
Life after GDPR: how has it affected businesses?


After a lot of discussion (and some last-minute panic), the General Data Protection Regulation (GDPR) finally came into effect on May 25th, 2018. Along with clogging up our inboxes, GDPR brought some fundamental changes for any business processing personal data. Now we’ve cleared the influx of emails here at Aurora B2B HQ, we’ve picked three of the most important ways we think GDPR has affected UK businesses…


1. Consent


Before May 25th, companies could handle personal data if a person didn’t ‘opt-out’. More often than not, the process of opting out was a complex business and not always obvious. The result? Personal data was often being processed without the end user being aware.


Post GDPR, businesses need to have specific consent to process personal data. Plus, they can only use data for the legitimate purpose it was collected for. And that’s not all. Businesses must also keep a record of the date the consent was given, and it should be stored securely and be easily available in case the Information Commissioner’s Office (ICO) request it.


Another big change is that people now have the right to withdraw their consent at any time. That means businesses can’t legally process any data unless they have the user’s consent.


2. Increased territorial scope


Before GDPR was introduced, the conditions around territorial applicability of the directive were woolly, causing many high-profile court cases. Not anymore. One of the biggest changes is the expansion of the territorial and material scope of EU data protection law.


To put that into plain English, this means the new GDPR regulations apply to any business processing the personal data of anyone living in the EU, regardless of the company’s location.


The law applies to both controllers and processors established in the EU and those outside the EU offering services or monitoring EU data subjects.


3. Fines for non-compliance


GDPR has replaced the Data Protection Act 1998. The highest fine ever imposed under the old law was £400,000. A substantial amount, we’re sure you’ll agree. But GDPR is upping the ceiling of fines under two tiers – both much bigger than anything the UK has seen before.


The fine will depend on the severity of the data breach and the importance of the data being put at risk, and will fit into one of two tiers:


  • Tier 1 is reserved for the most damaging breaches and carries a fine of up to €20m (£17.25m), or 4% of the company’s total global annual turnover.


  • Tier 2 is the lower of the two and businesses face a fine of up to €10m (£8.6m), or 2% of their annual turnover.


That’s a wrap


Now we’re more than two weeks into GDPR, over half of UK businesses have made sure they’re GDPR compliant. The rest plan on being fully compliant during the next 3 to 12 months.


In a survey of over 150 brand and agency-side marketers, Ensighten has found that 45% of UK businesses are setting money aside – just in case they face any fines in the future.


Of course, future-proofing your business so it’s in line with GDPR comes with other advantages, including building better trust, engagement and experiences with your customer base.


Miles Thorp from Banana Moon says: “The number of people we’ve been emailing has reduced massively but the engagement is better”.


Need help with GDPR compliant data? If you’ve got any questions we’d love to have a chat and help. Please give us a call on 0207 754 5903, drop us an email at, or find us on our social media pages.

