GDPR: Has Anything Really Changed?

One year on from industries around the globe collectively messing their delicates in the run up to May 25th 2018, the General Data Protection Regulation came into force.

Desks enjoyed fancy new GDPR Auditor roles.

Data Protection Officers were brought in or appointed.

There was a tonne of training rolled out to staff in virtually all disciplines.

And you could define a Processor or a Controller without even thinking about it.

Then there was the rabid flurry of emails from companies we hadn’t heard from in years, mailing lists we couldn’t remember signing up to, various entities claiming to care about your privacy…”

That all went on for a few weeks and then…



So what happened?

Was GDPR the millenium bug of its day? A lot of fuss over a damp squib? Or has it done it’s job and we’ve not really noticed?

I wrote about GDPR in the run up to it coming into force. Call me a massive policy nerd if you like (I’m actually a regular sized nerd) but there’s something about the threat of a 20 million euro fine that’ll pique my interest.

So I thought it’d be fun, or at least useful, to look back on a year of GDPR, to see whether the furor was justified. And crucially, whether it’s actually done anything.

Last year, I made a number of bold predictions. Including one on the subject of €20M fines:

“I reckon it’s between recruiters and the insurance industry to see who cocks up first. And I just have this feeling that the first to do so will be made an example of…”

On this, I’m happy to hold my hands up and say I got it wrong.

Turns out big tech had everyone over a barrel before we knew what was happening.


There’s been a couple of big scalps:

Facebook were fined half a million pounds. Mere pittance to Zuck and chums. But it came off the back of a handful of data-misuse cases and knocked several billion pounds off the company’s princely valuation.

Agencies with Facebook as a client must have been reeling.

To put it in perspective, the maximum fine of 4% turnover would work out to about £1.5 billion for FB.

More recently, Google was dealt an absolute whopper: €50M. Much larger, admittedly, although only representative of about 0.4% the big G’s total valuation.

This was, according to French regulator CNIL, due to “lack of transparency, inadequate information and lack of valid consent regarding ads personalisation”.

And the Facebook thing was because they “processed the personal information of users unfairly by allowing application developers access to their information without sufficiently clear and informed consent…”

A lack of transparency. Inadequate information. Processing personal information without consent.

Scroll through LinkedIn and you’ll find a rant or two about Recruiters for the very same reasons. And if you think recruitment’s exempt from this kind of thing, that it’s only something massive tech companies have to deal with, think again:

Our number one commodity’s data. And we’re subject to the exact same rules.


Since GDPR, over 200,000 cases were reported to authorities. Almost half were complaints. About a third involved breaches of data.

Recruiters are more active in their candidate’s lives. In part because something like a CV is a treasure trove of valuable data. And languishing on a database represents either a missed opportunity or a potential breach.

Consumers in general, ourselves outside of recruitment included, are more aware of our responsibilities as both Subjects, Controllers and Processors of data.

And both candidates and clients are more selective of the agencies they choose to represent them.

But what else has come of it?


Job Creation

I mentioned GDPR specific roles, which means GDPR desks.

An increased number or reports lodged regarding data breaches mean the number of incidents has sprung up recently. The Irish Data Protection Commission’s grown four times in the last few years. And as data forms more of a part in our daily lives, you can only expect to see this increase.

Until they get robots to do all the work for them.

Privacy By Design

This was something set out in GDPR which hasn’t necessarily been uptaken with the vigour the regulation encouraged. Privacy by design means data security’s something that has to be built into systems by default, rather than packaged as a nice-to-have add-on.

Raegan MacDonald, Head of EU Public Policy at internet company Mozilla told The Next Web:

“Many companies appear to be interpreting GDPR as narrowly as possible. I’m concerned that privacy is still by default put at risk without users understanding or having meaningful control”

MacDonald mentions a ‘grace period’ ending in 2019, where companies will have to start taking this measure seriously. Or risk being caught.


Didn’t think you’d get to the end of an article on a piece of EU legislation and have this not come up did you?

Last year I said:

“If and when Brexit finally goes ahead then GDPR may not even apply. Because it’s EU legislation, there’s no obligation for the UK to retain it, post-Brexit, currently scheduled for April 2019”

Although given the extent the UK government and the ICO were involved in GDPR, it was always likely we’d come up with homegrown regulations that very closely resemble it anyway.

Enter the Data Protection Act of 2018 (superseding the DPA ’98, that old chestnut).


Data Protection

Recruiters have always been protective over the data of the people they do business with.

How often have you given your best client’s number out?

You won’t tell your candidates who the client is until the blood’s dried on their NDA.

I don’t know a Recruiter who wouldn’t forcibly blind someone – a colleague, friend, or otherwise – if they even caught a glimpse of some of the more rogue emails they send to clients.

Which sounds harsh. But Recruiters have always taken protecting data seriously. And long may it continue.

It’s our number one commodity. And we’ve always had a vested interest in safeguarding it. Which is one reason our candidates leave the recruitment process happy and we with a fee.

Has GDPR worked?

I’d argue GDPR’s been a success. In part because it’s reset expectations regarding data ownership. The onus of control’s firmly in the subject’s hands. And that can only be a good thing in the Digital Age.

GDPR’s also holding big firms to account. Financially, for a change.

Although there’s still a job to do. Diligence is an ongoing effort. And a recent Hiscox survey revealed almost half of SMEs don’t know who GDPR affects.

As we reach the big G’s first birthday, it’s worth considering the big fines levied at Google and Facebook may well have been used to make examples of the highest profile wrong-doers.

Entering year two, and GDPR might start showing less tolerance across the board. A lot of reports say the first year’s been a ‘transition year’, and more about ensuring compliance than enforcing fines.

Not something to risk, either way.