GDPR: What’s happened in the first year?

This time last year, companies all across the world were scrambling to make sure they were compliant under the new General Data Protection Regulation (GDPR). Despite being warned several years earlier, many businesses were either unaware or unprepared to meet all the requirements in time.

GDPR promised to make consumers’ data more secure and better protected, but has it been able to achieve that so far? We take a look at we’ve learnt in its first year.

1. Lots of companies are still not compliant


Worryingly, just 59% of companies think they are GDPR compliant, which means the number of businesses that actually do meet all of its requirements is likely much lower. Why is compliance so low? Well, businesses are struggling with a number of issues, including meeting data security requirements (42%), internal training (39%) and staying on top of how the regulation is being interpreted and developed as it matures (35%).

Smaller companies may not have known much about GDPR at all until 2018, while larger businesses with legitimate interest in the UK might not have prioritised the regulation in the midst of Brexit uncertainty. Whatever your reason for non-compliance, regulators are already cracking down on businesses of all sizes, so make sure yours is one of the 59%!

2. More than 200,000 breaches and €55.96 million in fines

Across Europe, 206,326 GDPR breaches have been reported so far, consisting of 94,622 complaints and 64,684 data breach notifications. Only 52% of those cases have been closed and just 1% are facing a challenge in national courts.

Since it’s only the first year of GDPR, it’s unsurprising that progress has been slow, but a total of €55.96 million in fines have been issued so far, €50 million of which went to Google. The French data regulator, CNIL, administered the fine after it found Google’s processes related to ad personalisation lacked valid consent and transparency.

3. Uber and Facebook escaped major fines in the UK


Unfortunately for consumers, several large companies escaped major GDPR fines in the UK, as the data breaches were investigated under the Data Protection Act (DPA) instead. The Information Commissioner’s Office (ICO) could only issue a maximum fine of £500,000 under the DPA (or 1% of annual turnover in some cases), compared with £17.7 million (€20 million) or 4% of the company’s annual turnover, whichever is higher, under the GDPR.

Uber was fined £385,000 by the ICO under the DPA last year, for a severe data breach. It was so serious, in fact, that it agreed to pay a £112 million ($148 million) fine in the US – a stark contrast to their UK fine!

Facebook, meanwhile, was fined the maximum £500,000 by the ICO for collecting the personal data of users’ Facebook friends without their consent. Again, if the organisation had been investigated under the GDPR instead of the DPA, the fine would have probably been a lot higher.

4. The ICO is inundated with complaints

In the first month following GDPR’s enforcement, the ICO received 1,700 reports of data breaches. This has now calmed down to around 400 per month, but it’s a lot for an organisation with just over 500 employees. Between 2017 and 2018, the ICO handled more than 200,000 calls to their helpline, 16,000 data protection complaints and 5,000 freedom of information complaints. These numbers may now be much higher since the introduction of GDPR – the ICO receives more than 500 calls a week related to data security and privacy.

If you think consumers don’t know or care about GDPR, you’re wrong. Plenty of people are making complaints about companies they believe have broken the rules, so make sure no one complains about your practices!


Still worried you’re not compliant? The ICO website has lots of GDPR resources that can help. Our very own GDPR eBook also answers some of the most frequently asked questions, including how GDPR affects customer reviews. Click the banner below to download it now.

GDPR banner.png

Net Promoter® and NPS® are registered trademarks of Bain & Company, Inc., Satmetrix Systems, Inc., and Fred Reichheld.

Tagged under: Blog