GDPR one year on – will your organisation pass its GDPR MOT?

by Guy Bradshaw on 11th June 2019

It’s just over a year now since the implementation of GDPR. This time last year you couldn’t move for GDPR information, advice, guidance and help. However, in all the rush to get ready for GDPR in 2018 very little attention was paid to the need to monitor processing for continuous improvement. One year after GDPR, less than 60% of organisations believe that they are compliant. Data breaches are common, some involving huge brand names, and consumers are more concerned than ever about the security of their data. GDPR is very much a live issue still.

With the first anniversary of GDPR passed, it’s time for many organisations to conduct their annual review, and increasing concern about how these reviews can take place without disruption to business as usual. GDPR compliance is not a static thing. You don’t achieve compliance and then sit back, job done. It’s a continuous and evolving thing. Your data environment changes all the time, so you need to be mindful of that to ensure that your GDPR compliance keeps pace.

The ICO has always made it clear that it views GDPR compliance as a journey rather than as a destination. Even if you were completely compliant on day one of GDPR, you can’t assume that you will still be compliant on day 365. GDPR compliance is not a box ticking exercise.

Article 24(1) of GDPR spells this out, stating that organisations are required to ‘implement technical and organisational measures to ensure, and demonstrate, compliance with GDPR’ as well as making it clear that organisations have an obligation to ‘review and update the measures as necessary’.

A year ago when GDPR was first introduced, the ICO stated that it did not necessarily expect everyone to be compliant from day one, and would be sympathetic to organisations who could demonstrate that they were taking compliance seriously and could actively show that they were working towards compliance. However, a year down the line it’s likely that the ICO is going to take a firmer line. The ICO receives more than 500 calls a week alerting it to issues of data security and privacy and has issued several six figure fines over the last year, some to very high profile organisations.


Data privacy is becoming a hot topic at the highest level of government and this situation is only going to intensify. Organisations need to be able to demonstrate their commitment to privacy by adopting a data protection by design and default approach. By definition, this approach requires ongoing attention – as your data needs change so do your data protection requirements.

At the very minimum, organisations are required to conduct an annual review to ensure that they remain compliant. It might be tempting to see this as a pure cost, as a box ticking exercise that has to be got through. However, we firmly believe an annual review is an opportunity not only to determine current levels of compliance but also to identify a real and pragmatic roadmap of improvements that aren’t just about the obligation to comply but also identify commercial opportunities that could be delivered from that same roadmap.

Talk to us today to find out more about how VIQTOR DAVIS can help you with your GDPR annual review, or sign up for our webinar to learn more.


Need to find out more: Get In Touch