GDPR: All bark no bite, three years on


Three years ago today, the General Data Protection Regulation (GDPR) was introduced as part of EU law on data protection and privacy. However, on its third anniversary, Russell Loarridge, Director UK of ReachFive, argues that the regulation is all bark and no bite.

It has been three years since GDPR legislation came into effect on May 25th 2018. Although setting up GDPR was an excellent move to enable EU – and UK – citizens to gain more control over their data, three years on and this dog is still all bark and no bite. At this stage, despite the hefty fines imposed on some firms for breaching legislation (e.g. British Airways, H&M, and Marriott), it remains little more than a nascent idea that needs to be properly funded and built out.

This is because the legislation requires organisations to self-regulate and to report their own breaches and offences to the Information Commissioner’s Office (ICO), which enforces the regulation. However, who is checking whether an organisation is still GDPR compliant, three years hence? Who is responsible for providing the GDPR rubber stamp? How official – indeed effective – is self-regulation?

Where’s the GDPR kitemark?

Where, for example, is the kitemark or industry standard, from the likes of the BSI or the ISO equivalent, to reassure consumers that their data is being managed in a way that is GDPR-compliant? When visiting websites and using apps, organisations encourage us to accept cookies as a form of GDPR consent – but is this really acceptable in the consumer’s eye? Is it really in the spirit of the legislation? 

Most people have become immune to cookie requests; they generally click ‘Accept All’ to get to the online content they were looking for as quickly as possible. More, therefore, needs to be done to introduce some GDPR kitemark or status of achievement (e.g. Bronze, Silver, or Gold GDPR compliance achieved), in the same way that there are different levels of PCI DSS compliance. This will help alleviate concerns experienced by some consumers and help organisations demonstrate that they are treating their customer data with the privacy it deserves.

Alongside this, over the past 12 – 18 months, more people have shifted their behaviour online because lockdown restrictions forced them to stay at home. They consumed films, played games and shopped online, among other things. As a result, data shifted online at pace, along with a heightened potential for data privacy breaches to occur.



Three years on, what has GDPR taught us? Arguably, not much. 

As it stands, self-regulation, the lack of some form of kitemark and, in truth, a lack of enforcement are no help when it comes to giving consumers confidence that their data is being treated in accordance with not only the regulatory requirements of GDPR compliance but also the data privacy ethics and values that underpin it.


Amber Donovan-Stevens

Amber is a Content Editor at Top Business Tech
