GDPR 12 Months On – Lessons Learned

The GDPR and the Data Protection Act 2018 have now been in force for 12 months. GDPR day (25th May 2018) was heralded by messages of impending doom and the threat of eyewatering fines for organisations that did not comply. 12 months on, what has the practical impact of GDPR been on organisations? We thought that we would mark the anniversary of GDPR with a look back at the past 12 months and the lessons learned.


Lesson learned: Policies and procedures must be up to standard and fit for purpose

The key documents you need to get right are your organisation’s:

  • Public facing privacy notice
  • Internal staff privacy notice
  • Data inventory or Information Asset Register (i.e. your record of data processing)
  • Data Breach Reporting Procedure and internal data breach record
  • SAR & Individuals’ rights procedure

If these documents, particularly your organisation’s privacy notice, are not to the required standard, it can severely impact the organisation’s ability to process personal data lawfully and can leave it significantly exposed.


Lesson learned: Your organisation’s data protection compliance must keep pace with changes in processing activities

Processing activities rarely stand still: new systems, suppliers and purposes are introduced over time. Your organisation needs to ensure that its data protection compliance at a minimum keeps pace with these developments and, in the best-case scenario, predicts or pre-empts them. Undertaking Data Protection Impact Assessments (where required), updating the record of processing activities and updating any privacy information are all key compliance requirements when it comes to new processing activities.


Lesson learned: Ensure staff training is refreshed periodically, so that staff awareness of their obligations and those of their employer under data protection legislation is maintained. It is also important to ensure that new joiners receive training as part of their induction process.

The ICO made it clear early on that it expected all staff to receive training on data protection, and this message hasn’t changed. For example, the ICO specifically asks on the personal data breach notification form whether the staff member(s) involved in the breach have received data protection training in the past 2 years. If the answer to that question is ‘no’, further enquiries are likely.


Lesson learned: Embrace GDPR as a way to improve your organisation’s data protection practices and enhance its reputation.

The obligations under the GDPR place many more responsibilities on data controllers. The GDPR is, however, ultimately there to help organisations ensure personal data is used in the right way. There is no doubt that compliance with the GDPR takes time and effort; however, once organisations have their policies and procedures in place, these should mitigate the misuse of personal data and help preserve an organisation’s reputation, e.g. in the event of a personal data breach.

As always, the Information Law Team at Geldards are here to help with any queries or issues you may have when it comes to data protection. We also have a GDPR tool-kit to help organisations with their obligations, which includes:

  • Template privacy notices
  • A suite of data protection policies, including breach notification & individuals’ rights
  • Staff training packages; and
  • Online training modules (foundation and refresher courses) which staff can do at their desks

For further information contact one of the Information Law Team.
