As you’re likely aware, the General Data Protection Regulation (GDPR) came into effect on May 25, 2018 to better protect the privacy of European citizens and provide them with more control over their own data. Additionally, the law was designed to create more awareness among organisations about the secure processing of personal data so that they can act responsibly and avoid potential breaches.
For companies located in the UK, the GDPR framework remains unchanged until the end of 2020, when new data protection legislation is poised to follow. Right now, UK companies must continue to comply with the GDPR, and should plan to do so indefinitely if they collect data on European contacts such as customers.
Failure to comply can be costly
Organisations in breach of GDPR regulations run the risk of substantial fines. These fines can be up to €20 million or 4% of the worldwide annual turnover, much higher than the maximum penalty of £500,000 under the UK’s pre-digital-age Data Protection Act. UK-based companies have been in the news for some of the most prominent breaches since the GDPR came into effect. Two of these high-profile cases incurred eye-popping fines for data breaches in 2019.
British Airways was handed a £183.4m penalty for a massive breach just days after Marriott International incurred their own £99m fine. This is on top of the reputational damage and other incurred costs stemming from these regrettable incidents. Both companies are appealing the decision, but the breaches have been highly consequential either way.
More recently, EasyJet experienced a data breach compromising over 9 million customer records in May 2020. The GDPR fine for this incident is expected to run high, given the number of data subjects involved. This would be on top of the group litigation currently underway seeking £18 billion (!) in damages over the breach. In response to this incident, a spokesperson at the Information Commissioner’s Office (ICO) said the following: “People have the right to expect that organisations will handle their personal information securely and responsibly. When that doesn’t happen, we will investigate and take robust action where necessary.”
Your path to GDPR compliance
So although your organisation may not be fully compliant right now, it’s important to remedy this as soon as possible. It may seem daunting at first, but it can be easier to achieve than it seems.
Our data protection experts have developed some helpful tools, including a detailed checklist for you in this guide, so that you can be on the path to compliance in no time.
- It’s 2020, why is the GDPR still in the news?
- Will the GDPR be replaced with the Data Protection Act 2018?
- What will happen in 2021 with data protection regulation in the UK?
- My organisation is still not fully compliant with the GDPR, why should I bother now?
1 How data protection has evolved in the UK
It’s 2020, why is the GDPR still in the news?
The UK will soon adopt its own version of the GDPR, with the current transition period set to end on December 31, 2020.