CEO OF VIGILANT
adly, not what it
should have been.
The ICO has a
12 to 15-month
so it’s still dealing
action against breaches that happened
under the old Data Protection Act.
What we got was a big drive up to and on
May 25 where organisations tried to get
something like GDPR compliance in place
but in truth, from a regulatory standpoint,
very little has since happened.
Many organisations are going ‘well we
didn’t really need to do that, there’s no
fines, there’s no regulation so we’ll just
go back to what we were doing’, which
means a lot of them are in for a nasty
shock in a couple of months’ time when
fines and so on start appearing.
Apart from an increase in the number
of data breaches reported to the ICO
in the UK, both by data controllers
and through complaints from data
subjects, the reality is that I don’t think
we’ve seen any significant change in
I think most of the change is still to
come, and that the maxim ‘the GDPR is a
journey, not a destination’ will be proved
true over the next three to five years.
If you look at the ICO’s website, you’ll
see there’s new regulatory action being
taken every month, so it’s not as though
the ICO is not doing anything – it just
If a breach is reported on May 26 2018,
there’s no way you’ll get a decision and
a fine much before June 2019, because
the Information Commissioner has a
backlog of investigations.
She must decide which ones to
investigate and the ICO itself has a
relatively small team so there’s a lot of
organisations she doesn’t have time to
investigate. She has to find out the truth,
negotiate an outcome, issue it – and all
that takes time.
I think most of the
change is still to
come, and that the
maxim ‘the GDPR
is a journey, not a
destination’ will be
proved true over
the next three to