GDPR’s surprises and shocks, so far

Later this month GDPR is a quarter of a year old. Before it came into force the hype said big shocks were in the pipeline – so far, the biggest shocks relate to what countries outside of the GDPR region have been up to, or indeed, not up to.

For consumers, the data subjects themselves, the ones who are supposed to benefit the most from GDPR, the biggest shock so far relates to how difficult it is to move without bumping into a privacy agreement.

It is coming up to three months since GDPR became enforceable. Predictions that GDPR would be like the millennium bug always were absurd. Even the most pessimistic of doomsayers conceded that the millennium bug would be an instantaneous thing – as the clocks struck and the new millennium dawned, they warned computers would start crashing. In Europe, we already knew it wasn’t going to be like that during the last few hours of December 31st 1999, because nothing like that had happened in time zones that had already passed into the 21st Century. GDPR, by contrast, was always going to be on a long burner. If its purpose is to stop the emergence of an Orwellian state, then it’s a purpose that will always be with us.

Privacy policies are a different matter. If GDPR is about creating trust between data subject and controller, then the fact you can no longer view content on a website without clicking boxes on privacy policies you won’t read, is not going to support that trust.

Privacy by Design may be the eventual solution – services that have privacy considerations built into the core. Until that day when Privacy by Design is an accepted practice, it will be hard to say whether GDPR is working.

Steve Wright, Data Protection Officer and Information Security Officer at The John Lewis Partnership, told us that he thought “people are probably signing up to privacy policies purely out of frustration, they scroll down and say ‘just get out of the bloody way,’ and we may have just frustrated someone just to appease the compliance department.” But he says there is something bigger at play: “as consumers, we have to go in eyes wide open we have to be savvier, but we are at the beginning of a journey that we will get smoother. It will get more integrated.”

So, that’s the first two shocks and they interconnect. Consumers had the shock of finding a new barrier to their website browsing, and we need to give GDPR time – it’s the antithesis of the millennium bug, in that respect.

The biggest breach shock was not a breach, apparently – at least Mark Zuckerberg said it was a breach of trust, not data. But it occurred before the GDPR came into force. The Facebook/ Cambridge Analytica saga brought home to people how data could indeed take us towards an Orwellian state. It was the perfect backdrop to introduce GDPR to the world. Poor PR has meant that this raison d’être of GDPR has not sunk into the public’s consciousness yet. Facebook was fined, of course, a shockingly small £500,000, but the subtlety was lost. The fine was so small because it related to an incident that occurred before GDPR came into effect.

Almost as big a shock relates to US indifference – sure certain states such as California are bringing in GDPR light, but the US government is not for turning. Instead, the US Commerce Secretary, Wilbur Ross, suggested that GDPR is just a weapon being used by the EU to fight a trade war – may be an Orwellian future is the price Europe must pay to keep Uncle Sam happy.

Meanwhile, China is introducing a social credit system – you get points by behaving as a good citizen, by being responsible and not doing unreasonable things like criticising the government.

US Senator, Bernie Sanders called data a threat to democracy – but since China does not believe in democracy, there is maybe no shock in the news of its social credit system, it is still shocking.


The inaugural Data Protection World Forum (DPWF) will be held on November 20th & 21st 2018 at the ExCeL London which will provide a broader focus across the data protection and privacy space amidst the progressive tightening of global data protection laws.

Ahead of the end of year event, DPWF has launched a series of intensive workshops.

Further information on the DPWF and workshop details are available at: https://www.dataprotectionworldforum.com/