.

Marketing accounted for 50% of infringements with telephone calls responsible for 64% of this type of infringement. Private sector companies were involved in 86% of the enforcements with a quarter of enforcement actions relating to personal data security breaches.

PWC’s 2018 Privacy & Security Enforcement Tracker can be found at

Comment by BrightHR Chief Technological Officer Alastair Brown

This time last year, data protection seemed to be the hot button topic of the HR world but since then attention appears to have been turned to other things.

That said, the introduction of GDPR was a starting date, not a deadline, and employer obligations under data protection law remain very current. Although there does not yet appear to have been a significant fine since the introduction of GDPR, I would caution employers not to ignore data protection compliance.

Granted, it can be very complicated, but putting some time and effort into getting procedures right will pay dividends in the future.