Latest News

GDPR: All bark no bite, three years on

Written by Russell Loarridge, Director, ReachFive.

It has been three years since GDPR legislation came into effect on May 25th 2018. Although setting up GDPR was an excellent move to enable EU – and UK – citizens to gain more control over their data, three years on and this dog is still all bark and no bite. At this stage, despite the hefty fines imposed on some firms for breaching legislation (e.g. British Airways, H&M, and Marriott), it remains little more than a nascent idea that needs to be properly funded and built out.

This is because the legislation requires organisations to self-regulate, to report their own breaches and offences to the Information Commissioner’s Office (ICO), who will then enforce the regulation. However, who is checking whether an organisation is still GDPR compliant, three years hence? Who is responsible for providing the GDPR rubber stamp? How official – indeed effective – is self-regulation? 

Where’s the GDPR kitemark?

Where, for example, is the kitemark or industry standard, from the likes of the BSI or the ISO equivalent, to provide consumers reassurance that their data is being managed in a way that is GDPR-compliant? When visiting websites and using apps, organisations encourage us to accept cookies as a form of GDPR consent – but is this really acceptable in the eye of the consumer? Is it really in the spirit of the legislation? 

Most people have become immune to cookie requests;  they generally just click ‘Accept All’ to get to the online content they were looking for as quickly as possible.  More, therefore, needs to be done to introduce some sort of GDPR kitemark or status of achievement (e.g. Bronze, Silver, or Gold GDPR compliance achieved), in the same way that there are different levels of PCI DSS compliance. This will help alleviate concerns experienced by some consumers and, indeed, help organisations demonstrate that they are treating their customer data with the privacy it deserves.

Alongside this, over the past 12 – 18 months more people have shifted their behaviour online because lockdown restrictions forced them to stay at home. They consumed films, played games and shopped online, among other things. Meaning: data shifted online at a pace, along with the heightened potential for data privacy breaches to occur.


Three years on, what has GDPR taught us? Arguably, not much. 

As it stands, self-regulation, a lack of some form of kitemark and, in truth, a lack of enforcement, are no help when it comes to providing confidence to consumers that their data is being treated in accordance with, not only the regulatory requirements of GDPR compliance, but the data privacy ethics and values that underpin it.