With data breaches on the rise and consent mechanisms broken, it’s time for smarter compliance and tougher enforcement to restore trust in how our personal data is handled.

Has everyone forgotten or stopped caring about the GDPR?
Recently I wrote a LinkedIn post that had this heading as its opening line. It got a lot of interest, shares and comments, so clearly what I said resonated with others. Here is what I wrote:
“Every week I encounter websites where I have to actively opt out of marketing emails or find myself automatically opted in by default. Alongside this, there seems to be a constant stream of news about data breaches, highlighting a broader issue of data security.
When designing and developing websites, privacy by design is a core principle we follow. This involves proactively considering GDPR compliance in our projects, from newsletter sign-ups and contact forms to cookie management.
GDPR, along with its UK-specific version post-Brexit, has been in force for years, yet many organisations still seem indifferent. This can cause frustration and confusion for users, as well as fines for non-compliance.
Has GDPR non-compliance become so widespread it’s now just background noise? Would users even notice or care if yet another website falls short? And realistically, does the ICO have sufficient resources to investigate every breach or complaint?”
Why did this resonate with people?
The GDPR or General Data Protection Regulation came into force in 2018. This was before Brexit, but that doesn’t mean it no longer applies. The UK GDPR was established to ensure that personal data would still be protected after the transition period to leave the EU came to an end in 2020.
While the GDPR has effectively been in place since 2018, there still seem to be plenty of issues around personal data:
1. Data breaches
For anyone in a data-protection role, it’s hard not to feel frustrated by the legislation, monitoring and enforcement – or by companies that simply ignore the rules. Nearly every week brings news of another breach. I just searched “data breach” on Google and the top four stories all involved different companies – the oldest was nine hours old, the most recent just 37 minutes ago. It’s enough to desensitise anyone.
With so many breaches, it was only a matter of time before people got used to them. When the GDPR came into force, headlines warned of major breaches and speculated about hefty fines for those who flouted the rules. Yet follow-up stories about actual consequences were few and far between. That's not to say there have been no repercussions (Meta's €1.2 billion fine for GDPR infringements is a notable example), but the sheer number of breaches hasn't been met with an equal number of punishments. Worse still, enforcement hasn't reduced non-compliance as we'd hoped.
You would expect fines and reputational damage to be enough to push companies to improve their defences. You’d expect them to implement measures that mitigate the risk of a breach. I keep using the word “expect” because the evidence suggests otherwise: major breaches keep happening week after week.
Part of the problem may be that we, as individuals and consumers, aren’t demanding more accountability. With breach after breach, have we become blasé about the whole thing? Perhaps the routine nature of these incidents, and the public’s limited understanding of their impact or any visible consequences, explains why we don’t push back against organisations, and why we keep trusting them with our data (and our money).
2. There is new legislation – but also concern that it doesn't do enough
As of last month, new legislation on data protection has arrived. The Data (Use and Access) Act 2025 (the DUAA) was officially passed, and the ICO explains that it “changes data protection laws in order to promote innovation and economic growth and make things easier for organisations, whilst still protecting people and their rights.”
The law will be phased in over the next 12 months, with different provisions coming into force at various stages.
What does the new legislation actually do? For most individuals and organisations, the DUAA's changes are fairly targeted, so day-to-day practice probably won't look very different. If you're keen on the details, Arnold & Porter has a handy summary, and gov.uk offers a more technical overview.
One change you should note is the rise in maximum fines under the Privacy and Electronic Communications Regulations (PECR). PECR covers electronic communications such as direct marketing and cookies. Under the new law, fines jump from £500,000 to £17.5 million, or 4% of total global revenue, bringing PECR in line with the UK GDPR. Since the ICO issues more fines under PECR than under the GDPR or Data Protection Act, this could have a real impact.
Arnold & Porter advise:
“In light of the higher fines for PECR breaches, businesses should pay close attention to their digital marketing activities and monitor the adequacy decision later this year when it falls for renewal.”
Despite the DUAA, many in data protection feel it doesn’t go far enough. The sheer volume of breaches is overwhelming – one person commented, “The breaches are so voluminous that the ICO cannot keep up.” If you have limited time and resources, and breaches happen constantly alongside widespread non-compliance with the UK GDPR, it’s nearly impossible to address every issue.
3. Opt-out is still being pushed over explicit consent
For many of us, this topic strikes a chord, especially when we’re forced to untick boxes just to avoid signing up for yet another newsletter. Under the UK GDPR, consent must be explicit: you must opt in if you want something. You shouldn’t have to opt out if you don’t want it. And you shouldn’t have to opt in to not receive something.
Every time I buy something online, I seem to end up unticking a marketing checkbox. Last week I ordered a new pair of shoes, and on two separate occasions, once at the start of checkout, again just before I clicked “confirm”, I had to untick a box to avoid marketing emails. That’s a clear breach of UK GDPR.
What puzzles me is the marketing logic behind it. If I’m signed up to newsletters I never asked for, I won’t read them, or buy from them. Is the aim really to catch me off guard? Organisations would be better off working within the UK GDPR and PECR, and finding ways to invite genuine sign-ups. That approach is far more likely to boost conversions. For instance, I’m much more inclined to subscribe when given choices: less-frequent newsletters, or granular options like “product updates” rather than a generic “weekly news.” In those cases, I usually will tick one of the boxes.
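As an added example (not code from the original post), here is a small Node.js audit that scans constructed checkout-form HTML for the two consent patterns described above: a marketing box that is pre-ticked so the user must untick it, and a box the user must tick in order to decline. The sample form, the function names and the keyword lists are all assumptions, and the regex-based parsing is deliberately simple so it runs without a DOM library.

```javascript
// Added example (not the article's code): audit form HTML for marketing-consent
// checkboxes that default the user into marketing instead of asking them to opt in.
// Regex-based so it runs in plain Node without a DOM library; assumes each
// checkbox is either wrapped in a <label> or referenced by <label for="id">.
const MARKETING_WORDS = /newsletter|marketing|offers|promotions|updates/i;
const NEGATIVE_PHRASING = /\b(do not|don't|opt out|unsubscribe|not receive)\b/i;

// Constructed sample checkout form: a legitimate terms box plus the consent patterns discussed.
const SAMPLE_CHECKOUT = `
  <label><input type="checkbox" name="terms" required> I accept the terms</label>
  <label><input type="checkbox" name="news" checked> Send me the weekly newsletter</label>
  <input type="checkbox" name="nomarketing" id="nm"><label for="nm">Tick here if you do not want marketing emails</label>
  <label><input type="checkbox" name="product"> Product updates only (monthly)</label>
`;

// Text of the <label for="id"> element, stripped of tags; "" if none.
function labelFor(html, id) {
  if (!id) return "";
  const m = html.match(new RegExp(`<label[^>]*for=["']${id}["'][^>]*>([\\s\\S]*?)</label>`, "i"));
  return m ? m[1].replace(/<[^>]+>/g, "").trim() : "";
}

// Returns one finding per marketing-related checkbox; non-marketing boxes are ignored.
function auditConsentCheckboxes(html) {
  const findings = [];
  const re = /<input\b([^>]*type=["']checkbox["'][^>]*)>([^<]*)/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const attrs = m[1];
    const name = (attrs.match(/\bname=["']([^"']+)["']/i) || [])[1] || "(unnamed)";
    const id = (attrs.match(/\bid=["']([^"']+)["']/i) || [])[1];
    const text = labelFor(html, id) || m[2].trim(); // explicit label, else wrapped text
    if (!MARKETING_WORDS.test(text)) continue;
    if (/(^|\s)checked(\s|=|$)/i.test(attrs)) {
      findings.push({ name, issue: "pre-ticked: user must untick to avoid marketing" });
    } else if (NEGATIVE_PHRASING.test(text)) {
      findings.push({ name, issue: "inverted: ticking is how the user declines" });
    } else {
      findings.push({ name, issue: "ok: unticked opt-in" });
    }
  }
  return findings;
}

// True when any consent control relies on opt-out rather than opt-in.
function hasOptOutPattern(html) {
  return auditConsentCheckboxes(html).some(f => !f.issue.startsWith("ok"));
}
console.log(auditConsentCheckboxes(SAMPLE_CHECKOUT));
```

Run against the constructed form it reports the pre-ticked newsletter box and the inverted "tick to decline" box, and passes only the unticked "product updates" opt-in.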
I’ll admit I’m part of the problem. I don’t report every slip-up I spot. With those shoes, did I email the retailer? No, I vented on LinkedIn instead. In GDPR’s first year I did flag most sites that used opt-out, but it quickly became a chore. I’d tell myself “I’ll deal with it later,” and then…forget.
What’s the solution?
First and foremost, we need to bolster the resources dedicated to monitoring, engaging with and enforcing data-protection rules. That means not only upping the number of investigations and reminders sent to organisations, but also following through with fines when they fail to act. At the same time, individuals should be made aware of, and empowered to use, the mechanisms for reporting breaches or non-compliance. Clear, easily accessible guidance on how to raise concerns with the ICO or other relevant bodies would go a long way to making everyone part of the solution.
Ultimately, though, the real change has to come from organisations themselves. No matter how big or small, businesses must recognise that flouting data-protection legislation puts their reputation, and even their very survival, at risk.
Rather than hiding behind the “everyone else does it” excuse, companies should see privacy, consent and security as opportunities to stand out, to demonstrate to customers that they are serious about respecting personal data.
For smaller teams, that might mean automating basic compliance checks, adopting a consent-management platform and assigning clear internal ownership of data-protection duties. These steps reduce the manual burden and help ensure that consent mechanisms and privacy notices remain up to date. Larger organisations, meanwhile, should invest in fully dedicated data-protection officers and build a schedule of regular privacy audits, making sure that compliance considerations are woven into every marketing campaign and product launch.
In the end, it will be financial penalties that drive the strongest incentives for change. High-profile fines, across the board, from multi-nationals down to SMEs, will send an unmistakable message: no one can sidestep these rules, and every breach carries real consequences.
Sources
ICO - DUAA: https://ico.org.uk/about-the-ico/what-we-do/legislation-we-cover/data-use-and-access-act-2025/the-data-use-and-access-act-2025-what-does-it-mean-for-organisations/
Arnold & Porter: https://www.arnoldporter.com/en/perspectives/advisories/2025/07/the-data-use-and-access-act-2025-explained
Gov.uk: https://www.gov.uk/government/publications/data-use-and-access-act-2025-factsheets/data-use-and-access-act-factsheet-uk-gdpr-and-dpa
European Data Protection Board: https://www.edpb.europa.eu/news/news/2023/12-billion-euro-fine-facebook-result-edpb-binding-decision_en
ICO - Adequacy: https://ico.org.uk/for-organisations/data-protection-and-the-eu/data-protection-and-the-eu-in-detail/adequacy/
ICO - new data protection laws: https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2025/06/uk-organisations-stand-to-benefit-from-new-data-protection-laws/
Data Protection Network: https://dpnetwork.org.uk/dua-act-key-changes-ahead/