May 25, 2018 is a date every data protection specialist remembers. That day marked the start of application of the GDPR, the General Data Protection Regulation. Mailboxes filled with consent requests, websites were covered with cookie banners, and organizations worldwide frantically updated their privacy policies.
Eight years later, we can look back and assess how GDPR changed the world of data protection. This article summarizes the evolution, challenges, and perspectives for the future.
What is GDPR and why was it needed?
GDPR (General Data Protection Regulation) is Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016. It entered into force on May 24, 2016, but became applicable after a two-year transitional period - on May 25, 2018.
Problems GDPR was meant to solve
Fragmented regulations: Before GDPR, each member state had its own data protection regulations implementing Directive 95/46/EC. This created a patchwork of regulations making cross-border activity difficult.
Inadequacy to the digital era: The 1995 directive was created when the internet was in its infancy. It didn’t anticipate big data, social media, mobile devices, or cloud computing.
Weak enforcement: Penalties for violations were low, and supervisory authorities had limited resources. Companies often ignored regulations because compliance costs exceeded sanction risk.
Lack of user control: People had limited knowledge about what happens with their data and little they could do about it.
How GDPR addressed these problems
Unification: As a regulation, GDPR applies directly in all EU states without the need for transposition. One text, one interpretation (at least in theory).
Modernization: GDPR introduced principles adequate to the digital era: privacy by design, right to be forgotten, data portability.
Severe penalties: Maximum penalties up to EUR 20 million or 4% of global turnover effectively got boards’ attention.
Individual rights: An expanded catalog of rights (access, rectification, erasure, restriction, objection, portability) gave people real control tools.
How has the organizational approach to data protection changed?
Eight years of GDPR fundamentally changed how organizations treat personal data.
From compliance to culture
Before GDPR: Data protection was often treated as a formality - something to “check off” once a year during the annual audit.
After GDPR: For many organizations, data protection became part of organizational culture. Privacy by design means thinking about data from the beginning of a project, not at the end.
Rise of DPO significance
Data Protection Officers (DPOs):
- Mandatory in many organizations
- Independent position guaranteed by law
- Direct access to highest management
- Profession and certification development
Statistics: It’s estimated that over 500,000 data protection officers work in Europe - a profession that practically didn’t exist at this scale before GDPR.
Tool investments
Privacy technologies:
- Consent Management Platforms
- Data mapping tools
- Data subject request handling platforms
- Anonymization and pseudonymization solutions
Budgets: Organizations spent billions adapting to GDPR - from system updates to employee training.
How has case law developed?
Eight years is sufficient time for rich case law interpreting GDPR to develop.
Key CJEU rulings
Schrems II (2020): The Court of Justice of the EU invalidated Privacy Shield - the mechanism for data transfers to the USA. The ruling shook transatlantic transfers and forced renegotiation of rules.
Meta Ireland (2023): Record fine of EUR 1.2 billion for Meta for data transfers to the USA. It showed that even tech giants are not above the law.
Fashion ID (2019): Joint controllership when embedding social plugins. Every site with a “Like” button became jointly responsible for processing.
Planet49 (2019): Pre-checked checkboxes don’t constitute valid consent. End of default consents.
Supervisory authority decisions
Largest fines:
- Meta: EUR 1.2 billion (Ireland, 2023)
- Amazon: EUR 746 million (Luxembourg, 2021)
- WhatsApp: EUR 225 million (Ireland, 2021)
- Google: EUR 90 million (France, 2021)
Main interpretive lines
Legal bases for processing:
- Consent must be freely given, specific, informed, unambiguous
- Legitimate interest requires balancing with individual rights
- Contract performance cannot be a pretext for broad processing
Data subject rights:
- Right of access includes information about automated decision-making
- Right to erasure is not absolute
- Right to portability applies to data provided by the subject
Security:
- Measures must be adequate to risk
- Personal data breach requires notification within 72 hours
- Controller responsibility doesn’t depend on fault
What impact has GDPR had globally?
GDPR extended far beyond European Union borders.
The Brussels Effect
Global standard: GDPR has become the de facto global data protection standard. Companies operating internationally often apply GDPR as the baseline for all their operations.
Legislation modeled on GDPR:
- Brazil: LGPD (Lei Geral de Proteção de Dados)
- California: CCPA/CPRA
- Japan: APPI (amendment)
- South Korea: PIPA
- India: Digital Personal Data Protection Act
- China: PIPL
Adequacy decisions: The EU issues decisions finding adequate data protection levels in third countries, promoting adoption of GDPR-like standards.
Impact on technologies
Privacy by design: Technology manufacturers began designing products with privacy in mind from the start.
Data minimization: Trend away from collecting “everything just in case” toward purposeful processing.
Decentralization: Increased interest in edge computing and federated learning technologies that limit data transfer.
Impact on business
New business models:
- Companies offering “privacy as a service”
- Consent management tools
- DPO as a service
- Audits and certifications
Competitive advantage: Privacy protection has become a marketing argument. “We respect your privacy” is now a standard message.
What challenges remain?
Despite successes, GDPR hasn’t solved all problems.
Enforcement
Overloaded authorities: Supervisory authorities are overwhelmed with complaints. Proceedings take years. Famous cases against big tech drag on endlessly.
Forum shopping: Companies establish headquarters in countries with “friendlier” authorities (e.g., Ireland), making effective enforcement difficult.
Interpretation differences: Although GDPR is uniform, authorities interpret provisions differently. Lack of consistency weakens legal certainty.
New technologies
Artificial intelligence: GDPR didn’t anticipate AI at current scale. How to apply minimization and purpose principles to models trained on enormous datasets?
Internet of Things: Billions of devices collecting data in ways difficult to control. How to ensure transparency and consent?
Biometrics: Face, voice, gait recognition. Special categories of data processed on a massive scale.
Cookie fatigue
Banner fatigue: Users massively click “Accept all” without reading. Is consent still “informed”?
Dark patterns: Interfaces designed to make refusing consent difficult. Regulators fight, but the problem persists.
Alternative solutions: Proposals like Global Privacy Control or Privacy Sandbox are attempts to solve the problem, but adoption is slow.
How is GDPR evolving?
GDPR itself doesn’t change (it’s a regulation), but its ecosystem does.
EDPB guidelines and opinions
The European Data Protection Board regularly issues interpretive guidelines:
- Guidelines on consent
- Guidelines on data subject rights
- Guidelines on international transfers
- Guidelines on administrative fines
These documents, though not legally binding, shape GDPR application practice.
New complementary regulations
AI Act: Artificial intelligence regulation supplements GDPR with specific requirements for AI systems.
Data Governance Act: Facilitates data sharing while maintaining privacy protection.
Data Act: Regulates access to data generated by IoT devices.
Digital Services Act/Digital Markets Act: Regulate internet platforms, including data-related aspects.
GDPR review
The European Commission conducted reviews of GDPR application. Main conclusions:
- GDPR works but requires better enforcement
- Practice harmonization between states needed
- Small businesses need simplified procedures
- Better cross-border cooperation necessary
How does GDPR affect cybersecurity?
GDPR and cybersecurity are closely connected.
Security requirement
Article 32 GDPR: The controller and processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
Measures mentioned in GDPR:
- Pseudonymization and encryption
- Ability to ensure ongoing confidentiality, integrity, availability, and resilience of systems
- Ability to restore availability and access to data in case of incident
- Regular testing, assessing, and evaluating effectiveness of measures
Personal data breaches
Notification obligation: A personal data breach must be notified to the supervisory authority within 72 hours.
Notification to data subjects: If breach is likely to result in high risk to individuals’ rights, they must be notified.
Statistics: Hundreds of thousands of breaches have been reported across the EU since 2018. This shows both the scale of the problem and increased awareness of the reporting obligation.
Synergy with NIS2
Common goals: GDPR protects personal data, NIS2 protects systems and networks. Secure systems mean secure data.
Mutual complementation:
- A NIS2 incident may also be a GDPR personal data breach
- NIS2 security measures support GDPR Article 32 compliance
- Risk management covers both aspects
What practices work after eight years?
Eight years of organizational experience make it possible to identify good practices.
Risk-based approach
Not everything equally: Different processing operations require different measures. Medical data requires more than marketing data.
Impact assessment (DPIA): Regular data protection impact assessments for high-risk operations.
Prioritization: Focusing on biggest risks rather than trying to “do everything perfectly.”
Transparency
Understandable policies: Privacy policies written in plain language, not legal jargon.
Layered approach: Layered information - a short summary plus a full version for those who want the details.
Proactive communication: Informing about changes, incidents, procedure updates.
Privacy culture
Training: Regular training for all employees, not just IT and legal teams.
Champions: Privacy ambassadors in various departments.
Privacy by default: The most privacy-protective settings are enabled by default.
Documentation
Processing records: Current register of all processing operations.
Procedures: Documented procedures for handling requests, incidents, consents.
Evidence: Archiving consents, training, decisions.
What will the future bring?
Looking to the future, we can expect several trends.
Strengthened enforcement
More fines: Authorities are gaining experience and confidence. Fines will be more frequent and higher.
Faster proceedings: Procedural reforms aim to speed up case handling.
Better coordination: Cooperation mechanisms between authorities will be more effective.
New technological challenges
Generative AI: Language models trained on personal data. How to apply data subject rights?
Metaverse/XR: Biometric, behavioral, location data in immersive environments.
Neurotechnologies: Brain-computer interfaces and brain activity data.
Rights evolution
Right to explanation: Understanding algorithmic decisions.
Collective redress: Easier class actions in data protection cases.
Children’s rights: Enhanced protection for minors in the digital environment.
Summary - GDPR as foundation of digital rights
Eight years of GDPR is a success story with caveats. The regulation achieved many of its goals, but challenges remain ahead.
Positive balance
What succeeded:
- Raising awareness of privacy rights
- Creating a global data protection standard
- Professionalizing the field (DPO, tools, certifications)
- Forcing investment in security
- Giving people real control tools
Areas for improvement
Remaining challenges:
- Enforcement effectiveness
- Interpretation consistency
- Adaptation to new technologies
- Consent fatigue
- Burdens for SMEs
Key numbers - 8 years of GDPR
| Indicator | Value |
|---|---|
| Total fines | > EUR 4 billion |
| Highest single fine | EUR 1.2 billion |
| Number of reported breaches | > 500,000 |
| Estimated number of DPOs in EU | > 500,000 |
| Countries with GDPR-modeled law | > 30 |
Recommendations for coming years
For organizations:
- Treat GDPR as a continuous process, not a one-time project
- Invest in privacy culture, not just procedures
- Follow case law and guidelines
- Prepare for new regulations (AI Act, Data Act)
- Integrate data protection with cybersecurity
For individuals:
- Exercise your rights
- Read (at least briefly) privacy policies
- Report breaches
- Choose services that respect privacy
GDPR is not the end of the road but a solid foundation. On this foundation, we’re building a future where technology serves people, not the other way around.
