By Tom Rogers - Digital Account Director - 25 Sep 2019


Three things I didn’t really want to combine in the same sentence! Here’s something to lighten the mood before we get into the serious stuff:

Did you hear the one about the Englishman, Scotsman and Irishman?

I’ll let you know when I’ve got their consent.

Brexit guidance and impact

Between the unresolved details of the UK’s exit from the European Union (EU), recent data protection legislation and the introduction of the GDPR in May 2018, companies currently face a great deal of uncertainty.

The UK Government has released guidance on data protection in the event of a no-deal Brexit. It relies on the EU making an adequacy decision, which would allow personal data to be transferred to the UK without restrictions. Naturally, no timetable has been given for when this decision will be made, and it cannot even be discussed until the UK has officially left the EU.

View the UK Government’s guidance on data protection if there’s a no-deal Brexit here.

For information regarding the UK being awarded adequacy status, click here.

One certainty, however, is that the GDPR has been incorporated into UK law, so you are required to meet its requirements regardless of the outcome. But what impact has the GDPR had on business practices and data protection?

Brexit prominence in Annual Reports

A PwC report entitled “The reporting dilemma – balancing the needs of shareholders and other stakeholders” looked at how many companies in the FTSE 350 reference Brexit as a risk. The annual reports fall into three groups:

- those that discuss Brexit as part of the risks section
- those that discuss Brexit outside of the risks section
- those that do not reference Brexit at all!

If you’re unsure how to report effectively on Brexit’s impact on your business, email to organise a benchmark of your report against industry best practice.

You can download the PwC report here.

GDPR - one year on

In a Eurobarometer study from March 2019, 67% of EU citizens had heard about the GDPR, 36% indicated they were well aware of what it entails and 57% indicated they were aware of the public authority responsible for protecting data.

In February 2019, the European Data Protection Board released an overview on the implementation and enforcement of the GDPR. Among its findings:

- DPAs from 11 EEA countries reported imposing administrative fines under the GDPR
- the overview also gives the total number of cases handled by DPAs from 31 EEA countries




GDPR complaints in the UK

Data on complaints submitted to DPAs across Europe show the UK receiving the most, at roughly 51 complaints per 100,000 people.


Aside from the number of complaints, the UK also tops the list for breach notifications, averaging 42 per day, which suggests that UK website users and consumers are more likely to report data breaches. If your business is based predominantly in the UK, you should ensure that your personal data security is fully compliant and that your policies and procedures are in place and tested.

So far, a number of high-profile companies have been fined under the GDPR, including:

- Google - Jan 2019
- Facebook - Oct 2018
- Equifax - Sep 2019

The PwC report mentioned above also states that 79% of FTSE 350 companies identify cyber security as a principal risk in their annual reports, demonstrating that it is increasingly a material issue for many companies.

GDPR – What’s next?

Well over a year after the GDPR came into force, there is still a long way to go before it is fully enforced and the Information Commissioner’s Office (ICO) starts handing out fines in earnest. But the clear direction for data protection is to ensure you have full transparency with your suppliers and providers on where personal data is stored and how it is used.

If you still don’t have any form of procedure in place to manage Subject Access Requests (SARs), you should consider following one of the many GDPR checklists available online:

For more information on reporting risks in your annual report or website, please get in touch with