GDPR – where are we now?

25 May 2018 saw the GDPR and the Data Protection Act 2018 come into force. Many ‘do you still want to hear from us’ and ‘read our new privacy notice’ emails were sent and received. Seven months on, where are we now?

Huge rise in data subject access requests (SARs)

Data subjects are now well aware of their rights. Article 15 of the GDPR entitles data subjects, in certain circumstances, to access personal data that a data controller processes about them. 

Although the right to make a SAR existed pre-GDPR, there has been a significant rise in the number of SARs organisations are receiving. Under GDPR, organisations must provide their response to a request in a ‘commonly used electronic form’. Furthermore, data controllers can now only charge a “reasonable fee” based on administrative costs when responding to such a request. 

In some circumstances repeated or excessive requests may be refused, or an extension of time (the norm is one month) can be applied. However, there is little guidance on the use of these limiting provisions, and no case law – yet.

Organisation is key when a SAR is received. The scope of the SAR could be very wide and the relevant personal data very extensive, especially employee data. Data controllers might seek to refine the scope of the SAR as a first step.  Then all the personal data relevant to the SAR should be collated. It then needs to be decided whether the personal data is disclosable, or whether an exemption applies. If the personal data is disclosable, carefully apply the balancing test in relation to disclosing personal data of a third party. It may be more appropriate to redact their information than to disclose it.  There is also a list of prescribed information which must be given to data subjects, as well as the data they have sought.

Finally – it’s always worth remembering that even though it feels like the same exercise, responding to a SAR is not the same as litigation disclosure.

1998 or 2018 Act?

Since May, reported high-profile data breaches include: 

Marriott Hotels –  personal data of approximately 500 million guests was compromised (November 2018);

British Airways – theft of customer data relating to customer bookings (21 August to 5 September 2018);

Dixons Carphone – compromise of data of up to 10 million customers after a hack was discovered (June 2018); 

Ticketmaster – customers purchasing tickets between February and June 2018 may have been affected. 

In relation to the Ticketmaster data breach, the ICO stated:

“We will look at when the incident happened and when it was discovered as part of our work and this will inform whether it is dealt with under the 1998 or 2018 Data Protection Acts.”

The ICO also released a similar statement in relation to Dixons Carphone.

The ICO needs to decide whether to issue sanctions under the old or new regimes. The monetary penalties under the 2018 Act are significantly higher than the maximum £500,000 under the 1998 Act. 

Fines issued

The ICO is yet to issue a fine under the Data Protection Act 2018, but watch this space!

In October 2018 the ICO fined Facebook £500,000 (the maximum under the 1998 Act) for a series of data breaches. The ICO commented:

“We considered these contraventions to be so serious we imposed the maximum penalty under the previous legislation. The fine would inevitably have been significantly higher under the GDPR. One of our main motivations for taking enforcement action is to drive meaningful change in how organisations handle people’s personal data”.

Data protection fees

Under the Data Protection Act 2018, all organisations, companies and sole traders that process personal data must pay an annual fee to the ICO (unless they are exempt). 

More than 900 notices of intent to fine (due to non-payment of the data protection fee) have been issued by the ICO since September 2018. More recently, the ICO has targeted care homes for non-payment of the fee.

The fees and respective fines are: 

Tier 1 – micro organisations. Maximum turnover of £632,000 or no more than ten members of staff. Fee: £40 Fine: £400

Tier 2 – SMEs. Maximum turnover of £36million or no more than 250 members of staff. Fee: £60 Fine: £600

Tier 3 – large organisations. Those not meeting the criteria of Tiers 1 or 2. Fee: £2,900 Fine: £4,000

As illustrated above, the fee is significantly lower than the fine.  So it is worth re-visiting whether you are registered with the ICO and if you have paid your annual fee.


And finally – on 13 December, the Information Commissioner published a helpful and timely blog, available on the ICO’s website, about the data implications of a no-deal Brexit.

Jaya Bajaj, trainee solicitor

Daff Richardson, partner

December 2018

Penningtons Manches LLP