fb-pixel
Skip to content

GDPR turns five: Has it positively changed the landscape of Data Protection?

Patricia Cullen

May 25th marks the fifth anniversary of GDPR. In the UK, we have witnessed huge change in the past five years – including four Prime Ministers, the Covid-19 pandemic and a cost-of-living Crisis – but when it comes to protecting personal data, there is still more to be done.

71% of countries have data protection regulations in place and a further 9% have legislation in development, according to the United Nations Conference on Trade and Development. Furthermore, data privacy is finally getting prioritised and GDPR has brought about a significant change in how organisations collect, process, and protect personal data.

As the world becomes increasingly interconnected, organisations must protect their data by ensuring an integrated governance, risk and compliance approach. Happy birthday, GDPR – businesses have upped their privacy game.

Fine & Dandy

Companies must take proactive measures to ensure compliance or face the consequences of non-compliance.  Since 25th May 2018, over 1,600 fines have been issued to companies, organisations and private individuals for breaching regulations. Fines total at a sum of £2.5bn (€2.78bn), not including the latest sanction.

The latest GDPR fine imposed on META – over £1bn (€1.2 bn) – is a strong reminder that data safety and compliance are not merely buzzwords but essential requirements for organisations in 2023. At an already reflective time, the news brings renewed focus for big tech to get data privacy right.

The size of the possible fines that GDPR could introduce produced countless column inches, assisting the European Commission’s objective of ensuring data protection is firmly a corporate board-level issue.

But are fines like this inadequate, in the face of an avalanche of AI-related data collection and usage? As AI’s foundational models blur the distinction between personal and non-personal data, causing scandals such as the leaking of confidential business information, will existing privacy legislation like GDPR be rendered useless?

Ivana Bartoletti, a leading global expert on privacy, ethics, and governance, and global chief privacy officer at Wipro, thinks not, but swift action is necessary:

“Fairness, accuracy and transparency have given protection to consumers, citizens and employees. When GDPR first came out, some predicted it was going to be extremely tough on smaller companies, but a lot of that was overblown.

“Regulators like the ICO in the UK have been doing a great job at supporting smaller organisations, and the very act of getting UK businesses to think about what data should be held, processed and stored is a big step forwards. Ultimately, it is not the size of the company but the volume of personal data that matters here,” she says.

Businesses must take proactive steps to protect user privacy, embrace transparency, and build a culture of compliance to navigate the evolving regulatory landscape successfully. By doing so, they not only safeguard their reputation and financial well-being but also demonstrate a commitment to ethical data practices that prioritise the rights and interests of their customers.

Happy anniversary

One of the main reasons for the overhaul of the EU data protection framework in 2018 was to strengthen the existing framework.

“Before the GDPR became applicable, it was largely up to the EU Member States to organise the enforcement of the national data protection rules adopted to implement the EU Data Protection Directive. This resulted in significant differences in data protection enforcement throughout the EU,” says David Dumont, Partner at Hunton Andrews Kurth.

He continues, “Although GDPR introduced a harmonised set of enforcement powers, there are still differences in how national data protection authorities have used these powers over the past 5 years. Between 2018 and now, Ireland, Luxembourg, and France have issued some of the highest fines, while Spain, Italy, and Germany have seen the greatest number of fines.”

GDPR has been branded as too restrictive; preventing growth and prosperity. Asha Palmer, SVP Compliance Solutions at Skillsoft recognises that while GDPR hasn’t achieved all it set out to do in the last five years, it has certainly pushed the topic of data privacy to the forefront.

“It has also persevered through a period of massive innovation, adapting to suit the needs of evolving technologies such as AI. In fact, because of GDPR, regulators have collected more than €80m (£69m) in AI-related fines alone. Its strict regulations have many companies now considering best practices for making AI GDPR compliant,” she says.

Jakub Lewandowski, global data governance officer at Commvault, reflects on what GDPR has realised in its short 5 years.

“Whilst only five years old, GDPR is already the grandad of data regulation in the modern age: established and dependable, although not yet outdated. Despite all the technological developments within the last five years – facial recognition, virtual reality, and AI, to name just a few – GDPR has stood the test of time.”

He remains hopeful that GDPR can adjust to new requirements.

“Yet, in the present day, the sudden rise of Generative AI and Large Language Models (LLMs), like ChatGPT, has led to renewed conversations about data privacy. But rest assured that, as a framework of data protection impact assessments that considers the rights of individuals, GDPR’s mechanisms can also be applied to the use of LLMs, at least for the time being.”

The Digital Age

GDPR is a game-changing regulation, producing numerous new privacy and data regulation laws. Pre-2018, businesses could buy, sell, share, and store customer data with ease, now they are subject to scrupulous regulatory compliance requirements.

As reflected in the data, the move to digitalisation has highlighted a host of privacy risks, according to Foyaz Uddin, Director of Head of Privacy and Data Protection Services at Mazars.

“For example, with the growing use of cloud-based services, healthcare and pharma businesses have been migrating their data to cloud-based solutions, requiring the implementation of strict security measures to ensure data is protected. Some of these providers sit outside the UK and EU, some in countries deemed inadequate or unsafe for data transfers.

“This poses many challenges and businesses are still grappling with current requirements, whilst anticipating new ones due to technological advancements. The Internet of Things (IoT Tech) provides a further issue and has led to increased concerns around data privacy and protection.

“Healthcare providers have been updating their privacy notices and policies and implementing strong encryption measures to protect patient data, but with the constant shifts in both technology and regulation, firms cannot afford to be complacent about compliance,” he adds.

According to Helena Nimmo, CIO at Endava, instead of undertaking a business overhaul, organisations should take a more iterative approach, ‘digital acceleration’. Digital acceleration allows for more agile delivery that doesn’t undermine longer-term strategic thinking or changes to regulatory frameworks, like what we’re seeing now.

“Applied to GDPR, digital acceleration allows leaders to safeguard their organisations while allowing them to innovate with more flexibility – a key challenge when looking at mitigating risk and ensuring compliance.

“As people become more aware of their data than ever, businesses have a responsibility to their customers, employees and other stakeholders to make decisions with privacy front of mind. Failure to prioritise is not only a compliance and financial risk, but a significant reputational one too,” she adds.

Palmer advises companies to stay up to date with the implications of new technology. Despite common misconceptions, AI is regulated through GDPR – organisations are obligated to provide affected individuals with information about the associated logic of any automated decisions.

“As generative AI tools such as ChatGPT take the world by storm, organisations need to develop and update governance around its usage in the workplace, considering the security, privacy, confidentiality and ethical implications,” she advises.

The technology industry must work closely with regulators to redress the current imbalance between the rate of innovation and ability to regulate technology, but not stifle how it creatively evolves, according to Harry Keen, Co-Founder and CEO at Hazy.

“Five weeks feels like five years now, and only through continued collaboration and consistent conversation between businesses, regulators, and governments can we strive for a future where customer data is safeguarded effectively in an increasingly digital world.” 

Technology Gets Tested

No company is safe from fines and major tech firms have been penalised. Alongside the most recent mammoth Meta fine, other tech giants have also felt the GDPR wrath.

“Amazon, Facebook/Meta, Google, and subsidiaries of these major companies have all been hit with hefty fines into the hundreds of millions of pounds because of GDPR breaches – before the latest billion Euro fine handed to Meta.

“Many assume technology giants have the expertise and resource to mitigate breaches, but they have been on the same learning curve as everyone else, as technology has radically outpaced regulation,” Keen warns.

Now, seven out of the ten highest fines for GDPR breaches are attributed to Mark Zuckerberg’s company. Additionally, Meta has now dethroned Amazon vis a vis the amount of money a company had to pay in the history of GDPR.

Healthcare Gets Heated

The healthcare sector is next up. It has received 163 fines totalling just under €16m (£14m), from a total of 25 DPAs in the last 5 years, according to the GDPR Enforcement Tracker. In the last year, approximately 60 fines were imposed for data protection violations in the wider healthcare sector, which is an increase of €3m (£2.6m) compared to the previous year.

“The most common basis for the issue of the fines was the citation of a lack of sufficient technical and organisational measures to protect the security of data processing operations and for processing special categories of data, totalling 55 fines,” according to Uddin.

Jamie Barnard, CEO of Compliant, acknowledges the GDPR fine levied against Meta reflects the growing concerns over the protection of user privacy and personal data, especially five years on from GDPR.

“As data breaches, unauthorised sharing of information, and privacy infringements continue to make headlines, consumers are demanding stronger safeguards for their personal information. This fine acts as a significant wake-up call for companies to re-evaluate their data handling processes and prioritise user privacy.

“Meta was fined for unlawfully transferring personal data from the EU to the US, which means a lot of companies will be urgently reviewing their own reliance on SCCs (standard contractual clauses) to justify similar transfer – this is not just about Meta – this is serious news for anyone relying on SCC’s,” he says.

The EU is Trailblazing

According to Barnard, the EU has established itself as a bellwether for data privacy regulations, setting high standards that other regions, including the United States, are likely to follow.

“The cumulative GDPR fines in the last 2 years are 10,000x greater than the first 3, illustrating the increasing regulatory scrutiny and the severity of consequences for non-compliance. It is crucial for organisations, regardless of their size or industry, to proactively adapt to these regulations to avoid significant financial and reputational damage,” he warns.

Rebecca Harper, Head of Cybersecurity Analysis at ISMS.online, also recognises the EU’s contribution.

“Although GDPR is an EU regulation, its extraterritorial reach has meant that many organisations worldwide had to comply with its provisions if they handled EU citizens’ data. This has sparked a global conversation about privacy and data protection, leading to increased awareness and improved data practices beyond the EU.

“GDPR has also harmonised data protection laws across EU member states, replacing the previous patchwork of national regulations. This simplification has been hugely beneficial for privacy professionals and businesses, as it provides a unified framework and consistent standards for compliance. The benefits of such an approach are many; harmonising more standards in this way would positively impact businesses, enforcement and understanding”, she says.

Be Prepared, Avoid Fines

“It is essential that companies understand what is expected of them in terms of compliance and have a privacy-by-design approach embedded in their structure. They need to continually assess and monitor the potential risks of continually evolving technology. Not being compliant could leave businesses open to huge regulatory and reputational risks,” says Uddin.

Gary Lynam, Director of Customer Success, EMEA at Protecht advises that organisations must step up their game in line with GDPR enforcement ramp up and strive for an online centrally managed repository to manage all regulatory obligations, and seamlessly link privacy data with risks, controls, incidents and breaches.

“Offline manual compliance methods have become an untenable and unsustainable means to manage GDPR in the long term. For example, if an organisation is onboarding a new vendor or third-party supplier or going through any sort of change, such as exiting or creating a new product, it will require a full Data Protection Impact Assessment.

“For this dataflow, maps will be scrutinised by the Privacy Information Officer or the Data Protection Officer to ensure GDPR accountability and data protection is integrated across every aspect of the organisation’s processing activities and enterprise management system,” he adds.

Camilla Winlo, Head of Data Privacy at Gemserv reflects that there are some areas where it would have been nice to see more impact.

“Five years on, codes of conduct and certification schemes remain elusive. There are unquestionably some – sometimes very obvious – tick-box responses to requirements and areas where it seems organisations are finding it difficult to get the technical support they need,” she says.

Some data protection professionals have been disappointed by the low number of fines issued for data protection failures and the lack of clarity around how much of the fines levied are actually collected.

“However, the efforts organisations are making to comply show that the law is having an effect. There now seems to be a general awareness that an appropriate amount of resource within projects needs to be allocated to data protection and cyber security – although, of course, professionals will always wish there was more,” concludes Winlo.

Laying Down the Law

Anxiety was high in the run up to GDPR coming in in 2018.  Companies were worried about fines, but generally, dealings with the ICO or regulatory intervention remain remote. Will Richmond-Coggan, a Partner in the data protection team at national law firm Freeths, outlines some positives, apart from the privacy, that businesses and individuals gain from its implementation.

“What has changed is the growing awareness among the public of their rights in respect of data. This can yield positives – companies are finding that marketing their products on the basis of privacy considerations is a valuable market differentiator which can lead to increased sales, for example.

“People are also getting better at exercising their rights to access and correct information that may be held about them. But there remains a lot of misunderstanding about what the law requires on many sides, resulting in frequently needless litigation around everything from the placement of cookies by a website, through to claims for compensation where a company and its employees or customers have all been victims of a data breach,” he says.

Some things have remained the same.

“The law continues to struggle to keep pace with the technology it is intended to regulate. GDPR was intended to overcome this struggle by being technology agnostic (in other words, that the principles it contains would be equally applicable to future technologies that hadn’t yet emerged when it was drafted).

“We have already seen a couple of tests for this with the evolutions in cloud computing and Very Large Online Platforms, but we are currently in the midst of the biggest test of GDPR’s resilience, as regulators look to understand how it can be brought to bear on the risks and intensive processing activities inherent in the newest generations of AI technologies,” he adds.

It may attract criticism but GDPR strikes a reasonable balance between protecting individuals’ rights and allowing businesses, public authorities and charities to use data to achieve their aims. James Castro-Edwards, data privacy counsel at law firm Arnold & Porter in London, says, “The application of GDPR is continually evolving, thanks to a wealth of case law and guidance generated by the courts, data protection authorities and the European Data Protection Board.

“It will always be a work in progress to some extent, however, on balance, GDPR works.”

Criticism of the Legislation

GDPR certainly improves data protection rights, but while GDPR enforcement is still maturing, has it made the impact it promised 5 years ago?

Jonathan Newman, CEO at Motive thinks that while GDPR established much needed data protections, put greater responsibility on data controllers, gave consumers greater rights and control and has been used as a foundation for similar protections introduced across the world, it also comes up short.

“Far too many businesses saw the introduction of GDPR as a tick-box activity. Consequently, once business leaders ensured regulations were adhered to the subject was not thought of again. Whereas for consumers, its introduction ignited a wider awareness of their data and data privacy more generally. Rather than this putting an end to the issue, it was only the beginning for increasingly data-conscious consumers”, he says.

Newman adds that GDPR is seen as red tape rather than a necessary step to protect personal privacy, and with the consequences of data sharing with third parties still being debated in Parliament, it’s clear we have a long way to go.

Further criticisms include that rather than consumers, its the lawyers who truly benefit from GDPR implementation, as an increasing number of law firms now cite GDPR expertise as one of their services. Even businesses with legal teams incur significant costs because they don’t have the subject expertise on data privacy, let alone GDPR.

Additionally, concerns over cumbersome, overly restrictive data protection regulations suffocating emerging new technologies such as AI and machine learning algorithms by over-regulating their deployment, prevail.

Scott McKinnon, Field CISO, EMEA, VMware says that GDPR has definitely raised awareness around the importance of data privacy in our increasingly digital world.

“The legislation has helped to redress the balance between the owner and processor of personally identifiable information. We’ve come a long way, previously users were required to sacrifice a portion of their privacy in exchange for “free” services in ways that were neither transparent nor understood. GDPR changed this by introducing new obligations for organisations regarding the information they collect, process and store,” he says.

While acknowledging the progress GDPR has made, McKinnon recognises that businesses need to address their shortcomings to increase consumer trust.

“While GDPR has made some significant strides in protecting user data privacy, the degree and extent of fines still being issued for data breaches is a clear sign that businesses continue to have room for improvement. To further enhance digital trust, businesses should be seeing better promotion of controller and processor obligations, as well as improved enforcement of regulation and more disincentives for transgressions.

He advises that something needs to change regarding accepting ‘cookies’ compulsorily to ensure privacy.

“While pop-ups requesting users ‘accept cookies’ aim to provide more transparency on user data privacy, like most, I am very tired of accepting cookies on websites. As a result, many will opt for denial of access to cookies which may impact a user’s experience on the site, but also their security. Some cookies are essential for website security, session management and fraud protection. There needs to be a better balance between having clear cookie notices and transparency on privacy policies when a user visits a site”, he says.

What Next?

Since Brexit, the UK continues to follow GDPR. However, the Government has the chance to adjust legislation, helping businesses to achieve their goals.

The UK Government understands the importance of protecting privacy rights to maintain the free flow of personal data across the EU. Still, it will also consider that data protection standards vary globally, and as a result, plans to introduce a Data Protection Reform Bill will be eagerly anticipated by organisations, legal and compliance bodies alike.

“According to the UK Government, the new approach to data privacy under the proposed Data Protection Bill will be easier to understand and comply with, and more ‘pro-innovation’ than GDPR. It remains to be seen what this will mean in practice in terms of enforcement,” offers Sarah Pearce, Partner at Hunton Andrews Kurth.

Things will get increasingly complex as the UK government plan to replace GDPR with its own British Data Protection Bill. This will lead to a new wave of regulations and policies businesses must adhere to.

Alev Viggio, Director of Compliance at Drata points out that this will only increase workload.

“The challenge here is that many businesses will still have to adhere to EU GDPR and this new system pending their customer base – this can create confusion and complexities in any compliance programme, especially when considering the consequences of fines and violations if they fall out of compliance.

“Managing this manually facilitates the chances of human error, so adopting a continuous compliance approach via automation can vastly simplify the process for following data protection rules and understanding the overlap between various regulations to avoid redundancies,” she says.

Harper notes how, once the Bill is addressed, UK companies must adjust.

“With the UK currently reviewing the Data Protection and Digital Information (No. 2) Bill, which would be a significant move away from GDPR, it will be interesting to see how the lack of harmonisation with the EU will impact businesses and the level of complexity, such significantly different standards will have on companies operationally, financially, and competitively within the broader EU markets,” she says.

While opinions around the new bill vary, business leaders need to see amendments as a positive move in allowing the UK to become a frontrunner for innovation.

“This is due to the changes in the barriers to entry for data use and data manipulation lowering, giving businesses the opportunity to engage with their data more freely and use it to inform growth,” says Damien Brophy, senior vice president EMEA at ThoughtSpot.

We’re on the cusp of a new era of technology, but leading experts argue that GDPR won’t be rendered useless by AI-related data collection and usage. Businesses and regulators have the difficult task of striking the right balance between privacy and innovation, working towards a middle ground that allows both to exist in harmony, according to Nimmo.

There is always room for improvement and Erfan Shadabi, a cybersecurity expert at comforte AG, advises on some changes to ensure that GDPR remains resilient in the face of future challenges.

“GDPR could benefit from clearer guidelines on some provisions, ensuring harmonised interpretation across jurisdictions. Also, the GDPR framework could benefit from specific provisions that cater to evolving technologies like artificial intelligence and blockchain.

“For instance, when it comes to AI, GDPR could benefit from provisions that outline clear guidelines on data protection and privacy considerations in AI systems.”

The privacy landscape is in a state of flux, and it remains to be seen whether GDPR will be able to keep up. New technologies, like facial recognition and AI, will raise new privacy concerns. Businesses must stay up-to-date on the latest privacy developments and adapt their practices accordingly.

You may also like...

A man doing a presentation

The three fates of workers in the age of AI

In this guest article, Hannah Seal, partner at Index Ventures, explores the impact of AI on the workforce. “Love and work are the cornerstones of our humanness,” Sigmund Freud once wrote. So, what happens to our humanity in an era of AI, which – according to the headlines – threatens to replace millions of jobs...
A sign showing the go:tech awards logo

Go:Tech Awards 2024 shortlist revealed

Business Leader has revealed the shortlist for this year’s Go:Tech Awards. The finalists were decided through a rigorous selection process by the awards’ judging panel, which this year included HSBC’s head of technology sector Roland Emmans; Dr Sofie McPherson, patent director at the law firm HGF; Yiannis Maos, founder and CEO of Birmingham Tech; and...

Quantum sensors: A booming market

For many years, quantum sensing was largely a scientific curiosity that few people could grasp. Now, it is primed to become a hotbed of commercialised innovation