The introduction of the General Data Protection Regulations (GDPR) in the UK and EU was hard to ignore. Every business in the EU was forced to reevaluate the ways in which they collect, process and store personal data.

But what has changed since it came into effect in May 2018?

Fines and data breaches

The scare-factor of the GDPR was the size and impact a fine could have on businesses, particularly SME’s. Infringement of the GDPR can result in administrative fines of up to 4% of annual global turnover or €20 million – whichever is greater.

In the last year alone we’ve seen the ICO hand fines to the likes of Google (£57m), Uber (£385,000) and Facebook (£500,000) over legacy data breaches.

According to The Register, European data protection agencies have issued fines totaling €56m for GDPR breaches since May 2018. In the first nine months alone, there were 206,326 cases reported in 31 countries across the EU.

However, the GDPR does recognize that small businesses are different to larger enterprises. Article 30 of the GDPR states that businesses with less than 250 employees don’t have to keep the same records as larger enterprises – although there are a few stipulations which businesses probably should follow regardless of their size.


Another piece of news that’s been hard to ignore is Brexit. In June 2016 the UK voted in the referendum to leave the EU.

The GDPR is an EU regulation, so will we still have to comply with it?

Short answer – yes. After the UK leaves the EU, any UK business that processes or collects the data of EU citizens will have to comply with the GDPR. It was also made a part of the law in the UK, forming part of the Data Protection Act 2018, which means that even if we leave, you’ll still need to comply.


The aim of the GDPR was to give individuals more control and visibility over their personal data and how it’s collected, processed and stored by organisations. Cracking down on consumers being tricked into sharing their personal details.

The Right to Access allows data subjects (consumers) to confirm with organisations what information about them is being processed and for what purpose – free of charge. This means that all businesses need to make sure they collect and process data in the right way. Ensuring that information collected is used for a legitimate purpose (and that they can prove it).

To prepare for the GDPR many businesses had to reach out to their customers to re-confirm their consent which saw databases shrink dramatically. The organisers of the Henley Festival saw their database shrink from 24,000 to 8,000 and worried that it would affect their sales and engagement.


The biggest change we’ve seen post-GDPR is awareness. Every entity, whether it’s an organisation, charity or individual has a newfound understanding of the importance of protecting our personal data.

Organisations are bound by the GDPR to be more conscious of the data they handle, and individuals are encouraged to ask more questions before they willingly hand over their personal information.

The impact of the GDPR has been felt worldwide. Any country that now processes or collects the data of individuals that live in the EU is required to comply with the GDPR by law. There is now no excuse for businesses not to be transparent about the way that personal data is used.

Worried about being compliant? All our formation packages come with Legal Plan – our subscription-based legal service for small businesses. So, whether you need to speak to somebody about compliance, or another legal issue you can talk to a qualified professional at an affordable price.