GDPR 5 year anniversary: Reflecting on the past, envisioning the future

Five years ago, the European Union introduced the General Data Protection Regulation (GDPR) to protect individuals’ data privacy and increase transparency in how companies collect and use personal information. So today, 25th March 2023, marks the GDPR 5 year anniversary!

The introduction of GDPR changed the internet as we knew it. Arguably it’s become the benchmark for data privacy standards, with new laws around the world coming into force like CCPA and VCDPA based on the core principles of GDPR.

Additionally, the implementation of consent management tools like cookie banners and preference widgets brought data privacy to the forefront of public attention. Though a recent survey by IAPP found nearly 68% of consumers around the world are still very concerned about their privacy online.

This begs the question, are the regulations doing enough to enforce compliance thus reassure consumers? Or are businesses simply not taking them seriously enough?

So on the GDPR’s five year anniversary, we’re looking at some of the biggest challenges GDPR has faced and what comes next…

• Lack of accountability (particularly from global tech giants)
• Complexity and compliance burden
• Poor implementation
• Is GDPR ready for the future?

Lack of accountability (particularly from global tech giants)

Organizations in breach of the GDPR can be fined up to 4% of annual turnover, or up to €20 million, whichever is largest. Enforcement for such complex legislation was always going to take time. However there has been frustration at just how long it takes to see a complaint through to a verdict. Whilst GDPR fines have ramped up by 39% in recent years, organizations still find ways to extend the process and dodge the fines.

Just this week, Meta has been hit with the biggest fine to date of £1.2 billion for their use of standard contractual clauses (SCCs) to move data to the US, but they plan to appeal. This complaint was originally lodged back in 2013, marking how long the process has taken to get to this stage.

GDPR was intended to hold large tech companies accountable for their data-handling practices. However, some critics argue that these companies have managed to navigate the regulation effectively, and the fines imposed have not been significant enough to deter privacy violations. There are ongoing debates about whether the penalties imposed are proportionate to the scale of violations committed by some of the major players in the digital industry.

Complexity and compliance burden

For many businesses, the sheer complexity of GDPR is overwhelming. Particularly for small and medium-sized enterprises (SMEs) that may lack the resources and expertise to fully understand and implement them.

Complying with the extensive documentation, record-keeping, and reporting obligations has proven challenging for many businesses. This leads to compliance fatigue and potential gaps in adherence. Half of businesses only have a part-time data protection officer in place.

In a broader context, there’s also criticism that the sheer complexity of GDPR has led to individual supervisory authorities and national courts taking different interpretations. This then creates potential inconsistencies for organizations operating within multiple member states.

Poor implementation

Post-GDPR, many businesses implemented cookie banners and consent management platforms (CMPs), or used basic built-in functionality within their CRM platforms, to manage consent and compliance.

The problem? Many of these tools fall short of true compliance management, from substandard configuration to technical limitations. They’re not able to adapt based on multi-device preferences or handle multiple data sources across tech stacks.

As recently as last year, the European Data Protection Board released additional guidelines around dark patterns. Manipulative design tricks are causing potential data privacy violations. We’ve likely all come across websites that default to non-compliant practices like pre-checked consent boxes and implied consent tactics. These tactics weigh heavy on how businesses are perceived by consumers and what they’re doing with our data. Building trust needs to be at the forefront of privacy strategies.

Is GDPR ready for the future?

We all know technology evolves faster than litigation. But arguably the GDPR principles have been specifically developed to provide a solid foundation to guide organizations along their compliance journey.

Safety advocates argue that many companies at the forefront of innovation are putting privacy rights on the backfoot. Connected technology like smart wearables, smart TVs, autonomous vehicles and health tech pose big questions about how they collect and store personal data.

There’s also the huge implications of artificial intelligence (AI), which is evolving at such a rapid rate even the creators are calling for laws to mitigate risks. Italy even temporarily suspended ChatGPT over concerns it violated GDPR.

Technology needs to be built in line with GDPR principles and organizations must assess their use of tools like AI system’s impact on privacy and data protection.

Whilst GDPR has come a long way in five years, there’s still a long way to go to ensure it’s up-to-speed with what’s next.

It’s worth noting that, on the GDPR 5 year anniversary, it is a relatively young regulation, and its effectiveness and impact are still evolving.

As supervisory authorities gain experience and legal precedents are set, some of these challenges are expected to be addressed. Nonetheless, ongoing efforts to improve implementation, enforcement, and harmonization are essential to ensure the successful realization of GDPR’s objectives.

Learn more about how Cassie can help you achieve GDPR compliance without compromising your business goals.