GDPR - One year on


It's been a year since 25th May 2018 when we saw GDPR (the General Data Protection Regulation) come into force in the EU. In this post we take a look back and reflect on the impact of this law over the previous twelve months.

If you didn’t catch our blog post last April where we covered our take on the new regulation, you can find it here: TwentyCi’s take on GDPR.


What we know now

  • The world did not end on 25th May 2018!

  • There was a significant flurry of emails from brands asking data subjects to re-consent. Most of these emails may not have been necessary, but many businesses sent them regardless, likely concerned that they might miss the opportunity to secure consent for their contact data. This led to many companies deleting larger volumes of their databases than was perhaps necessary.

  • Consumers have more awareness of their data protection rights through the increased media attention seen over the last year, some of which has focused data subjects on “consent”, possibly leading to increased confusion.

  • According to the DMA’s 2019 consumer email tracker research report, 41% of consumers said that the new rules have made them more confident about how brands treat their personal data and that they find themselves wondering where brands sourced their email address much less often. This is great news for our industry. At TwentyCi we have seen a reduction in requests for information from consumers; insight which supports this research.

  • More data breaches have been reported in the media in the last year. However, in September 2018, the deputy ICO said that organisations were over-reporting, no doubt a by-product of businesses not wanting to get their GDPR approach wrong. The ICO has added more content to its website about this topic and has a self-assessment section to help businesses understand what does need to be reported.

  • The ICO has published a wide range of guidance in the last year covering everything from international transfers, contracts, liabilities and encryption, to guidance on when PECR (the Privacy and Electronic Communications Regulations) and when GDPR applies; information which is all available in the GDPR section on the ICO’s website.

  • Overall, we have seen that clients are now more confident with how the regulation applies to their company and the general mindset is very much business as usual.

The important thing to remember is that the 25th May 2018 was not a deadline; it was the start of an ongoing journey of compliance.


What’s next?

The new ePrivacy Regulation is on the horizon. This is set to modernise the existing ePrivacy Directive of 2002 (amended 2009) and to replace the 2003 Privacy and Electronic Communications Regulations (PECR). The original aim was for this to come into force at the same time as the GDPR, but it was not ready and is currently still being debated, with the exact timings not yet known. We do know, however, that it will affect electronic marketing communications, tracking technologies, security and more. Some great industry resources to keep an eye on for progress and updates are The DMA and The Data Protection Network.


If you have any specific questions on GDPR, please contact our GDPR team –

Disclaimer: The information provided here reflects our views of the GDPR. It does not constitute legal advice and our views may change as the Information Commissioner's Office publishes more guidance. You should consider taking your own legal advice as you see appropriate.