‘The GDPR: One Year On’ - looking back on the GDPR, what have we learnt and what should we focus on going forward – Part 2

‘The GDPR: One Year On’ - looking back on the GDPR, what have we learnt and what should we focus on going forward – Part 2   


In part one Laura gave us an overview of the GDPR, reminded us of the lawful bases for it and discussed the discrepancy between what was thought would happen post-implementation, and what actually occurred. Here she explores some of the key developments and shares what we can expect in years to come. 

Key developments

Some of the key developments since the GDPR’s implementation can be categorised as follows:

  • Individual’s rights requests
  • Personal data breaches
  • Consent and transparency

 Individual rights requests

Individual’s are now more aware, but organisations are not responding in the correct way. The new individual rights brought in by the GDPR are:

  • Right to erasure (aka the right to be forgotten) e.g. with dating apps like Tinder there has been disputes around how long they can store old conversations
  • Right to restriction
  • Right to portability
  • Right to object
  •  Right not to be subject to automated decision-making

With this in mind, organisations need to be more vigilant in preventing individual rights breaches. Laura suggested the following actions, to:

  • set-up effective communication channels
  • clear internal policy and procedure
  • operationalise the policy and procedure: educate and test – you need to test your policies i.e. how can you make sure they’ve been read? This could be done by delivering them in bitesize training, arranging drop-in sessions, and arranging a test to learn from and inform your next step in this process
  • use external counsel – it may be better to outsource due to the sheer volume of work that the GDPR creates and to obtain expertise
  • Record action taken
  •  future review

Personal data breach

This is defined as a breach of security leading to the accidental or unlawful destruction, loss, alteration unauthorised disclosure of, or access to personal data which is transmitted, stored, or otherwise processed. Hence, this can be more than just a rogue e-mail, it can include something broader like access to HR files.

For the process of reporting a data breach, see diagram below:



Of these breaches, most of them have been unauthorised disclosures. For example, Marriott International

Subscription Form

Related Articles:
Latest Articles:

Already a subscriber? Login
RELX (UK) Limited, trading as LexisNexis, and our LexisNexis Legal & Professional group companies will contact you to confirm your email address. You can manage your communication preferences via our Preference Centre. You can learn more about how we handle your personal data and your rights by reviewing our  Privacy Policy.

Access this article and thousands of others like it free by subscribing to our blog.

Read full article

Already a subscriber? Login

About the author:

Claire is a paralegal is the LexisAsk and Commercial and Sectors teams at LexisNexis teams. She previously did a law conversion at BPP Law school and plans to study the LPC latterly. She is an English literature graduate and hopes to combine her studies by pursuing a career in the IP sector.

Claire is a keen member of the LexisNexis Singers and practices with them weekly. Outside of work, Claire is a keen hockey player and cyclist and brings this energy into everything she does in her job.