What we know, and don't know, about GDPR

The EU’s GDPR rule comes into effect in a year but while some clarity is emerging, doubt reigns

Organisations caught up in the machinations of the European Union’s General Data Protection Regulation could be forgiven for feeling the media frenzy over GDPR is generating more heat than light. With just a year to go before GDPR takes effect on 25 May 2018 we are still in the dark over many areas even if in others we see some glimpses of light.

Based on recent discussions with experts and others in the know, here’s a summary of what we can confidently say we know and what remains nebulous.


We don’t know that much about penalties. Of course the big headline says that organisations can be fined up to four per cent of global annual revenue based on the previous financial year. But will that really happen? Would a German regulator have the gumption to levy a fine running to hundreds of millions of euros against a Volkswagen? Would France do that to an AXA? And would a foreign regulator be more or less likely to impose big hits on one of those companies? “Regulators are saying they’ve got the guts to do it,” says Jonathan Armstrong of law firm Cordery, “but we won’t know until the fat lady sings.”

There’s likely to be a big test case... as with celebrity tax avoiders it will surely be natural for a regulator to make an example of an egregious offender and perhaps a big brand to set an example to others. A lighthouse lawsuit would bring attention and focus to GDPR, showing that regulatory watchdogs have not necessarily been de-fanged. “France has already stated that it wants to make a public example of organisations who breach the regulation once it comes into force to ensure that it isn’t ignored,” notes Chris Bridgland, chief technology officer of storage software giant Veritas.

… but when will that case close? Fines will be appealable so it could be several years before we see the closure of a big-penalty verdict. Remember that UK broadband provider TalkTalk even contested a £1,000 fine imposed by the Information Commissioner’s Office over a failure to notify the ICO of a personal data breach.

The nuisance value of GDPR will be enormous. Finding evidence, redacting other parties mentioned in communications and storing and tagging data to make it searchable in the first place will chew through time and require expensive tools to be acquired. And how on earth will companies be able to spot manual data breaches, for example leaks of data jotted down with paper and pen? “There has to be a reason for subject access requests to be warranted so many of the nuisance requests will be eliminated early in the process,” says Veritas’s Bridgland. “However, there could be class actions, as we are seeing with a high street name right now, based on a prior breach of personal data.”

To continue reading this article register now