LEVICK | August 6th, 2018
Developments in the General Data Protection Regulation

Our friends in the UK at Cordery reached out to share their insights on the changes within the General Data Protection Regulation (GDPR). With confusion over what is going on in data protection and privacy, we wanted to share their thoughts with you. See below for updates on rules and regulations in this constantly changing sector.
GDPR Update
There has been lots of data protection developments since GDPR came in on the 25 May 2018 and I thought you might be interested in hearing about some of the things that we have been up to.
Volume of Complaints
There has been a large number of complaints since GDPR came in. We know that there are at least 3,500 from the research that we have done, but the exact number is likely to be higher since most of the information from DPAs does not include complaints about data subject rights and German regulators (traditionally very active) have not provided much information.
There has also been lots of activity on security breaches as well – for example the UK had 1,792 in June alone and Ireland had 547 data breach notifications in the first the month of GDPR.
GDPR FAQs
We have updated our GDPR FAQs to look at some of the lessons we have learnt since GDPR came in. You can look at the new version here.
Facebook Case
The European Court of Justice (ECJ) has had a busy few months with data protection litigation. In June they ruled that the administrator of a fan page could be jointly liable with Facebook for the activities on that page. This will have potentially significant implications for anyone who has a company page on Facebook or uses it to communicate with customers for example. Details of the case are here.
Data Protection Damages
One of the things we have talked about previously in our alerts is the fact that it is not just up to regulators to enforce GDPR. There is a real rise in civil actions and a number of hearings coming up. GDPR makes it easier for individuals to issue proceedings when their data protection rights have been compromised – for example in a data breach. A recent UK Court of Appeal case is helpful in giving a sign of the range of damages after a data breach, but also confirms that the right to bring proceedings is not limited to data subjects – in this case identifiable family members could also get compensation. There is more on this case here.
Jehovah Witnesses Case
We have also had a useful reminder from the ECJ that measures need to be taken to protect hard copy data. The case concerned the Jehovah Witnesses in Finland. They used maps which they had marked up to steer them in their door-to-door activities. The court decided that even in this hard copy format the information that they wrote down was covered by data protection legislation. This case has a number of other interesting aspects, including reminding us how easy it is to become a data controller (like the Facebook case above), showing the limits of the domestic purposes exemption and reminding us how tough it can be to deal with Subject Access Requests. You can read more about this case here.
Subject Access Requests (SARs)
We have seen a real rise in the volume of SARs since GDPR. There have also been quite a few cases on what is in scope for a SAR and this has also been before the UK Court of Appeal recently in a case involving a doctor and the General Medical Council. Our alert on that case is here. One of the takeaways is that SARs can be used in a litigation context – this is all the more worrying given the rise in data protection litigation which we have already mentioned.
GDPR Progress so Far
I took part in a webinar hosted by Verint looking at some of the GDPR cases so far, including a large data breach investigation and a Spanish case looking at disclosure on Apps. You can listen to that webinar here.
Cyber Security
It is important to remember that GDPR is not the only law that deals with cyber security. The Network and Information Systems regime (known as the NIS regime) is coming across in Europe and has important implications, particularly for some types of technology businesses and those engaged in healthcare, financial services, energy, transport and digital infrastructure. In some cases there is an obligation to register. There are more details of the UK’s implementation of the NIS regime here.
New UK Registration Regime
GDPR (theoretically at least) abolished the prior registration requirements with data protection regulators across Europe. However, just as GDPR came in the UK brought in a new registration regime which, in some respects, is similar to the pre-GDPR regime but in many cases with a higher fee to be paid. There are some basic details of the new regime here.
New UK Data Protection Act 2018 (DPA 2018)
Whilst GDPR brought in some uniformity across the EU, we are also seeing quite a lot of country specific legislation which is altering the data protection landscape. In the case of the UK the DPA 2018 has some specific criminal offences that companies could commit over and above their GDPR liability. Our alert on the DPA 2018 is here.
GDPR Navigator
There are more details on many of these topics in GDPR Navigator which provides up to date advice on data protection issues for a fixed fee. We also discuss issues like this on our monthly call. There is more information on GDPR Navigator here and if you are interested in taking out a subscription do let us know.
LEVICK | August 6th, 2018
Developments in the General Data Protection Regulation

Our friends in the UK at Cordery reached out to share their insights on the changes within the General Data Protection Regulation (GDPR). With confusion over what is going on in data protection and privacy, we wanted to share their thoughts with you. See below for updates on rules and regulations in this constantly changing sector.
GDPR Update
There has been lots of data protection developments since GDPR came in on the 25 May 2018 and I thought you might be interested in hearing about some of the things that we have been up to.
Volume of Complaints
There has been a large number of complaints since GDPR came in. We know that there are at least 3,500 from the research that we have done, but the exact number is likely to be higher since most of the information from DPAs does not include complaints about data subject rights and German regulators (traditionally very active) have not provided much information.
There has also been lots of activity on security breaches as well – for example the UK had 1,792 in June alone and Ireland had 547 data breach notifications in the first the month of GDPR.
GDPR FAQs
We have updated our GDPR FAQs to look at some of the lessons we have learnt since GDPR came in. You can look at the new version here.
Facebook Case
The European Court of Justice (ECJ) has had a busy few months with data protection litigation. In June they ruled that the administrator of a fan page could be jointly liable with Facebook for the activities on that page. This will have potentially significant implications for anyone who has a company page on Facebook or uses it to communicate with customers for example. Details of the case are here.
Data Protection Damages
One of the things we have talked about previously in our alerts is the fact that it is not just up to regulators to enforce GDPR. There is a real rise in civil actions and a number of hearings coming up. GDPR makes it easier for individuals to issue proceedings when their data protection rights have been compromised – for example in a data breach. A recent UK Court of Appeal case is helpful in giving a sign of the range of damages after a data breach, but also confirms that the right to bring proceedings is not limited to data subjects – in this case identifiable family members could also get compensation. There is more on this case here.
Jehovah Witnesses Case
We have also had a useful reminder from the ECJ that measures need to be taken to protect hard copy data. The case concerned the Jehovah Witnesses in Finland. They used maps which they had marked up to steer them in their door-to-door activities. The court decided that even in this hard copy format the information that they wrote down was covered by data protection legislation. This case has a number of other interesting aspects, including reminding us how easy it is to become a data controller (like the Facebook case above), showing the limits of the domestic purposes exemption and reminding us how tough it can be to deal with Subject Access Requests. You can read more about this case here.
Subject Access Requests (SARs)
We have seen a real rise in the volume of SARs since GDPR. There have also been quite a few cases on what is in scope for a SAR and this has also been before the UK Court of Appeal recently in a case involving a doctor and the General Medical Council. Our alert on that case is here. One of the takeaways is that SARs can be used in a litigation context – this is all the more worrying given the rise in data protection litigation which we have already mentioned.
GDPR Progress so Far
I took part in a webinar hosted by Verint looking at some of the GDPR cases so far, including a large data breach investigation and a Spanish case looking at disclosure on Apps. You can listen to that webinar here.
Cyber Security
It is important to remember that GDPR is not the only law that deals with cyber security. The Network and Information Systems regime (known as the NIS regime) is coming across in Europe and has important implications, particularly for some types of technology businesses and those engaged in healthcare, financial services, energy, transport and digital infrastructure. In some cases there is an obligation to register. There are more details of the UK’s implementation of the NIS regime here.
New UK Registration Regime
GDPR (theoretically at least) abolished the prior registration requirements with data protection regulators across Europe. However, just as GDPR came in the UK brought in a new registration regime which, in some respects, is similar to the pre-GDPR regime but in many cases with a higher fee to be paid. There are some basic details of the new regime here.
New UK Data Protection Act 2018 (DPA 2018)
Whilst GDPR brought in some uniformity across the EU, we are also seeing quite a lot of country specific legislation which is altering the data protection landscape. In the case of the UK the DPA 2018 has some specific criminal offences that companies could commit over and above their GDPR liability. Our alert on the DPA 2018 is here.
GDPR Navigator
There are more details on many of these topics in GDPR Navigator which provides up to date advice on data protection issues for a fixed fee. We also discuss issues like this on our monthly call. There is more information on GDPR Navigator here and if you are interested in taking out a subscription do let us know.
- Brand
- The Fifth Estate: A Business Guide for Surviving “The Troubles”
- Here We Come
- Corporate Revolt Over Campaign Donations Shakes Political World
- What Happens Next?
- CSR & Sustainability
- Public Perception & the Biden Transition
- WATCH: Reputation Management with PRSA
- Over the River and Through The Woods
- Why Non-Profits are so Vulnerable to Crisis Risk
- The Threat to Free Markets
- What Happens When Nonprofits Get Caught In The Klieg Lights?
- You Took a PPP Loan. Now Get Ready to Talk About It.
- Communications
- “Crooked Dominion Machines,” Impeachments, Insurrections & The First 100 Days
- Reflections on a Turbulent Year: 2020
- The Fifth Estate: A Business Guide for Surviving “The Troubles”
- Here We Come
- The Ministry of Common Sense
- Why Should I Apologize? Lawyers vs. Communicators
- What Happens Next?
- CSR & Sustainability
- A Conversation with Abbe Lowell
- A New Year’s Resolution
- Public Perception & the Biden Transition
- WATCH: Reputation Management with PRSA
- Company News
- Reflections on a Turbulent Year: 2020
- Here We Come
- Recent Awards & Recognition
- Won’t You Be My Neighbor?
- What’s a Director to Do?
- LEVICK Announces Partnership with BCG
- A New Look
- Albert Krieger, 1923-2020
- LEVICK Announces Partnership with Jipyong
- Speaking to In-House Counsel
- Childhood Lessons
- LEVICK Announces New Webinar Series with Turbine Labs
- Crisis
- “Crooked Dominion Machines,” Impeachments, Insurrections & The First 100 Days
- Reflections on a Turbulent Year: 2020
- 3 Tech Lessons Businesses Must Learn From COVID-19
- Trump’s pardons undercut a decade of foreign lobbying law enforcement. What now?
- Fighting for the Rule of Law with Marshall Harris
- The Fifth Estate: A Business Guide for Surviving “The Troubles”
- What to expect as the clock approaches midnight
- How to Stop the Madness
- Corporate Revolt Over Campaign Donations Shakes Political World
- A Remembrance of Tommy Raskin
- No ‘justice’ in rep’s vote
- A Call for Orderly & Peaceful Transition of Power
- Finance
- Here We Come
- The Threat to Free Markets
- Advisory & Insurance Services
- WATCH: Revolutionizing Litigation Finance
- Litigation Finance: Revolutionizing Litigation
- Consumer-Focused Solutions for Financial Health
- Event: Consumer-Focused Solutions for Financial Health
- Sports: Power and Money in a New Age of Social Justice
- The Balancing Act: The Role of Whistleblowers in American Commerce and Government
- The Evolving and More Powerful FARA
- FCPA & Compliance in a Time of Uncertainty
- Shareholders vs. Stakeholders: Is the Paradigm Shifting?
- Guest Column
- Guest Blog: The Mainstream Media Gets an A for Intellectual Arrogance, an F for Journalism
- Buckle up Directors: Cybersecurity Risk and Bankruptcy Risk Are Not Mutually Exclusive
- Buckle up Directors: Cybersecurity Risk and Bankruptcy Risk Are Not Mutually Exclusive
- South Africa: The Slow Decline of the ANC
- Why CSR Fails and How to Fix It
- What to Expect Following the European Elections?
- Buhari Inaugurated. What Now for Nigeria?
- Marketing- It’s Up To You…
- Crisis Management lessons from the air-crash investigation model
- The Future of War
- Health
- Reflections on a Turbulent Year: 2020
- Food Issues & the Biden Administration
- Covid-19: The Pandemic that Never Should Have Happened
- Pharma’s Post-Pandemic Policy Outlook
- Keeping Hope Alive
- Real Herd Immunity
- The Fiction of College Sports Amateurism
- Mac Summit: Crisis Communications in a Post-Covid, Post-Election World
- Travel Industry Communications in the Age of Covid-19
- Track of Time
- Is C-19 Taking Women Lawyers’ Careers Back to the 1950s?
- Post-Pandemic PR Strategy
- In Memoriam
- Snider’s Super Foods: Locally World Famous
- Speak Truth With Love, Not Anger
- In Memoriam: Stephen Susman
- Letter to the Movement
- John Lewis’ Life Bridged the Best of America
- Albert Krieger, 1923-2020
- In Memoriam of Marcia Horowitz
- Jim Lehrer Passes Away
- Martin Luther King, Jr.
- Harold Burson Passes Away
- Interviews
- CommPRO: Ruth Bader Ginsberg’s Life & Legacy
- Richard Levick on “My Wakeup Call”
- Primerus Webinar: Into the Wind
- The Future of Baseball Post-Pandemic
- Webinar: The End of Brand Neutrality
- Thought Leadership & Organic Growth
- Man & Superman
- LEVICK Announces New Webinar Series with Turbine Labs
- Navigating Coronavirus Challenges in the Insurance Industry
- VIDEO: How to Anticipate & Avoid a Crisis
- What’s Next? with Julie Chase
- What’s Next?: California Electoral Behavior
- Law Firms
- Fighting for the Rule of Law with Marshall Harris
- Why Should I Apologize? Lawyers vs. Communicators
- You Took a PPP Loan. Now Get Ready to Talk About It.
- Beyond Black Swan: Positioning the law firm for the new normal
- A Salute to Personal Courage and the Rule of Law
- Cyber Risk Institute Expands Its Profile
- When a client becomes a law firm’s PR nightmare
- The General Counsel’s Dilemma
- A First Look at the Google Antitrust Suit
- The Latest Top Class Actions
- Trust on Trial: How Communicators Succeed in a World No Longer Trusted
- The Latest Settlements, Class actions, Investigations & More
- Litigation
- Fighting for the Rule of Law with Marshall Harris
- Why Should I Apologize? Lawyers vs. Communicators
- A Conversation with Abbe Lowell
- Leveraging Legal Expertise in Communications
- You Took a PPP Loan. Now Get Ready to Talk About It.
- Beyond Black Swan: Positioning the law firm for the new normal
- A Salute to Personal Courage and the Rule of Law
- Cyber Risk Institute Expands Its Profile
- When a client becomes a law firm’s PR nightmare
- The General Counsel’s Dilemma
- WATCH: Revolutionizing Litigation Finance
- Litigation Finance: Revolutionizing Litigation
- Our Work
- Recent Awards & Recognition
- The Cyber Bad Guys Are Getting Worse
- Crisis Communications & The Age of Cancel Culture
- Standing on the Shoulders of Giants
- Video: Conversations with American Legends
- Staying Ahead of the Crisis
- A New Era of Insurance Marketing
- Infographic: Judgment Free Zone
- Infographic: Barriers to Entry
- Infographic: History Meter
- Assistance for Law Firms Engaged in Pro Bono
- Webinar: The End of Brand Neutrality
- Public Affairs
- “Crooked Dominion Machines,” Impeachments, Insurrections & The First 100 Days
- Trump’s pardons undercut a decade of foreign lobbying law enforcement. What now?
- Fighting for the Rule of Law with Marshall Harris
- The Fifth Estate: A Business Guide for Surviving “The Troubles”
- What to expect as the clock approaches midnight
- How to Stop the Madness
- Corporate Revolt Over Campaign Donations Shakes Political World
- No ‘justice’ in rep’s vote
- A Call for Orderly & Peaceful Transition of Power
- Recovering from the Greatest Sacrifice
- Food Issues & the Biden Administration
- The Cost of Government Regulation and the Threat to Free Enterprise
- Risk
- Ingredients of Decency
- ESG Performance and Credit Markets
- The Coronavirus Saga is Just Beginning
- No. 1 Risk of the Decade
- The Risk Evolution of Corporate Risk
- Extend Risk Management Reach
- Collective Action
- Risk Identifying Software
- The New Risk of Doing Nothing
- Political Unrest In Hong Kong
- High-Profile Kidnaps in African National Parks
- Cyber Resilience
- Social
- The Ministry of Common Sense
- How to Stop the Madness
- A Remembrance of Tommy Raskin
- No ‘justice’ in rep’s vote
- A Call for Orderly & Peaceful Transition of Power
- Recovering from the Greatest Sacrifice
- CSR & Sustainability
- A New Year’s Resolution
- Dropping the Mic
- Won’t You Be My Neighbor?
- Crisis, Covid, DEI & the Election
- MLK’s Memphis Address
- Technology
- 3 Tech Lessons Businesses Must Learn From COVID-19
- Constella Intelligence Announces Hunter for Improved Investigation Capability
- Cyber Risk Institute Expands Its Profile
- Digital Politics: The Future of Voting Technology
- Ethics in Electronics
- The Cyber Bad Guys Are Getting Worse
- A First Look at the Google Antitrust Suit
- The Pause
- Cybersecurity Incidents of the Summer
- The Changing Digital Economy and Cyber Risks
- The Future of U.S. Manufacturing
- Tech CEO Summer Superbowl hearing
- This Week
- A Remembrance of Tommy Raskin
- A New Year’s Resolution
- Over the River and Through The Woods
- Dropping the Mic
- Won’t You Be My Neighbor?
- The Cyber Bad Guys Are Getting Worse
- What We Hear
- Track of Time
- Video: Conversations with American Legends
- Conversations with American Legends
- A New Era of Insurance Marketing
- American Legend