Alex Ha Kyung Kim provides an update on the key developments in regulatory guidelines and enforcement actions, sharing key takeaway points and his outlook for the near future.


Emma Bufton: Hi everyone my name is Emma Bufton and I am a Senior Associate at Gowling WLG and I also co-chair ThinkHouse Foundations, a network for inhouse lawyers at the start of their careers where we provide tailored training, development and resources for lawyers up to five years PQE.

At our most recent ThinkHouse Foundations event, Alex Kim, an Associate in our Commercial, IT and Outsourcing team, gave an update on GDPR and where we are now just over a year after the new legislation came into force. So Alex, firstly, what trends have you come across in the first year since GDPR came about?

Alex Kim: Well, the ICO's report titled, GDPR One Year On, published at the end of May this year, provides a very useful illustration of how the world has reacted to this new law. For example, the ICO received over 470,000 contacts from businesses and individuals in 2018 to 2019. This is a 66% increase from the previous year showing a clear heightened interest in GDPR. Also there were approximately 14,000 breaches reported to the ICO by organisations; a significant rise from the previous year which was 300,000, however, only 17.5% of these notifications actually required action from organisations. On one hand, this means organisations are proactively taking action to comply with GDPR's breach notification requirements. On the other hand, the low percentage requiring action does show that organisations are finding it difficult to assess whether a breach should be reported or not.

Emma: Thanks Alex, that is interesting. So GDPR has not been ignored since it came into force. Actually, the very opposite seems to have happened. Did the ICO have any comments about complying with GDPR going forwards?

Alex: In a separate blog post which was released on the same day as the One Year On report, the Information Commissioner, Elizabeth Denham, did make some interesting remarks. The one to note is where she said, "The focus for the second year of GDPR must be beyond baseline compliance, i.e., organisations need to shift their focus to accountability with a real evidenced understanding of the risk to individuals in the way they process data and how those risks should be mitigated." In practice, this means organisations should be reviewing their accountability programme. This includes, just to name a few, making sure that the records of processing is up to date, the general data protection policy is in place and training is regularly rolled out to staff. The Commission also remarked that a well-supported and resourced Data Protection Officer is fundamental to GDPR compliance.

Emma: Ok, got it, thanks. I guess one of the key questions with the introduction of any new law is how it is going to be enforced. We saw in the lead up to GDPR, headlines about the massive fines companies, who are in breach, can expect. Has the ICO carried out any enforcement actions which people should know about?

Alex: I think everybody has been waiting for that big statement-making action. Strangely enough two big announcements from the ICO came in one single week in July this year. One against British Airways and another against Marriott International. Both companies had the same underlying issue. Their security systems were deemed to be inadequate and this had reportedly resulted in unauthorised disclosure of customer data. The size of the fine is what caught people's attention. £183,000,000 for British Airways and £99,000,000 for Marriott. One thing to point out, these are not final fines imposed by the regulator. These are all a notice of intent to fine meaning that British Airways and Marriott can present their arguments to defend their positions. I will be keeping a very close eye on how these actions progress.

Emma: It is difficult not to mention the "B" word at the moment. Can you give us a bit of a steer on what impact Brexit might have on GDPR?

Alex: Well, the good news is even with a no-deal Brexit the data protection laws in the UK will remain the same. The government has confirmed that GDPR will remain UK law which means all the effort that organisations have put in so far, and are continuing to put in to this day to comply with GDPR, that has not been a waste of time. The issue to watch out for is international transfer of data. In a no-deal Brexit, transferring data from the EU to the UK is likely to require putting in place certain appropriate safeguards, most commonly, in the form of the model clauses. So, our recommendation for UK companies that do receive personal data from the EU is that they should start identifying the details of such transfers as a way of preparation for a no-deal Brexit. Thankfully, it does not seem like the transfer of data from the UK to the EU will require any additional measures by companies for the moment. The UK government has clarified as such.

Emma: Thank you, Alex, for those insights which I hope everyone listening has found useful. If you do need any further guidance on anything raised in this podcast then please do not hesitate to contact Alex direct. Thank you.

Alex: Thank you.

Read the original article on

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.