GDPR – One Year On

May 14, 2019


May 2019 marks a year since the General Data Protection Regulation (GDPR) was brought into force across the EU.

GDPR, along with the Data Protection Act 2018 (DPA 2018) in the UK, was implemented on 25 May 2018 and applies to all organisations which process individuals’ personal data. The regulations cover businesses of all sizes, ranging from sole traders to global corporations, although the rules differ in some respects depending on the size and activities of the organisation.

Across the EU, data protection regulators have so far issued fines totalling more than €56 million as a result of breaches of GDPR.

In the UK, the Information Commissioners’ Office (ICO) is still busy publishing the results of cases which stemmed from the pre-GDPR Data Protection Act 1998, and has not yet published details of any significant fines it has issued under GDPR – although we can expect these to start filtering through in the next few months.

Despite this, the publicity surrounding GDPR means that many businesses will have seen the practical effects of it in their dealings with their customers and staff.

In relation to staff specifically, an increase in data protection awareness means that we have seen an increase in the number of “Subject Access Requests” (SARs) being brought by employees who want to know what their employers have been doing and saying about them and how they have been using their personal information. The strict rules on SARs under GDPR mean that employers are now nearly always obliged to gather and hand over this information within a month of a request being made.

As a reminder of businesses’ data protection duties, every organisation should:

  • Be registered as a data controller with the ICO

  • Have a privacy notice for employees, workers and contractors (and also for job applicants), setting out how their data may be held and processed

  • Have privacy notices for customers, clients, suppliers and anyone else whose personal data they may handle

  • Have a data protection policy setting out how employees must handle the personal data of others, and the consequences of breaching that policy

  • Have data sharing agreements in place with any third party service providers to whom they may pass personal data

  • Conduct regular data audits and, when necessary, Privacy Impact Assessments when carrying out non-routine data processing activities.

It should also be noted that the rules on data protection in the UK are unlikely to be loosened by Brexit, despite the fact that GDPR is an EU-wide law. The UK Government has committed to preserving the effects of GDPR in the UK at least until the end of any transition period (if the Withdrawal Agreement is ratified by Parliament) and is likely to then seek an agreement with the EU that the rules should continue indefinitely.



Contact Our Team
Fflur Jones
Managing Partner
View Profile
Owen John
View Profile
Rachel Ford-Evans
Senior Associate
View Profile
Rhodri Evans
Senior Associate
View Profile
Siobhan Williams
Senior Associate
View Profile
Stephen Thompson
View Profile

I have worked with Darwin Gray for a number of years and the level of service, professionalism and timely response is second to none. I would highly recommend Darwin Gray to any business.”

Becs Beslee, Dice FM Ltd

Darwin Gray have provided us with a first-class service for many years now. They really take the time to understand our business and develop relationships which results in advice and support that is contextualised and effective.”

Rebecca Cooper, ACT Training

We have worked with Darwin Gray for several years and have always found their services and advice to be first class.”

Karen Gale, Stepping Stones Group

An extremely professional and sincere company who make time for your queries and understand the need to break down certain facts and information to ensure everything is understood perfectly. I would highly recommend the company to anyone looking for any type of legal advice”

Gwawr Booth, Portal Training Ltd

PSS has worked with Darwin Gray for many years. We have always received an excellent service. Prompt and professional advice and support.”

Ledia Shabani, Property Support Services UK Ltd

We have used several departments within DG recently and we have been very pleased with an effective, efficient and down to earth service. Very happy thus far and I expect that we will continue to use DG.”

Guto Bebb, Farmers’ Union of Wales

Darwin Gray offer us truly superb services. Very professional, quick and services available bilingually which is very important to us, highly recommend.”

Iwan Hywel, Mentrau Iaith Cymru

My “go to” in urgent and time sensitive cases for direction, support and advice. The team are quick to respond to calls or emails for advice and support on all matters. Always explain complex matters in a way a lay person can easily understand.”

Margot Adams, Guarding UK Ltd