
Life Before and After GDPR


This month marks the one-year anniversary of the General Data Protection Regulation (GDPR).

The introduction of the GDPR saw a root and branch reform of the way in which UK businesses gather, store and process personal data. Many businesses thought that the GDPR would be the new millennium bug – thankfully it was not.

Before the GDPR, unless they were in the business of buying and selling data or were handling large volumes of sensitive data, businesses were largely oblivious to their legal obligations in relation to dealing with personal data. At most, for many, an annual application would be made to the Information Commissioner’s Office (ICO) for an appropriate registration and certificate.

The GDPR, also known as the Data Protection Act 2018, saw mixed responses from UK businesses when it came into force on 25 May 2018. Some took a sensible, measured approach towards the oncoming legal changes, sending staff on courses, appointing a Data Protection Officer and reviewing their internal practices and procedures. Others adopted a more laissez-faire approach, or simply did nothing.

Since the new Act came into force, a smattering of high-level ICO prosecutions has hit the news headlines. However, what is not widely reported is that many of those have been under the old data protection rules, having already been in the system when the new Act came into force.

In addition to the headline-grabbing cases, there have been some interesting lower-level prosecutions involving individuals. When individuals are subjected to prosecution and fines, people are much more likely to take notice and examine their own practices than when they see huge data breach fines for large multinationals.

Post GDPR, generally speaking, it appears that the majority of businesses are being more responsible in the way that they gather, store and process personal data. Many businesses have used the GDPR as an opportunity to get their house in order in relation to how they deal with personal data.

Since the new Act came into force there has been a variety of guidance released from the ICO in relation to a range of issues. Going forward, more is expected, particularly in relation to the use of the “legitimate interest” ground for processing personal data.

There is also a lot of interest in how Brexit will affect GDPR – the outcome of that process remains to be seen. However, what we can be sure of is that our data protection obligations in England and Wales will at the very least remain the same. Businesses that want to continue to exchange personal data with their European counterparts will need to ensure that they stay on top of how they deal with personal data. It is important that they do not become complacent, otherwise they may find themselves being classed as “second-class citizens” in a post-Brexit data processing era.


Darwin Gray is a commercial law firm based in Cardiff. We are proud of our reputation for using a practical and solution-focused approach when helping our clients.

We have a strong team ethic, putting approachability, consistency and quality at the heart of everything we do. Your business will always be at the forefront of our minds, whilst ensuring you also receive excellent value for money.

We specialise in a number of commercial areas, including:
– Commercial Property
– Franchising
– Corporate and Commercial
– Employment and HR
– Intellectual Property
– Social Housing
– Data and Data Protection
– Dispute Resolution
– Insolvency
– Construction

Our work reflects our values; we are genuinely friendly people who are approachable and accessible to our clients. The Darwin Gray approach is thorough and careful, but we are also known for reacting quickly when it matters and providing creative solutions to whatever challenge our clients are facing, drawing on our rich and varied experience.

We endeavour to prevent problems as well as solve them, and would love to get to know you and your business.

