GDPR: All bark no bite, three years on

Three years ago today, the General Data Protection Regulative (GDPR) was introduced as part of EU law on data protection and privacy. However, on its third anniversary, Russell Loarridge, Director UK of ReachFive, argues that the regulation is all bark and no bite.

It has been three years since GDPR legislation came into effect on May 25th 2018. Although setting up GDPR was an excellent move to enable EU – and UK – citizens to gain more control over their data, three years on and this dog is still all bark and no bite. At this stage, despite the hefty fines imposed on some firms for breaching legislation (e.g. British Airways, H&M, and Marriott), it remains little more than a nascent idea that needs to be properly funded and built out.

This is because the legislation requires organisations to self-regulate to report their own breaches and offences to the Information Commissioner’s Office (ICO), who will enforce the regulation. However, who is checking whether an organisation is still GDPR compliant, three years hence? Who is responsible for providing the GDPR rubber stamp? How official – indeed effective – is self-regulation? 

Where’s the GDPR kitemark?

Where, for example, is the kitemark or industry standard, from the likes of the BSI or the ISO equivalent, to reassure consumers that their data is being managed in a way that is GDPR-compliant? When visiting websites and using apps, organisations encourage us to accept cookies as a form of GDPR consent – but is this really acceptable in the consumer’s eye? Is it really in the spirit of the legislation? 

Most people have become immune to cookie requests;  they generally click ‘Accept All’ to get to the online content they were looking for as quickly as possible.  More, therefore, needs to be done to introduce some GDPR kitemark or status of achievement (e.g. Bronze, Silver, or Gold GDPR compliance achieved), in the same way that there are different levels of PCI DSS compliance. This will help alleviate concerns experienced by some consumers and help organisations demonstrate that they are treating their customer data with the privacy it deserves.

Alongside this, over the past 12 – 18 months, more people have shifted their behaviour online because lockdown restrictions forced them to stay at home. They consumed films, played games and shopped online, among other things. Meaning: data shifted online at a pace, along with the heightened potential for data privacy breaches to occur.



Three years on, what has GDPR taught us? Arguably, not much. 

As it stands, self-regulation, a lack of some form of kitemark and, in truth, a lack of enforcement, are no help when it comes to providing confidence to consumers that their data is being treated in accordance with, not only the regulatory requirements of GDPR compliance but the data privacy ethics and values that underpin it.     

For more news from Top Business Tech, don’t forget to subscribe to our daily bulletin!

Follow us on LinkedIn and Twitter

Amber Donovan-Stevens

Amber is a Content Editor at Top Business Tech