GDPR 5 years on

Exploring the Pros, Cons and Myths with Data Professionals

With much fanfare, the General Data Protection Regulation came into effect on 25th May 2018.

GDPR’s purpose was to harmonise data protection rules across Europe, to enhance individual privacy rights and make organisations more accountable for how they collect, use and protect personal data. Transparency, accountability and data protection by design were the core themes running through the new legislation.

For some, the GDPR was just another challenge to be managed. To others, it was an opportunity to demonstrate high standards and stand out from competitors. Many probably fell somewhere in between.

Following a huge surge of compliance activity in the run-up to May 2018, some organisations have continued on their data protection journey. Others might have old GDPR policies gathering dust – the data protection equivalent of the Millennium Bug. What was the fuss about? Well, ask Meta, recently slapped with a 1.2 billion euro fine by Irish regulators for GDPR breaches! The biggest GDPR fine ever.

The world moved on. Brexit led to its own UK GDPR ‘spin-off’. Many other countries outside Europe introduced or updated privacy legislation using GDPR as their benchmark. Max Schrems became even more infamous for challenging Facebook/Meta, time and again on international data transfers. The Covid pandemic raised a plethora of new data protection issues.

Advances in technology such as AI increasingly vex data protection teams. GDPR caselaw continues to evolve, the regulation tossed around in a never-ending storm of legal battles. This is normal; most game-changing regulations are subject to scrutiny by interested parties in courts of law. In theory, GDPR should be finessed as a result.

Where are we now? Five years on, we’ve sought the views of experienced data protection professionals. What benefits has the GDPR brought with it? What challenges remain? And what does the future hold?

GDPR benefits

Robert Bond, Senior Counsel, Privacy Partnership Law, believes organisations which took GDPR seriously in the first place are in a good place now:

“5 years ago, organisations of all sizes were struggling with the requirements of the GDPR, from updating Privacy Notices to completing the ROPA, doing DPIAs and managing accountability and transparency. In the past 5 years my clients have realised that the return on investment for all of their hard work in being compliant is that they are not only reaping the value of personal data as an asset, but are better prepared to comply with the fast development of global data privacy laws which are heavily influenced by the GDPR.”

Stephen Baigrie, Managing Counsel, IT, Procurement & Privacy at Balfour Beatty, believes GDPR has enabled a positive culture surrounding data protection.

“For organisations, GDPR has put data protection further up the corporate risk radar. The transparency and accountability requirements have helped create more of a culture whereby organisations have to be more accountable for processing activities. The need to carry out data protection impact assessments, if done properly, has helped organisations de-risk processing activities.”

GDPR put data protection firmly in the public spotlight, and this is a key positive for Natasha Warner, Director, Privacy Practices & Risk Management at American Express:

“GDPR has significantly increased public awareness of the importance of data protection, which in turn has raised the profile of privacy and data protection on the corporate agenda. Since 2018 the business case for investment in a robust privacy risk management program has been strengthened, allowing the public to have clear expectations about the standards that should be applied across industries to protect their data.”

GDPR myths

GDPR spawned its own myths and disinformation, not helped by some ridiculous decisions taken in the name of GDPR: the “we can’t do that, because of GDPR” excuse. Here are just some of the myths which, five years on, sometimes still need to be dispelled.

  • Consent is always required to collect and handle people’s personal data. NOT TRUE. There are six lawful bases to choose from; GDPR tells us to select the most appropriate for what we are doing. Lawful Basis Quick Guide
  • Consent is always required for all direct marketing. NOT TRUE. In the UK, some forget (or have not even heard of) GDPR’s much older cousin, the Privacy and Electronic Communications Regulations (PECR), which govern direct marketing by electronic mail or telephone. PECR tell us when consent is needed and when it isn’t. And outside the remit of PECR, direct marketing can be undertaken under the organisation’s legitimate interests. GDPR & PECR
  • Data Protection Officers – all organisations need one. NOT TRUE. DPO myth buster
  • It’s all about fines. NOT TRUE. Only the worst offenders will be fined, but there are plenty of other sanctions available to data protection authorities.
  • Data sharing is forbidden. NOT TRUE. Data protection law requires us to make sure data sharing is done transparently, lawfully, fairly, securely and proportionately.
  • Erasure requests must always be fulfilled. NOT TRUE. There may be circumstances in which you can justifiably decline to delete someone’s data.

GDPR challenges

Compliance with any major piece of legislation will present difficulties. There may also be some justification to allegations that GDPR is too prescriptive. And it’s not just in the UK that GDPR has critics; there are people within the EU calling for reform as well. In our experience at DPN, some of the key challenges are:

  • Meeting the requirements for International Data Transfers
  • Creating and maintaining a Record of Processing Activities (RoPA)
  • Handling complex Data Subject Access Requests
  • Assessing if a personal data breach is reportable or not
  • Embedding data protection by design and conducting Data Protection Impact Assessments (DPIAs)
  • Managing the data supply chain

Stephen Baigrie says compliance with GDPR has taken time and money.

“For organisations with limited resource, GDPR has undoubtedly created an additional load. It is a complex piece of legislation and is resource-intensive and expensive to fully comply with and maintain compliance on. There is also a challenge regarding finding affordable and accessible technology solutions to help facilitate compliance particularly on areas such as retention for instance.”

Marketing and data protection professional John Mitchison says the challenges continue to be felt five years on, especially for smaller businesses.

“Smaller organisations still face difficulties in complying with the complex requirements due to limited resources and expertise. Additionally, the lack of certainty about the correct approach to compliance is a challenge, as interpretation and guidance can vary.”

John also believes organisations which flagrantly disregard the rules continue to undermine GDPR.

“We have the problem of larger organisations and those involved in online advertising ignoring the rules. Despite the potential for substantial fines, many organisations continue to prioritise their business interests over data protection. This non-compliance not only undermines the principles of GDPR but also raises issues of accountability and fairness in the digital ecosystem.”

Data protection – the future

Five years on, what does the future hold?

Elizabeth Smith, Senior Data Protection and Customer Solutions Expert, DPOrganizer believes global engagement is key.

“In 2022, Gartner predicted that by year end 2024, 75% of the world population would have modern privacy regulations. With different regulations applying globally and the cyber world becoming borderless, it is important that there is global engagement and harmonisation.”

With the increased technical advancements and greater use of AI, it is imperative that privacy is kept at the fore of developments. The challenge is for society, industry, innovators and regulators to collaborate to ensure data protection is not jeopardised.

In the UK, we have the prospect of changes to data protection law, but as Dominic Batchelor, Head of IP & Privacy at Royal Mail Group points out, these changes are not as ambitious as they might have been.

“The Government’s relatively restrained approach to revising UK GDPR suggests we will continue to have broadly the same data protection regime for the foreseeable future. Most of all, this emphasises the priority given to keeping cross-border data flows simple, although the opposition to the EU’s Trans-Atlantic Data Privacy Framework indicates this will not always be straightforward and further legal challenges seem likely. In short, the next five years could well look much like the past five.”

Claire Robson, Data Protection Officer at the Great Ormond Street Hospital Children’s Charity, feels the prospect of changes to UK legislation adds complexity.

“Five years on from GDPR, and as we seek to move towards a new legislative framework, we are faced with having to keep on top of UK laws, as well as those applying across other territories. Although the divergence may be considered small, some differences are likely to have significant impact and will bring added complexity.

For the in-house privacy professional, striking the balance between compliance, security, and user experience, ensuring internal processes are unobtrusive but retain the robustness underpinned by GDPR, will become ever more challenging.”

Stephen Baigrie points to the growing issues generative AI is throwing up.

“I think given the recent pace of development seen on AI, use of generative AI will continue to be a data protection challenge for organisations and individuals in the future and, with the EU AI Act and UK Government AI white paper, an area of potential further divergence by the UK.”

And so, at five years old, our understanding of GDPR evolves as governments (and law courts) continue to work through interpretations of the regulation. This seems inevitable, given the complexities of global business, international tensions and ever-evolving technology.

What is important, though, is for businesses to understand the underlying spirit behind the GDPR. Regulators and courts will always understand the difference between a mistake made in good faith and one that wasn’t. Understanding and alignment with the core principles is key.