All posts

The GDPR State of Play


The Countdown to Compliance

In less than a year’s time we’ll all be waking up and the world will be a different place. It will be a Friday, with the bank holiday weekend ahead, the summer will be about to start and we’ll all have more rights and control of our personal data. We’ll also have to be more responsible about such data that we ourselves hold and we’ll have had, in the eyes of the policy makers, plenty of time to get to grips with that. It will also, in the UK at least, probably be raining!

That day of course is the 25th May 2018 – the day in which Regulation 2016/679 or more commonly known as the General Data Protection Regulation (GDPR) becomes enforceable. There have been many whitepapers, articles, opinions on this subject as well as a healthy smattering of misinformation, scaremongering and the like, of which again there are many articles on. Rather than cover this old ground I’d like to take one look forward at how things could be in the weeks and months following that (probably) rainy Friday morning.

Looking Ahead

The most likely state of play is that the GDPR will not be implemented equally at least initially across affected territories. We know for example that Supervisory Authorities and organisations in Germany, by virtue of its much more stringent existing data privacy legislation, have a lot less work to do in most cases than some of the other EU member states. This is verified by surveys that show that a significantly higher proportion of German businesses believe they will be “GDPR ready” before many of their peers elsewhere.

The same will likely be true across differing sectors. Some appear to be ahead of others in the myriad of GDPR readiness surveys doing the rounds with Legal and perhaps unsurprisingly Technology ahead of the pack.

It’s likely that substantial numbers of organisations will not have completed their compliance projects by this time and indeed its predicted that many will not have even started. Encouragingly, organisations within the EU are much more aware of their obligations under the GDPR than outgoing local legislation. As expected however, the knowledge outside the EU of organisations that hold EU subject data is not as well spread, (larger corporates by in large excepted) and the volume of less well protected data off the continent remains extensive.

The media will continue to report daily cyber security breaches. Incidents will likely be better managed and statistically less likely to occur in those organisations that are compliant with the regulation, however. Fundamentally this will be down to the technical and organisational measures – especially staff training – those organisations would have employed as well as abetter understanding of the risks to their business.

Data Subjects both internal and external will want to flex their new legislative muscles and test their rights and their target organisations processes. It is anticipated that the removal of the fee for Subject Access Requests coupled with the media attention that the enforcement period will bring will cause an initial significant rise in such access requests.

The anticipated volumes of communication that organisations taking the GDPR seriously and who are attempting to re-mediate unlawful data will further bring Subjects’ rights to the fore. Organisations holding large volumes of data that have not positioned appropriate tools to manage this may face significant disruption.

The gulf between those organisations who have taken The GDPR to heart and those that haven’t will begin to widen. Organisations want to (and in this case can be obliged to) do business with like-minded and appropriately protected partners. Recruiters could well see entry to lucrative PSLs excluded, if they can’t demonstrate their compliance for example.

We’re unlikely to open the papers in those early days and read headlines about massive fines. Any financial penalties imposed by supervisory bodies have to be fair, proportionate and dissuasive but as has been the case for the last few years people are becoming more aware of the value of their personal data. Reputational impact will likely do far more damage to an organisation compared with fines, even under the GDPR.

For most us as data subjects, we may well have spent the last few months prior to the 25th May being subjected to consent requests, transparency notices,updated privacy policies from businesses and possibly contractual changes from our employer. We may well be sick to the back teeth of it all from both sides of the fence. Yet I suggest as the rain (probably) runs down the windows, that you think back to the summer of 2017 and ask yourself if you think your identity and indeed your right to privacy is better protected now than it was back then?

For many it will be a hard few months getting to this point in time. For those who embrace the change though, it will be worth it.

Are you going to the Recruitment Agency Expo next week at Birmingham’s NEC? Paul Mather will be on hand, should you need any advice. We’ll be there 4th – 5th October. Come and say hello.

Take a look at our GDPR Hub.

Written by Paul Mather, EU-GDPR-P, EU-GDPR-F and director of operations at Voyager Software, part of Dillistone Group PLC.


Voyager Infinity and Voyager Mid-Office are software solutions that make Recruiters’ lives easier. Voyager Infinity is a CRM used by thousands of recruiters globally to source, nurture and maintain the relationships with their clients and candidates, and Mid-Office manages the entire Pay and Bill process (IR35 ready).