Don’t be complacent because GDPR has yet to show its teeth
The SRM Blog

Written by Julia Wailes-Fairbairn

18th December 2018

GDPR is yet to show its teeth

When the General Data Protection Regulation (GDPR) was first discussed, there were headline figures about the size of fines. Where fines levied by the Information Commissioner's Office (ICO) under the old Data Protection Act (DPA 1998) were capped at £500,000, under GDPR those fines could be up to 4 per cent of global annual turnover or 20 million euros (whichever is greater). Yet, to date, GDPR has not really shown its teeth.

This is not, however, because its bark is worse than its bite. Far from it. It is because most of the breaches in the news until recently were reported before May 2018 and are therefore considered under the DPA. The real impact of GDPR will therefore not be seen until breaches which were reported after 25th May 2018 are brought before the ICO.

The Starwood Hotels and Resorts data breach is set to be the first significant case to be judged under GDPR. Because the breach was discovered around 10th September 2018, it falls within the scope of the new regulation. This is despite the fact that the breach is thought to affect records going back as far as 2014, and despite Starwood having been acquired in 2016 by the Marriott Hotel group, which reported the breach and is fully supporting the investigation.

For this and subsequent cases of its type, when considering the level of fine to be imposed, the ICO will scrutinise the case, taking into account whether customers’ personal data is currently being managed in line with GDPR requirements and the ongoing application of GDPR throughout the business. This highlights the very real need for ongoing compliance.

SRM’s GDPR team provides a business-focused service to organisations of all types and sizes. While we provide unrivalled technical and compliance expertise, we also understand how businesses operate, working with clients through the GDPR compliance process with the focus on delivering robust, efficient and effective ongoing compliance, not on simply selling products.

SRM has operated in this environment for many years. Our GDPR consultants are trained through a GCHQ-approved qualification and are able to advise on the strategic management of GDPR compliance. We can also take on the full Chief Information Security Officer (CISO) or Data Protection Officer (DPO) role, either in a traditional part-time capacity or via our VirtualCISO™ service.

To find out more about what SRM’s GDPR team can do for you, contact Mark Nordstrom ( or 03450 21 21 51 or check out our website

Or read our blog:

The GDPR compliance fallacy

How PCI compliance puts you on course for GDPR

Or view the free live (recorded) webinar: The roles of manual and automated penetration testing
