GDPR – A Year On and Has Much Changed?

It is hard to believe that almost a year has passed since GDPR.  This time last year with the 25th May and GDPR looming, companies were worried if they were going to be compliant with the new regulations. GDPR was everywhere you looked, no one was entirely sure what it would look like, and there was a sense of panic in the air.

One year on, what has changed? Has GDPR been as scary as we first thought?

After speaking with some clients, I think it is very much industry dependent.  Those who deal with large amounts of data on a day to day basis have found GDPR to be positive. They are more conscious of what they are doing with personal data and have tightened up their current processes.  Some have even said that they are glad there is no longer a charge for a DSAR (Data subject access request) as they used to find it difficult explaining why customers would have to pay to get their personal information.

Subject Access Requests

There does however seem to be some confusion around a subject access request.  There have been instances where companies had advised individuals they need to make the request on their form or in writing.  This isn’t the case as there is no prescribed format to request a DSAR, if someone verbally asks for their information then this is still a request and must be dealt with.

Also, there is still confusion around what information should be sent in a DSAR. For example what if you have an employee who has been with you for ten years?  Does that mean you have to post every single email, letter, memo with their name on?

All of these questions should be addressed and reflected in the process.  Some have said that the reduction in the timescale from 40 days to 30 has also helped as they ensure that they are dealt with straight away rather than last minute.  It is important to revisit all of your policies that were introduced this time last year and ensure that is what is happening in your business.


One of the significant changes from GDPR was consent and the change in definition.  Consent has to be given freely, which means that it can no longer be in a contract as there is an imbalance of power, so is unlikely to have been ‘freely given’.

Also due to the amount of press GDPR received last year, more people were aware of their rights and are asserting these which has led to an increase of around 27%  in the number of complaints received by the ICO, alongside more breaches reported by businesses.

The ICO is now in a backlog with these cases as they do not have the resource to deal with the increase.  Although my advice would be not to bury your head in the sand and think that the ICO is only going to go after the big companies like Google and Facebook, it’s best to learn from their mistakes and ensure you are falling foul to the same errors.


So a year on, how do you feel about GDPR? Do you feel more knowledgeable about the regulations and how these fit into your business or are you as confused as ever?

Do you want your business to be GDPR complaint and ensure your data protection processes are prioritised in the future?

At Altum HR we can help you review your processes and do a full contract and handbook review to ensure that the necessary changes have been made and that you are compliant.

We can also help you create any templates that you may need while introducing any changes you might need to make.

We’d be happy to answer any of your GDPR related questions and ensure you are in a much better position than when you started and leave you feeling more knowledgeable and secure on the whole subject.

Get in touch for your free 30-minute consultation to discuss how we can help you ensure you know what you need to do, and how to do it now that the dust has settled with GDPR.

This blog was written by Michelle Miller, HR Consultant and our resident GDPR expert!

Subscribe to Our Newsletter!

Get in touch!