The GDPR is 5 years old – where are we now?

The EU General Data Protection Regulation (GDPR) law governing data protection first came into force on 25 May 2018. The GDPR turned 5 years old this month – happy birthday GDPR!

This ground-breaking law has changed the privacy world forever and, in this article, we will explore some key highlights on its impact and what is yet to come. 

See our article on how to comply with the GDPR here

Where did we start?

When the GDPR came into force in 2018, it brought with it a very steep learning curve for organisations processing personal data. It took a very long time for organisations to understand the changes the new law brought and what it really meant for them.

You may recall that there was a mad rush for businesses to ‘get compliant’ in 2018 – unfortunately, there was also a lot of scaremongering and a real misinterpretation around fines, with many businesses fearing being fined millions by the data protection regulators.

The GDPR was legislation which had been years in the making and it was extremely ambitious and vast in its scope in many respects– naturally, therefore, it had a long way to go before businesses could truly get to grip with it.

What happened over the years?

Since the GDPR came into force, we’ve seen challenges to data privacy that have been unprecedented (such as the global pandemic) and threats to privacy which have seriously probed organisations.

The law brought with it striking changes and organisations processing personal data had to adapt to working with it, by taking time to understand the rules applicable to them and carefully analyse the steps required for compliance.

Some of the most prominent changes brought by the GDPR were extremely high regulatory fines for breaching data protection laws (including fines for data protection law breaches of up to £17,500,000 or 4% of total worldwide annual group turnover, whichever greater), organisations needing to focus on ‘accountability’ to demonstrate compliance (for example by maintaining a Record of Processing Activities) and the ‘extra territorial’ reach of the GDPR, meaning companies outside of Europe also needed to comply to the extent that this law caught their data processing activities.

Now, 5 years on, there seems to be a more general widespread public understanding of how the law works and we’ve seen that businesses are focussing more on nuanced data protection issues relevant to them. In fact, the UK ICO has focussed on publishing detailed guidance on more technical and niche issues such as artificial intelligence, perhaps because organisations seemed to have grappled with the basic concepts in the last 5 years and the ICO now wishes to focus on more complicated areas.

It seems that the GDPR has been successful in bringing data protection to the forefront of board agendas and encouraging companies to take the protection of personal data seriously. Indeed, despite regulatory fines, the focus of this law is to improve ethics and standards around data protection and help businesses get this right by adopting a culture of privacy.

In the wider world too, many say the GDPR has set a ‘gold standard’ of privacy law and other countries globally have followed suit. We’ve seen that countries have started to develop privacy laws similar to the framework of the GDPR and it seems that the GDPR gave rise to a general increased awareness of the importance of protecting personal data globally, for example, we have seen the introduction of the California Consumer Privacy Act in California. The global discussions on privacy laws and their importance are a great achievement of the GDPR.

What are some of the key themes and developments we’ve seen over the past 5 years?

A lot has happened in the past 5 years, but here are some key issues of interest:

• Compliance with data protection laws needs sufficient time, resources and effort and has been taken more seriously since the GDPR came into force. Personal data sits at the heart of virtually all businesses – the GDPR has required organisations to comply with several obligations and therefore put a lot of time and effort into compliance. For example, organisations need to provide a range of comprehensive information to individuals in their privacy notices, continually review and update their policies, stay up to date with data protection law developments and guidance and keep thorough records around ‘consent’. Since the GDPR came into force, compliance with data protection laws is by no means a ‘tick box’ exercise and is more so a serious business task.

• Insufficient information security and personal data breaches are very high risk. We have seen that a vast number of UK ICO enforcement actions have related to companies not having in place appropriate security to safeguard personal data. Personal data is still being processed unlawfully by some businesses and those businesses need reminding to focus on compliance. Businesses need to focus on compliance continuously and not become complacent simply because the law has been in force for 5 years. Since the global pandemic, more and more people are working remotely, and this has posed a threat to personal data – particularly as data breaches are now far more common. This is an area which every business should really focus on continuously and work to ensure that they have appropriate security measures in place to safeguard the personal data which they process.

• Individuals are much more aware of their rights and subject access requests are increasingly common. Consumers and employees alike are all very aware of their rights and data subject access requests have been on the increase. Businesses should be well prepared and well versed in dealing with these requests, as it’s an expectation that most businesses will receive requests or at least questions from individuals on how their data is handled. Subject access requests have certainly been a pain point for businesses, much more so over the last 5 years.

• International data transfers of personal data are increasingly complicated and there is a lot to keep on top of. The case of Scherms 2 which invalidated the US Privacy Shield brought with it several complexities and lessons around international data transfers. Regulators have released new versions of ‘Standard Contractual Clauses’ for the transfer of personal data outside of the EEA and there are onerous requirements to comply with, such as carrying out appropriate transfer risk assessments. Businesses really need to gets to grips with this complex area and ensure their international transfers of personal data are compliant – see our article for further information
• Fines for breaching data protection laws have increased and the headline fines have been a warning to businesses that there still a long way to go. In fact, it was reported that the UK ICO tripled its fines in 2022. Tik Tok was fined 12.7 million for misusing children’s data and Meta was recently fined a staggering 1.2 billion Euros by the Irish data protection regulator. Whilst fines are not the focus of the data protection regime, they are a warning to businesses of what can do wrong if these strict legal rules are not followed correctly. See our article for further information on what can happen if you get data protection compliance wrong.

• There are new challenges to privacy laws, as our digital world and its new trends continue to develop rapidly. The data protection law framework continues to advance and become more complicated, shown by the UK ICO now releasing new guidance on niche areas such as artificial intelligence. Indeed, new developments such as issues around facial recognition and tech ChatGPT have given rise to a host of new data privacy considerations – see our article on this interesting topic here. Those with responsibility for data protection compliance, in particular DPOs, need to continuously update themselves on recent developments and guidance published by regulators, to say on top of compliance. These developments again show that there is still work to do in this space and compliance should be top priority.

• The UK has been granted ‘adequacy status’ by the EU, meaning personal can continue to flow freely from the EU to the UK for now, but is also developing its own framework for privacy laws. Following the UK's withdrawal from the EU, the GDPR was adopted into UK law and known as the ‘UK GDPR’. In the UK, the UK Data Protection Act 2018 (DPA 2018) has implemented and supplemented the UK GDPR. However, there are proposals to reform data protection law in the UK by way of the ‘Data Protection and Digital Information Bill’, intended to simplify data protection law in the UK. See our article on this development here. It remains to be seen how far the UK own data protection regime will diverge from the EU’s, particularly as the UK needs to maintain its adequacy decision from the EU to allow for the free flow of personal data.

What to do now

To summarise, a lot has happened in the last 5 years, and these are some of the key developments which businesses should understand.

We advise businesses to continue to review and focus on their compliance – for example, by reviewing their legal obligations, ensuring their records for ‘accountability’ purposes are fully up to date and carrying out refresher data protection law training for staff.

The GDPR (and the UK GDPR) are focussed on ensuring that individuals can trust that their personal data is processed safely, and data ethics is at the heart of compliance. We have seen several technological advancements in the last few years and technology will only continue to develop (notably in the case of artificial intelligence) and therefore it is vital that businesses follow these mandatory data protection law rules, particularly as the amount of data they collect and use increases.

As both individuals and countries globally are recognising the importance of data protection laws, strong data protection compliance is a must for every business and protecting personal data should become a default habit.

If you’d like legal advice on the data protection law regime and specific rules your business needs to follow, please contact us and our experienced data protection law team can help.