GDPR - what is the state of affairs, post 25th May?

Nathan Baranowski

Cast your mind back to May 24th: ’twas the night before GDPR and all through the land, businesses panicked at their upcoming plans. Would training do the trick, did the new rules really stick? Would the ICO come down hard like a big ton of bricks? With one night to go, time had run out: no more meetings to raise any lingering doubts.


Finally, May 25th rolled around and GDPR took legal effect. For those who spent the last few years living under a rock only to resurface in June, GDPR is the reason you’ve been asked permission to collect cookies when visiting websites and why your inbox was inundated with emails about updated privacy policies.

Now that the dust has started to settle and businesses have had time to adjust to the new regulation, what progress have we made as a nation in protecting the rights of our citizens?

The bad news

In February this year, the Federation of Small Businesses (FSB) published a report that stated 90% of small firms were not prepared for the impending rule change. Come May 25th, this statistic hadn’t much improved. Reflecting on their findings, national chairman of the FSB Mike Cherry stated: “the likelihood is that many of the UK’s 5.7 million smaller businesses will not be compliant”.

Considering the well-publicised penalties for non-compliance with the GDPR, these figures are troubling to say the least. Having had two years to prepare, the number of firms still uncertain or even unaware of their new requirements is not only concerning, but somewhat confusing.

How did we get here?

According to Luther Teng, EY’s risk advisory senior manager, a large portion of the small businesses who were not “GDPR-ready” by May 25th were those that had prioritised certain aspects of the regulation over others in a struggle to complete everything on time. Rather than opting for a step-by-step or “clause-by-clause” approach, businesses focused their attention on the areas that seemed the most business critical. In doing so, they missed or misunderstood several key aspects of the regulation.

However, the complex nature of the legislation itself didn’t help things either. Despite the abundance of blogs, business lunches, conferences and workshops aimed at educating leaders, managers and employees on the matter, the simple truth is that the regulation left a lot of room for misinterpretation.

Based on general principles rather than stringent rules, GDPR shape-shifted with each business’ interpretation of its aim: some falsely believed it was the end of their marketing altogether while others wrongly thought GDPR didn’t even apply to them due to their country of residence. As the clock ticked down to the GDPR deadline date, small businesses naturally found themselves clinging to the principles they at least understood to be important and parked the rest. 

The silver linings

Since May 25th, the impact of GDPR in practice has been hard to miss: from the tsunami of privacy policy emails begging contacts for consent to the creative pop-ups warning of cookie collection, it’s clear that thousands of companies took heed of the warnings - if anything, a little too much. Caught up in the panic generated by media reports regarding crippling fines, many businesses will “over-comply” - then again, there’s nothing wrong with being vigilant.

Already, GDPR compliance is acting as a competitive advantage for firms who have demonstrated a commitment to data protection. Of course, this comes as no surprise: good behaviour builds trust. Those who understand that GDPR is not a deadline, but a fundamental part of the business’ core strategy will naturally be favoured by customers over those who lag behind on regulatory compliance. Since the date of enforcement, this has been illustrated by the number of GDPR-focused supply chains who have retained and won contracts over their non-compliant counterparts.

Now that the initial panic has subsided, companies have the chance to turn a compliance burden into a competitive edge - but first, they must ensure their workforce is equipped with experts to champion the cause and leaders to weave data protection into the fabric of the company strategy. As cyber-crime becomes increasingly prevalent and headlines of high profile data breaches fill the news, the real winners will be those with a strong defense.

At ojo solutions, data and information security are a core focus. We help firms maximise the value from their technology investment and help drive digital transformation undertakings from the ground up. Get in touch with us today and find out how we can help you.

