GDPR: One Year On

Request A Callback

Let's take a few details.

Back in May, the anniversary of a huge event passed by with amazingly little fanfare, which is somewhat surprising. This is considering the pre-launch hype and how, with time, its name and its legacy has become monumental around the world.

I wouldn’t blame you if you were struggling to think of one single thing that ever happens in May. No, I am not talking about a celebrity’s birthday or even the launch of the original Star Wars movie in 1977. So, what anniversary am I alluding to?

Well, very simply, the event in question was the launch of the EU regulation called the General Data Protection Regulation (GDPR). Years in the making, it finally became law across Europe on 25th May 2018 and has revolutionised the concept of data protection across the globe. Today, far more people than ever know about data protection and that they have rights in relation to what their data is used for, and that is all thanks to the GDPR.

Our regulator in the UK, the Information Commissioner’s Office (ICO), has seen a considerable increase in public engagement and awareness of data privacy. The ICO’s website has seen a 32% increase in the number of users accessing its website and an increase of 66% contacting its helpline and written advice services.

In the report, ‘GDPR – One Year On’, published on 30th May, the ICO say they have received 14,000 reports of personal data breaches, a 400% rise under the GDPR compared to the old regime. A high proportion of these cases required no further action from the organisation. However, the ICO views over-reporting of data breaches as a positive demonstration that businesses are taking GDPR seriously and are being proactive.

Over the last year Atalian Servest employees, myself included, have invested a vast amount of time and effort to deal with breaches and requests from individuals to see their personal data (Subject Access Requests in GDPR parlance). Few exemptions apply, although data may be redacted or deleted from some documents if, for example, they contain third-party data, but otherwise we must be “purpose blind”. What that means in practice is while there may be a clear motivation behind a request, especially where there is a dispute between the organisation holding the data and an individual, including an employer and employee, we cannot refuse to disclose the personal data.

Why does all this matter so much? Well, it must be remembered that with very few exceptions (limited to things about state security, crime etc.) an organisation that collects, holds and processes personal data about an individual does not own that data. It always belongs to the individual for as long as he or she is alive and kicking (all data protection rights die with an individual). So, organisations must respect an individual’s personal data and only use it fairly and lawfully, including only collecting data that is necessary for stated purposes and keeping it for a limited period.

To illustrate how seriously the EU regards data protection, the GDPR includes fines for failing to adhere to the rules at a level that caught everyone’s attention and dominated the headlines. There are two simple scales, based on the level of infringement; either up to €10m or 2% of annual turnover or up to €20m or 4% of annual turnover. To date, the largest fine issued by a European data protection regulator (France’s CNIL) is €50m fine against Google (subject to appeal). As of July 2019, the ICO have issued a notice of its intention to fine both British Airways and Marriot International after extensive investigations. These GDPR infringements are likely to see a fine of £183.39M for British Airways and more than £99M for Marriot International.

For the GDPR, a piece of legislation that may, like its predecessor the Data Protection Act 1998, last for 20 years, it is early days. Beyond raising awareness of data protection in the UK and Europe, the GDPR’s impact across the world is evident. From the California Consumer Privacy Act, which comes into effect on 1st January 2020 to Brazil’s LGPD that is expected to become applicable in August 2020; there is also draft legislation in progress from India to Argentina.

While I doubt anybody is ever likely to sit in a comfy chair with a bag of popcorn and read a freshly printed copy of the General Data Protection Regulation, it is undoubtedly of paramount importance to every business. With global importance and a vast, and growing base of people who are beginning to understand and recognise the importance of it, it may one day become even more famous than Star Wars itself.

Andreas Loizides (Data Protection Officer)

Cookie	Duration	Description
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
JSESSIONID	session	Used by sites written in JSP. General purpose platform session cookies that are used to maintain users' state across page requests.
PHPSESSID	session	This cookie is native to PHP applications. The cookie is used to store and identify a users' unique session ID for the purpose of managing user session on the website. The cookie is a session cookies and is deleted when all the browser windows are closed.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
wordpress_test_cookie	session	This cookie is used to check if the cookies are enabled on the users' browser.

Cookie	Duration	Description
__cf_bm	30 minutes	This cookie, set by Cloudflare, is used to support Cloudflare Bot Management.
bcookie	2 years	LinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser ID.
lang	session	This cookie is used to store the language preferences of a user to serve up content in that stored language the next time user visit the website.
lidc	1 day	LinkedIn sets the lidc cookie to facilitate data center selection.

Cookie	Duration	Description
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_gat_gtag_UA_107260158_1	1 minute	Set by Google to distinguish users.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
CONSENT	2 years	YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.

Cookie	Duration	Description
_fbp	3 months	This cookie is set by Facebook to display advertisements when either on Facebook or on a digital platform powered by Facebook advertising, after visiting the website.
bscookie	2 years	This cookie is a browser ID cookie set by Linked share Buttons and ad tags.
fr	3 months	Facebook sets this cookie to show relevant advertisements to users by tracking user behaviour across the web, on sites that have Facebook pixel or Facebook social plugin.
personalization_id	2 years	Twitter sets this cookie to integrate and share features for social media and also store information about how the user uses the website, for tracking and targeting.
test_cookie	15 minutes	The test_cookie is set by doubleclick.net and is used to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt.innertube::nextId	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.

Cookie	Duration	Description
AnalyticsSyncHistory	1 month	No description
li_gc	2 years	No description
UserMatchHistory	1 month	Linkedin - Used to track visitors on multiple websites, in order to present relevant advertisement based on the visitor's preferences.

Recent Posts

Categories

Services

Sectors

About us

Careers

Group Head Office

Northern Office

London Office

Scottish Office

Midlands Office