top of page

GDPR - 5 Years Later, What Has Changed?

The General Data Protection Regulation (GDPR) is a crucial framework that safeguards the privacy and rights of individuals in the digital age. Its importance cannot be overstated, as it addresses the growing concerns regarding the collection, storage, and processing of personal data by organizations worldwide.

We heard from top privacy experts on how the landscape has changed under GDPR. Jeff Reich, Executive Director at the Identity Defined Security Alliance (IDSA):

“The rock in the pond that is the GDPR continues to cause ripples that affect everything in the vicinity. Seven years after the GDPR was adopted, five years after enforcement began, it is difficult to not see the results of the regulation, to date.

Starting in the EU by law, behavior is spreading to other countries and jurisdictions. In the United States, any state or territory creating privacy regulations models them after the GDPR. Merchants and vendors know what they need to do, even when they do not know how to do it yet. The best behavior change is with consumers.

Although we have yet to complete the journey, more and more consumers are seeing the value of their identity and the security that protects the privacy of their identity. That may be the biggest long-term benefit.

I look forward to the next five years to see what changes continue to ripple across the pond.”

George Gerchow, IANS Faculty and CSO and SVP of IT at Sumo Logic:

“The General Data Protection Regulation (GDPR) is an evolving regulation, and there are several developments expected in the coming years.

Emerging Technologies - As new technologies such as artificial intelligence and the Internet of Things become more prevalent, there will be a need to assess their impact on data protection and privacy. The European Data Protection Board (EDPB) is expected to provide guidance on the application of GDPR to these technologies.

ePrivacy Regulation - The European Union is also working on a new ePrivacy Regulation, which will complement GDPR by providing specific rules on the use of electronic communications data. The regulation is expected to be finalized and adopted in the near future.

Overall, GDPR is likely to continue to evolve and adapt to new challenges in the coming years, with a focus on protecting individuals' privacy and personal data in an increasingly data-driven world.”

“Reflecting on another year of GDPR reminds me that the mere existence of this regulation has been a global game changer. From California Consumer Privacy Act of 2018 (CCPA) to the Personal Information Protection and Electronic Documents Act (PIPEDA), GDPR has been driving the notion of data privacy across the globe. To me, it’s a good example of what potential global policy could look like. Looking back at 2021, though the fines were not the highest we’ve seen, there were still some very hefty fines levied in 2022 with Meta and Clearview being the two organizations hit the hardest.

There are also two additional things being worked in the background to enable GDPR to keep up with the new threats to data privacy and reduce some of the current complexity that exist in its current state.

There is currently a Data Protection and Digital Information Bill, which had its first reading in May 2022, that seems to be stuck. This new bill seeks to simplify GDPR and make it more agile to adapt to the needs of organizations trying to create data privacy policies and architectures that enable them to meet the specific controls of GDPR.

Additionally, in an effort to combat the risks being introduced due to the AI phenomenon, there is work that is being looked at to identify the intersection between the Artificial Intelligence Act (AI Act) and GDPR. The outcome could be very interesting in how organizations meet GDPR as it relates to privacy data and artificial intelligence.

As we look forward, we should pay close attention to the EU-US Data Privacy Framework and the impact it will have on transmitting data into and out of the EU. This will make transferring data between countries a lot easier and potentially more clear as it relates to GDPR and the related controls.”

“Consumer privacy has been a huge concern since the dawn of the internet. Aside from the obvious security concerns, people started to realize that their personal information was a commodity that was being monetized and exploited by large corporations (sometimes of dubious integrity). GDPR was the first truly wide-reaching attempt to codify and enforce consumers’ (and employees’) rights to privacy.

When it launched, most companies were scratching their heads about how to comply – or even if they needed to comply. GDPR was seen as a significant barrier to doing business in the European Union, the United Kingdom, and other geographies that had adopted GDPR-style legislation.

However, over the last few years, GDPR has become a standard – and has changed the way companies talk about privacy. Impacting everything from policy and legal considerations to product design to operational processes. Thanks to GDPR, consumer and employee privacy protections have been normalized throughout the global corporate world.

Two factor authentication is not required but preferred for accessing systems that process personal data, per the guideline issued by ENISA — the European Union Agency for Network and Information Security — which advises member states and private sector organizations in implementing EU legislation. However, given the current state of multi factor authentication which can be easily breached, we highly recommend that the organization should leapfrog and move toward a tighter authentication with invisible MFA and eliminate passwords.”

Alastair Parr, SVP of Global Products & Delivery, Prevalent Inc.:

“As it celebrates its fifth year driving positive change, GDPR continues to impact the practice of third-party management with its treatment of privacy as a core requirement. To this end, privacy teams are operating in lockstep with procurement and information security teams, ensuring that GDPR obligations are specified and tracked throughout the third-party lifecycle. Accordingly, we expect businesses to become better at tracking non-conformities within their extended enterprises.

As well, we see that organizations are beginning to see data privacy obligations as a global expectation, not just a requirement of their EU operations. For example, CCPA, the DPA 2018, and PIPEDA all bear a strong similarity to GDPR, reinforcing the perception that it set the precedent for what good data protection practice looks like for consumers and businesses alike.”

"While no law is perfect, the GDPR regulation was one of the most ground-breaking, necessary, and extremely well crafted pieces of cross-border legislation in recent history. Protection of Personal Data is critical to a well-functioning and open society, and while GDPR didn't stop the abuse of big technology companies, it made the consequences of their actions substantive and many, including Google and most recently Meta have been fined billions of dollars for their abusive handling of Personal Data. Even the definition of "Personal Data" per GDPR, was forward looking in that it cast a wide net, anticipating that tech companies would try bypass the definition to continue to harvest, export and profit by exploiting the data made available to them. The law was both clear and manageable and therefore it has become a framework for many data privacy laws around the world. If you ask if the law has been effective, I will give a resounding "yes", and back it up by the data in a recent Cyber Threats Report1. on the security of mobile applications, where European based fintech companies outperformed their US counterparts by a significant margin."


bottom of page