GDPR: One year on.

Nearly 60,000 breaches were reported during just the first eight months following implementation of the GDPR, read on to see if your processes in place?

About the author

+44 (0)20 7556 1453

The General Data Protection Regulation (GDPR) came into effect in May 2018 and is the governing legislation for collecting and processing personal data in the EU. Your HR function should play a contributing role in making sure that everyone in the organisation understands how important data protection is and what employees’ responsibilities are. Twelve months on, many firms are still finding the regulation a challenge and still do not have processes in place. In this article we navigate you through a checklist to see if you have the basics in place.

GDPR creates greater, more uniform data privacy protection for all residents in the EU. Under the legislation, the penalties for breach of the GDPR can lead to a maximum fine of €20 million or 4% of a firm’s annual global turnover, whichever is higher. One of the principle goals of GDPR, is to encourage transparency, which means organisations are now required to disclose how they are collecting, storing and using their employees’ information and they must do so in a way that is clear and simple.



When GDPR was first introduced, as a team we sensed there was a sense of panic faced by our clients around potential penalties. Some put in place tactical plans and implemented policies and procedures in a bit of a rush. Most of them would not have been fully compliant even after putting these in place, as we witnessed through audits, there was so much to do. Implementation of GDPR by itself is not enough, GDPR compliance is a continuous process; it needs to be audited frequently to understand what the organisation has achieved and where improvements still need to be made. Employers also need to embed GDPR into every employee’s (who deal with personal data) way of working.



Across Europe, nearly 60,000 breaches were reported during just the first eight months following implementation of the GDPR and the Information Commissioner’s Office released details of some enforcement action they have taken in relation to these breaches. These breaches include deliberate avoidance of data protection obligations, people not being aware of their responsibilities and simply not understanding the seriousness of a breach. 



Employers need to ensure ongoing staff training is a priority to meet their data protection obligations. This not only applies to existing staff, but training needs to be delivered to new employees and those that have been promoted to ensure they understand the data protection implications of their new role, and how the employer uses data.

Data Subject Access Requests

Data subject access requests

The introduction of GDPR saw an immediate rise in data subject access requests (DSARs), due to increased awareness and no charges. Only a third of organisations currently comply with requests and fulfil DSARs, within the legal timeframe of one calendar month from receipt of the request. 

Subject access requests no longer need to be made in writing. Organisations should enable requests to be made via telephone, webform, social media or in person. Requests also do not even have to use the term - “Data subject access request”, the request just has to be clear that the individual is seeking their own personal data. It is therefore vital that employees who have customer or client contact know how to recognise a DSAR and how to action the request. 

GDPR is a piece of very complex legislation and is an area that will continuously evolve, especially in this political climate. With this in mind, you should start thinking about whether your organisation is GDPR compliant?

Get in touch

Questions to help you establish if you have the basics in place:

  • Have you audited your GDPR practices?
  • If so, do you know if the required processes are in place and frequently reviewed?
  • Do all of your employees who have access/process personal data understand GDPR policies and processes?
  • Have you got a DSAR process in place?

If you are unsure whether your organisation has any of the relevant processes in place, please get in touch with the Buzzacott HR Consultancy team.

Please verify yourself above.
Please complete all required fields above.