25 November 2018 marked the six-month anniversary of the General Data Protection Regulation (GDPR) officially coming into effect. Quentin Hunt has been examining the implications of early high-profile test cases under the regulations – and reporting on what this might mean for organisations in the future.
Although it adopts the same principle-based approach as the preceding Data Protection Act 1998, GDPR has significantly increased the ability of regulators to impose fines – with the maximum for some offences now set at 20 million euros or 4% of global turnover, whichever is higher.
GDPR has also made the obligations on data controllers more onerous than they were before, with the consequences of non-compliance more severe and, crucially, less predictable. This makes GDPR a significant business risk that is difficult to assess and mitigate, as three of the early legal cases demonstrate, Hunt says.