Year One Under the GDPR

Now that the GDPR has been in force for a year, the importance of personal data is becoming clearer to many people. Awareness of individuals’ data rights, the laws regarding them, and the regulator’s role in enforcing the law is growing. We conducted research and found a significant increase in the number of people expressing high trust and confidence in the way their personal information was being handled by companies and other organisations. In July of 2018, that figure stood at 34 per cent; a year before, the figure was just 21 per cent. The ICO also conducted a survey of DPOs in March, and roughly two thirds (64 per cent) agreed that more customers and users had exercised their information rights since the GDPR’s adoption. (Note: all percentage figures above have been rounded to the nearest whole number.)

The ICO’s Your Data Matters Campaign has helped to spread awareness of data rights. The goals of the campaign are to foster a greater awareness of the GDPR’s enhancement of individuals’ data protection rights, inform people of how these rights can be exercised, and promote the availability of our data rights guidance products. Our promotional efforts have increased the number of unique visitors coming to our website by more than two million, or 32 per cent. We have even seen the rise of other compliance assurance services.

We have worked tirelessly to inform, assist, and support the public throughout the adoption of the GDPR. We have taken steps to assist both directly and indirectly. We have a range of different public-facing products and services available. Large and small companies have also taken advantage of the data protection tools and guidance we offer. We have also sought to increase public awareness of how personal information is handled by launching multiple transparency-seeking investigations into data processing practices.

Data Protection Officers

The strong effort to prepare in advance for the adoption of the GDPR encouraged many organisations to significantly alter the way they handled users’ data. Organisations took stock of their existing data-collection techniques, inventoried existing user data, documented data-handling procedures, and checked every step of their process to confirm compliance with the new regulations.

We consider the large number of inquiries we have received from individuals and organisations to be strong evidence of a greater interest in and engagement with data rights issues. The ICO helpline received nearly half a million contacts in 2018 & 2019. This represents a 66 per cent increase over the same period last year. GDPR regulations and concerns have significantly increased the level of responsibility imposed on Data Protection Officers, or DPOs. Normalising the new regulations and ensuring compliance wherever possible has been a significant focus for DPOs in the past few years.

The ICO surveyed DPOs in the course of the DPPC 2019. The majority of respondents reported receiving great support from their organisations. One of the most important challenges in the adoption of the GDPR is encouraging a compliant culture within organisations. This made it encouraging to hear from more than two-thirds of the DPOs we surveyed that the support they received from senior leadership was satisfactory or better. Over 90 per cent of DPOs reported that their organisations had created or updated accountability frameworks to work with the GDPR. 61 per cent of respondents said that understanding of the framework was well spread out across their organisations. Three-quarters of the responding DPOs felt that their senior leaders understood the information rights concerns they have raised and that they (the DPOs) had the support they needed to make these rights fixtures in their organisations.

This is impressive progress, particularly considering how little time has elapsed since the adoption of the GDPR. The job is far from complete, though, and maintaining positive momentum is essential. Fully understanding the new regulations’ impact and making the GDPR a fixture will take more time.


The ICO understands that GDPR compliance has been more challenging for smaller organisations, the sorts of bodies that might not have full-time DPOs on staff. Understanding the full legal ramifications of the GDPR takes time and expertise, and there is no cheap, quick fix to ensure that a small organisation is compliant. The new regulatory responsibilities are especially onerous for sole traders. This is why the ICO is making a full suite of compliance resources available through its website, including toolkits, checklists, FAQs, and podcasts.