What lessons have we learnt from 2 years of GDPR?

Written by Joe A. J. Beaumont on 26/06/2020

GDPR is still a problem for many businesses

GDPR recently breezed past its second birthday and, like many two-year-olds, continues to cause concern and confusion for those who have to deal with it. Unlike real two-year-olds, however, GDPR is quite clear in what it demands, and there can be big consequences if those demands are not met.

For businesses, failure to meet GDPR’s requirements represents an increased risk of data breaches and the reputational damage and legal repercussions that breaches inevitably lead to. These risks are not inconsiderable: the reputational damage alone is often enough to wipe out a business.

So, with so much resource and support available for GDPR, why are so many organisations still struggling with it?

Using our two years of lessons learnt, this blog will examine what companies are still getting wrong and show what can easily be done to solve the challenges.


Lesson One: Deadline apathy

We saw that a great number of UK organisations did nothing in the period from 2016, when GDPR was adopted, to 2018 (the implementation deadline). As the deadline loomed on 25th May 2018, I’m sure we all remember the emails flooding our inboxes from companies desperate to still be able to market to us. There were articles and comments galore on the subject of GDPR, theories of instant enormous fines, and then... nothing happened. The clock ticked over to May 26th, and too many companies thought "oh, it's over now, I'll just carry on".

The lack of media coverage combined with the lack of high-profile ICO action over the last two years has only encouraged this attitude, and we see a lot of companies say "it doesn't matter, the ICO won't fine us”. As a result, GDPR gets pushed further down the corporate agenda and the risks (as outlined in the first paragraph) continue to grow.

The solution to this is education, education, education. The ICO themselves ran a lot of awareness campaigns in the run-up to GDPR, but these were aimed at data subjects and their rights, rather than at businesses and their obligations. The result is that the public are much more aware of their rights and more sensitive to privacy implications, meaning companies are much more likely to get challenged (and reported) on their dodgy data use by data subjects. But educating data subjects has come at the cost of clarity for businesses.

To fill this knowledge gap, the open market has had to step in to drive up the standard of corporate awareness. This is something we at Bulletproof work hard to promote. For example, here’s a recent webinar we hosted where we shared insights into why companies failed to meet the requirements of GDPR, as well as how they could rectify it.


Lesson Two: The ICO and regulatory pressure

The past two years have seen many high-profile data breaches. If I say BA, Marriott and (more recently) easyJet, you’ll know what I mean. But despite the high-profile fines associated with these events (BA was fined £183m), the ICO isn’t very active. The headline-grabbing £18 billion loss that easyJet are facing is from a class-action lawsuit, not a regulatory fine.

In fact, compared to other Supervisory Authorities, the ICO barely registers. In a list of the most recent fines, the ICO isn’t even in the top 50, with the likes of Italy, Greece, Spain, Bulgaria, Hungary, Iceland, Denmark (and many more) all issuing multiple fines in the same period. But it’s important to note that this inactivity isn’t a result of policy – it’s a result of under-resourcing.

The Information Commissioner herself, Elizabeth Denham, was warning of a critically under-resourced ICO as early as 2017. The ICO simply doesn’t have the capacity to investigate and take action on all the cases they want to (in case you’re wondering, the fines levied by the ICO go directly to the Treasury). This further spreads the idea, especially at the smaller end of SMEs, that “the ICO won’t fine me”. Which is a bit like poking a sleeping dragon with a stick: it’s fine, until it wakes up. As the rights of data subjects move up the political agenda and data subjects themselves feel empowered to report your business, the ICO dragon will awaken. And then it’s coming for your business.

Indeed, this perceived inactivity is no reason to ignore GDPR. To illustrate the point, look at the case of the ICO’s first ever GDPR fine: a pharmacy in North London was fined £275,000 for carelessly storing documents containing patient data. So it’s clear that ICO action is real, and so are the fines.

Whilst we’re on the subject, ignoring the financial risk also means ignoring the non-financial risks to your business. The reputational damage caused by a data breach could destroy your business quicker than a large fine. The solution for both of these issues is the same: act now. The best time to start your GDPR project was 2 years ago. The second-best time is right now. Don’t forget that GDPR isn’t some exotic foreign legislation – it’s enshrined in UK law as the Data Protection Act 2018. Directors don’t ignore a company’s other legal obligations like tax or employee right-to-work checks (and so on), so why ignore GDPR? Our advice is to take all your legal obligations seriously and become GDPR compliant before it’s too late.


Lesson Three: Management buy-in & resource

Moving away from regulatory matters, let’s dive into organisations. Much like ISO 27001, GDPR needs senior management buy-in to succeed. Bulletproof has repeatedly seen that without senior management buy-in, a company’s GDPR efforts fail. Without an example being set, no-one else in the company will bother. GDPR needs to be seen as a core corporate priority that spans all layers of the business.

That’s not the biggest problem with lacking management buy-in, however. The biggest hurdle is resourcing. Without top-down support, even a well-managed GDPR project will struggle for budget and resource: external help, internal training, and giving staff the time to do the work required. Building internal teams to take on GDPR responsibility only adds to the resource cost, which is why many organisations gain senior management buy-in with cost-effective outsourcing models that deliver expert GDPR knowledge for much less cost, and much less hassle.


Lesson Four: Corporate compliance culture

Finally, we have companies who realise the risks, have got management buy-in, have committed to doing GDPR, and go right through the process from top to bottom. Sounds great, but problems can still arise.

True GDPR compliance is not a one-and-done exercise. It can require a lot of work for some organisations, and once you get over the initial hurdle, it’s tempting to stick it on a shelf and call it complete. But without constant review, your compliance will very quickly be broken – and you won’t even know it. GDPR is transformative and needs to be built into day-to-day business as usual. GDPR is only successful when it gets embedded in the culture of a business.

This means that someone, somewhere needs to take ownership of data privacy and GDPR within your organisation. They need to work across all departments to bring it all together. Even with management buy-in, this can be a daunting prospect. Data protection expertise isn’t cheap, and there might not be the volume of work for a full-time staff member. It’s for these reasons that outsourcing of this role is rapidly gaining popularity, as it delivers top-tier GDPR and data protection expertise on a cost-effective retainer. Bulletproof’s expert Data Protection Officers undertake this responsibility for many companies, saving them time and money, and keeping them compliant with GDPR.


In summary

To recap, here are the four lessons we’ve learnt from the last 2 years of GDPR.

  • Lesson One: Deadline apathy

    Don’t think that because the implementation deadline has passed, you’re out of the woods. As time goes by, GDPR non-compliance puts your business more at risk than ever.

  • Lesson Two: The ICO and regulatory pressure

    The ICO has fined, and does fine, companies for non-compliance. Don’t ignore the very real risks that fines and reputational damage present to your business.

  • Lesson Three: Management buy-in & resource

    Without senior management buy-in, your GDPR project will fail. Given that cost is an ever-pressing concern, presenting the board with a cost-effective outsourced model can help.

  • Lesson Four: Corporate compliance culture

    GDPR compliance is a living process that needs to be seamlessly embedded into your business-as-usual operations. As with implementation, maintenance can also be achieved more easily and cheaply with an outsourced option.
