As GDPR turns 5, does it have your best wishes? 

While some organizations have capitalized on GDPR to implement mature data compliance cultures, processes, and systems, others have struggled to move beyond readiness programs and achieve anything more than on-paper compliance. Regulation can be seen as a barrier to data use and innovation.

GDPR’s birthday might get a mixed reaction.

In this article, I’ll review the experience of organizations working to comply with GDPR and how compliance is changing, including the evolution of case law, the creation of new European data laws, and the ongoing impact of Brexit.

If you want to hear insights from first-hand GDPR compliance experience, jump to our webinar, where I talk to the best in the field.

GDPR changed the compliance landscape

25th May 2023 is the fifth anniversary of GDPR’s start date. The EU General Data Protection Regulation (GDPR) immediately and dramatically changed the privacy landscape across Europe and beyond.

GDPR modernized and harmonized a patchwork of earlier data protection laws across the EU and EEA, giving EU citizens more rights and control over their personal information. 

In public policy and regulatory circles, GDPR is seen as a “gold standard” for data privacy, and a catalyst in a global legislative revolution.

At the same time, GDPR mandates organizations to protect personal data more effectively, which has inevitably impacted operations. 

The latest research shows nearly 74% of organizations find it a challenge to keep up with the pace of regulatory change, and over 60% say privacy concerns limit their ability to use data effectively. This is felt where data projects are delayed or data is redacted to such a degree that its usefulness is compromised.

How was the experience?

Some companies made giant leaps to comply with GDPR. Some have matured their approach to regulatory oversight and embedded privacy as a core pillar of governance, risk, and compliance.

For many others, GDPR compliance has been a painful experience. Companies scrambled to get their house in order for the initial deadline, or even later. They launched internal policies and procedures, mobilized their IT and data offices to own data protection and privacy, shelled out for employee GDPR training, and put forward the public face of their data collection and data processing operations in new privacy notices.  

Even a reactive approach provided some comfort in meeting the basic requirements of the GDPR, but the steady stream of enforcement actions, fines, and brand-damaging media coverage offers no consolation. The most notable examples are: 

Organizations are increasingly moving from reactive compliance tactics to a strategy that plans for changes ahead of time and empowers business users to share and use data without compromising on compliance. They recognize the need to automate privacy-by-design approaches, including data minimization, within their current data operations and processes.

A mature approach requires business leaders to stay on top of regulatory guidance, case decisions, and proposed changes to law, then leverage technology to enable compliance.

What’s changing? 

Data compliance is a moving target. Even if the articles of GDPR don’t change, the stream of case law and related data laws never stands still. Regulatory guidance is constantly evolving at the same time as consumer expectations and perspectives on data ethics shift. 

Case law and judgments

As part of a proactive compliance strategy, organizations need to keep a close eye on the decisions, opinions and guidance issued by diverse EU and national bodies.

For example, the Schrems II decision by the CJEU (Europe’s top court) in July 2020 immediately invalidated the EU-US Privacy Shield, a mechanism for the flow of data between organizations in the EEA and USA. Schrems II had ramifications for many organizations, including any using a single data store to collect both US and EU customer records.

As a result of Schrems II, organizations are required to carry out Transfer Impact Assessments (TIAs) when personal data is exported to many third countries.

New related EU regulation

A raft of laws concerning data and its use are progressing through the EU’s legislative procedure and into effect. The combination of these proposed and approved laws has the potential to increase the complexity of data compliance in an ever-growing ecosystem of regulatory requirements. 

The areas in legislators’ sights include:   

  • Creating a digital space where the fundamental rights of users are protected and businesses have a level playing field, in the EU’s Digital Services Act (DSA)
  • Making the digital economy fairer and more contestable, in the Digital Markets Act (DMA)
  • Regulating artificial intelligence, in the AI Act
  • Updating prohibitions on unsolicited electronic communications and streamlining cookie consent, in the ePrivacy Regulation (replacing the current EU ePrivacy Directive)
  • Establishing a framework to facilitate data sharing and reuse, in the Data Governance Act (DGA)
  • Complementing the Data Governance Act, as part of the European Strategy for Data, with a proposed new law on access to and use of data, in the Data Act

Some of these laws — the AI Act, for example — have the potential to become international flag-bearers in their category in the same way as GDPR has been for data privacy. At the same time, laws that seek to ensure ethical practices and protect individual rights will inevitably have consequences for organizations looking to leverage their data with exciting new technologies like AI.

Will the UK take a different path?

The UK’s regulatory landscape is evolving rapidly following its withdrawal from the EU on 31 January 2020, so-called “Brexit”.

To ensure adequacy with the EU in line with the requirements of the EU-UK withdrawal agreement, the UK Government updated the Data Protection Act 1998 with the UK Data Protection Act 2018 (UK DPA 2018), incorporating GDPR in full into UK law by way of the “UK General Data Protection Regulation” (UK GDPR).

Recently, a new “Data Protection and Digital Information (No. 2) Bill” (DP & DI Bill) was published, proposing to amend UK data privacy and protection law. The DP & DI Bill is designed to make it easier and simpler for businesses to understand how to comply with UK data privacy and protection laws, and ultimately foster innovation and economic growth in the UK. The end result, based on the current direction of the bill, would be a different model to that of the EU. 

One major concern that legal experts have raised is whether or not the proposed changes will go too far and result in the UK falling off the list of countries deemed “adequate” to receive personal data from the EU. 

Divergence may also be challenging for businesses operating across both the UK and the EU, especially when deciding which version of GDPR to apply to their UK operations. The current draft seeks to clarify this by stating that where businesses comply with the EU GDPR, they would not have to implement changes introduced by the DP & DI Bill.

Given the rather fluid negotiations, tracking developments in UK law will be crucial for organizations operating across the UK and beyond. 

Beyond Europe

The data compliance temperature is rising beyond the EU and UK. 

Regulations are emerging on every continent, often inspired or influenced by the GDPR. The most notable recent example is the California Consumer Privacy Act (CCPA) in the US, followed by state data privacy laws in Utah, Colorado, Connecticut, Iowa, and Virginia.

Across the world, many more data privacy legislation programs are evolving, including legislation in some of the world’s most populous countries and centers of international business: China, India, Saudi Arabia, and the UAE. 

Organizations in Europe need to understand how these regulations will affect their data operations, just as overseas companies holding data on EU citizens are required to do for GDPR. 

What are the next steps?

There are two key challenges for organizations to address over the next five years.

  • Stay on top of changes like guidance and clarifications to the GDPR, emerging case law, proposed updates to existing legislation, and the emergence of similar laws and regulations beyond Europe
  • Embrace technology to support compliance and remove obstacles to data use, by understanding legal and regulatory requirements and automating data compliance steps

If organizations can rise to these two challenges, they’ll certainly be celebrating when GDPR reaches 10. 

Our “GDPR Turns 5” webinar 

Learn more about GDPR experiences from the best in the field. Watch our webinar on five years of GDPR featuring Emerald de Leeuw-Goggin, Global Head of Privacy at Logitech, Forbes Top 100 to Follow and TEDx speaker, and James Drury-Smith, Partner at DWF, and renowned privacy and cyber security leader.

Find it here