GDPR: Five Years of Shaping the Data Protection Landscape

Today, 25 May 2023, marks five years since the GDPR and the UK Data Protection Act 2018 came into force. When we started on this journey back in 2018, we did not know exactly how the GDPR would work, what attitudes towards compliance would be, or how it would shape the data protection landscape. One of the aims of the GDPR was of course the harmonisation of data protection laws across the EU and, whilst we can say that it has been successful to some extent, that is not the end of the story. Each EU member state also has its own supplementary data protection legislation, and since Brexit and the end of the transition period we now have the UK GDPR rather than the EU GDPR.

One thing is certain: the GDPR has shaped the way in which businesses collect and process data, and the way other countries approach data protection. An ever-increasing number of countries outside the EU are now introducing their own laws and regulations, many of them heavily influenced by the GDPR.

Given this anniversary, we wanted to examine what the GDPR has achieved, the challenges businesses have faced and what the future looks like for the UK GDPR.


Enforcement

Since the introduction of the GDPR, the Information Commissioner’s Office (ICO) has had the power to impose fines of up to £17.5 million (the UK GDPR figure; the EU GDPR sets €20 million) or 4% of a business’s total annual worldwide turnover, whichever is higher.

Back in 2018 there was a lot of concern about fines at those levels being issued to any data controller in breach of the GDPR, and many businesses, especially small and medium-sized ones, were worried about the potential impact. However, we were of the opinion that fines at those levels were likely to be rare and reserved for the most serious cases.

We have since seen several high-profile enforcement actions for non-compliance and breaches of the GDPR. In 2019 the ICO announced its intention to fine British Airways over £183 million for a data breach affecting around 500,000 of its customers; the penalty finally imposed, in 2020, was £20 million. More recently, in April 2023, the ICO fined TikTok £12.7 million for misusing children’s personal data.

Whilst those fines are high, we have also seen the ICO become increasingly active against smaller organisations, for example over nuisance calls and failures to respond to subject access requests. In February 2023 the ICO fined It’s OK Ltd £200,000 for making over 1.7 million unlawful calls. Compliance therefore continues to matter, and buy-in from the top down remains a priority.

The ICO is also working closely with companies to encourage data protection compliance. This is part of the ICO’s three-year strategic plan, ‘ICO25’, which aims to open the door to innovation while encouraging businesses to process personal data responsibly.

International Data Transfers

Perhaps one of the trickiest issues we have all had to grapple with is how personal data can lawfully flow across international borders to a country outside the EU/UK for which no adequacy decision is in place.

Until June 2021 we had to rely on the outdated model clauses to permit such transfers. These were no longer fit for purpose, and the introduction of the new EU standard contractual clauses, followed by the UK’s own international data transfer agreement and the UK addendum to the EU clauses, was therefore a welcome relief. They do not come without their challenges, however, for example the need to carry out a transfer risk assessment before relying on them.

We are still waiting for news on the replacement for the EU-US Privacy Shield (struck down by the Schrems II judgment in 2020), the EU-US Data Privacy Framework, and Max Schrems has already said that the new framework may not be enough to satisfy the requirements of the GDPR, so a Schrems III judgment may be on the horizon. International data transfers therefore remain a tricky area for many companies, particularly where a new supplier or system based outside the EU or UK was introduced into the business without the transfer being considered.


Impact on technology 

The GDPR replaced Directive 95/46/EC (the Directive), which dated from the early days of the internet. Technology had advanced rapidly since the Directive, and the ways in which businesses collected data had completely changed, so a replacement was needed.

The GDPR not only redefined personal data but also required businesses to build privacy by design and by default into their services from the outset. This has led to privacy-focused measures such as encryption, pseudonymisation and anonymisation (bearing in mind that pseudonymised data, unlike truly anonymised data, remains personal data under the GDPR), as well as a stricter standard for consent when collecting user data: clear and explicit opt-ins, expressed in plain, user-friendly language. This has become increasingly important for cookies and similar technologies. Data Protection Impact Assessments (DPIAs) require businesses to demonstrate that they have identified and mitigated the risks any new technology may pose, which has helped to reduce privacy risk since the GDPR was first implemented.

However, since the GDPR was drafted (and even before it came into force), technology has continued to develop. Most recently we have seen a new wave of technology, including advances in automated decision-making and AI. The pace of development is unprecedented, and for tools such as ChatGPT the data submitted may be used to train the model for future outputs, potentially exposing personal data entered by users. ChatGPT is only the start of the generative AI programs we expect to see over the next few years, which of course raises questions about whether the GDPR is still fit for purpose.

This uncertainty may lead businesses to halt projects that could have been beneficial or, alternatively, to implement them without considering data protection at all, on the mistaken assumption that a new technology is unregulated. The GDPR applies to personal data however it is processed, and a project launched on that assumption could compromise the security of the data, so businesses need to look at this closely.

The future of GDPR 

It is clear that there are some shortcomings in the GDPR as currently drafted, and the Government has introduced the Data Protection and Digital Information (No. 2) Bill, which is currently at committee stage in the House of Commons. The aim of the Bill is to amend the Data Protection Act 2018 and the UK GDPR to reduce the burden on businesses, so that data protection does not hinder innovation. Among other things, the Bill proposes that records of processing activities be required only where processing is likely to result in a high risk to the rights and freedoms of individuals; lowers the threshold for refusing a subject access request from ‘manifestly unfounded or excessive’ to ‘vexatious or excessive’; replaces the requirement to appoint a Data Protection Officer with a ‘senior responsible individual’; and would reconstitute the Information Commissioner’s Office as a corporate body, the Information Commission, with a board structure similar to Ofcom’s.

We have also seen the development of the EU AI Act, which aims to ensure that AI can be used in a safe, transparent and non-discriminatory way and is the first regulation of its kind. In the UK, the Government has published a white paper, ‘A pro-innovation approach to AI regulation’, in the hope that the UK will become a science and technology superpower.

Final thoughts: has the GDPR been a success?

The GDPR has clearly transformed the data protection landscape and has succeeded in raising awareness of privacy, not just in the UK but across the globe. Whilst we had some form of data protection legislation in place, based on the Directive, for many years, the GDPR really propelled data protection and privacy into the spotlight, not just because of the fines but also because of its requirement for data controllers to create a safer and more privacy-conscious working environment.

Given these changes, and the fact that the GDPR is five years old, this is the ideal time for businesses to review their data protection obligations and update all documentation, including records of processing activities, to ensure compliance.

If your business needs help with this, you can contact Emma Loveday-Hill directly at elovedayhill@prettys.co.uk or join our data protection hub for our latest legal updates, articles and invitations to our exclusive events at https://www.prettys.co.uk/join-data-protection-hub 

Expert
Emma Loveday-Hill
Partner