GDPR One Year On

GDPR One Year On – what was the hysteria about?

Crystel Rynne HRLocker Blog

The arrival of GDPR last year caused quite a stir across companies of every size. It came in like a silent partner which then waged an all-out war on every possible piece of information that may have been considered as ‘personal data’. All common sense was thrown out the window and CTOS, CFO’s and CEOs alike were left quaking in the corners of their offices while their GDPR consultants tore rosters off the wall, password protected filing cabinets and sacrificially burnt anyone that might cause a data breach. GDPR consultants were hired and Data Protection Agreements were drafted for all systems, contractors, cats and dogs alike.

On the morning of the 25th of May 2018, people casually sauntered to work pretending that they weren’t afraid of what was waiting for them – what would this GDPR monster look like? Would they be able to login to their computers? Were they able to text co-workers to meet for lunch or was that going to be seen as a data breach? Were we all going to be dragged before our Data Protection Officers and brought to the slaughter? The fear was palpable… and then the days and week just continued on. One year on and what has really changed in our businesses?

GDPR instructs organisations who are collecting personal data to ensure that the data is gathered legally, kept securely and only for as long as needed. Ultimately, the data collector is responsible to keep your data safe, only use it for the intended use and not to exploit it. With the introduction of GDPR came the power for companies to be issued with fines if they were found to be mishandling personal data.

Here are two examples of personal data processing that might make it clear to you:

Example 1: Cambridge Analytica used the personal data from Facebook users’ personality tests to create voter profiles and in turn advertised politically motivated messages to them –  this is a bad use of data as this was not the intention that the user had when giving their data.

Example 2: A company processing and securely storing an employee’s bank details for payroll, this is the intended use of the employee’s data as the employee wants to get paid, which makes this a good use of data.

So, what have we learned a year on and what was all the fear about? We have learnt that the postal service has removed all rubbish bins from their post offices in fear of a data breach, that visitor books and condolence books are apparently a cause for GDPR concern as well as poor Santa’s list. All this knowledge unfortunately does not help me or anyone run a company!

Fear is ultimately bred out of the unknown, and that is what GDPR is: it is a 56,000 word piece of legislation that struggles to give clear direction and definitions to companies. Companies are struggling to define the essentials such as what defines ‘personal data’ and what their basic responsibility is under this new legislation.


Don’t be afraid! Why not BOOK A CALL and let us know what you need.


If you have not read the 261 pages of the GDPR article and are not really sure what your company should be doing about GDPR – don’t panic. I’ll tell you the core of what this mammoth document is telling you to do:

1)    Assess what data your company is collecting, this includes all your employee data, your customer data and your marketing data. Ask yourself why are you collecting it? If you don’t know why, it’s quite simple – stop doing that immediately!

2)    Look at the data that you need to be collecting and review the policies that you have in place. If you have a reason for collecting it you need to create a policy that makes sense, both for your company and GDPR.

3)    You need to ascertain if you are a processor or a controller of the data you are collecting, and the purpose is for the information. Policy is key here, there are certain things that you are required by law to retain for a predefined period, for example financial information, payslips, invoices. But for every piece of personal data that you are keeping, ask yourself – why am I keeping this and how long do I need to keep it for? For example, If an employee has left your employment – do you need to retain their photograph on file? If you do – why? Creating a policy around your data storage, retention and processing is your number one priority and the key to becoming GDPR compliant.

4)    Privacy by design and default is the essence of GDPR – write it down, put it up on the wall, burn it into your mind. But what does it mean? To put it in simple terms, any action that a company takes when processing or collecting personal data must be done with data protection and privacy at the centre, it cannot be an afterthought. Data protection and privacy must be at the core of every process, procedure or policy that you do in your business.


I am by no means dismissing or devaluing the significance of GDPR. What GDPR has done is bring the EU’s data protection legislation into the 21st century, but ultimately the fundamentals of data protection have not changed. Privacy by design is not a new concept, this has always been a part of the data protection laws.

Companies who were selling data and passing on information to marketing agencies without users’ consent were in breach before the 25th of May 2018. If a company sent the wrong employees’ payslip to an employee, this was a data breach before the 25th of May 2018. Regardless of the unnecessary mass hysteria that GDPR has brought there have definitely been some positives. GDPR has brought an awareness to the amount of unnecessary personal data organisations are and were retaining, it has forced individuals to understand the importance of their personal data and it has also brought responsibility. Regardless of whether you are Mark Zuckerberg or Bill Gates, as a company owner or leader you have an obligation to ensure that any personal data that your company is storing is secure and necessary. It is no longer possible for people to plead data ignorance.

Its really important to remember that taking responsibility for Data Integrity is not just down to IT. Being proactive and on-the-ball with who you keep information on, what detail you choose to retain (and for how long), where and who you store data with – and why – is vital in any top-level discussions on the subject. (Some pointers for UK and Ireland.)

You may well need to adjust your budget or increase your resources to ensure you have your company covered and are not posing undue risk to your the organisation.

If you’d like to and out more or schedule an account review to make sure you’re getting the most from HRLocker then please BOOK A CALL with one of the team.





GDPR One Year On – what was the hysteria about? was last modified: August 22nd, 2019 by Crystel Rynne

Share this Post