It’s been nearly a year since one of the largest reforms of data protection law. In the run-up to May 2018, employers across the country were frantically preparing vast amounts of new documents in light of the impending implementation of the General Data Protection Regulation (GDPR). A year later we look at some of the goings-on…

The Data Protection Act 2018

Shortly after the implementation of the GDPR, the Data Protection Act 2018 (DPA) was also enacted. This replaced the Data Protection Act 1998 and ensured the standards set out in the GDPR were enacted in the UK.

The DPA is designed to ensure that the UK will be able to freely exchange personal data with the EU post-Brexit. When the UK leaves the EU, it will become a 3rd party country for the purpose of personal data transfer, and as such it will need to show an adequate level of data protection so that transfers of data between the EU and the UK can continue. However, it remains to be seen when the UK will exit the EU and on what basis.


There have been a number of ICO penalties issued for breaches of GDPR. Some examples include:

  • Facebook was fined £500,000 for collecting personal data about the Facebook friends of users, without those friends being informed that their data was being collected, and without them being asked for consent.
  • Several charities including Cancer Research UK, Macmillan Cancer Support and The Royal British Legion were fined various amounts for failing to adequately indicate in their privacy notices that personal data may be processed for wealth analysis to identify those who were in a position to donate more money.
  • Uber were fined £385,000 for inadequate security arrangements that led to cyber attackers being able to download a large amount of personal data about drivers and customers.

There were also data protection cases that, whilst not directly enforced by way of a fine from the ICO, were particularly relevant in light of the new GDPR. In particular, Morrisons supermarket was held vicariously liable when an employee maliciously misused the personal data of nearly 100,000 Morrisons employees. Whilst Morrisons was not blamed for the way it had handled data, it will be responsible for compensating those affected by the employee’s actions. Morrisons has appealed the decision.

The future…

No doubt, there will be some more hefty fines along the way. If you would like a review of how compliant you are or what you could do to improve your data protection, Omnia has qualified GDPR practitioners who can provide you with a mini audit report at a minor cost to your business, saving you from those fines. Get in touch to find out more details.


Omnia’s staff are all GDPR trained and we can offer your staff a low-cost, GCHQ-approved e-learning course which only takes 30 minutes.