The Impact of GDPR: Six Years Later

The General Data Protection Regulation (GDPR) came into effect on May 25, 2018, marking a significant shift in how data privacy is regulated. In this article I try to assess whether this landmark legislation has achieved its intended goals and its operational impact on organizations around the world.

Adoption and Influence of GDPR

The GDPR has undoubtedly had a far-reaching impact, influencing data protection laws worldwide: 

• By 2024, 137 countries now have national data privacy laws. Many such laws are modeled after GDPR and cover 6.3 billion people or 79.3% of the world's population.
• Countries like Brazil (LGPD), United States (California CCPA), and India (DPDPA) have introduced similar regulations.
• One of GDPR's primary goals was to give individuals more control over their personal data. In 2019, just after one year of GDPR coming into effect, 69% of the EU population (aged 16 or older) were aware of GDPR and 71% of people had heard of their national data protection authority.

What has happened on the ground? 

• By 2023, over 1.9 million complaints have been filed under the General Data Protection Regulation (GDPR) across Europe. This number reflects the increasing awareness and enforcement of data protection rights since GDPR's implementation in 2018.
  
• A significant portion of GDPR complaints has centered around practices such as telemarketing, promotional emails, and video surveillance.
  

For many, the GDPR has been effective in addressing complaints, but there is still room for improvement in ensuring consistent enforcement across different countries. Additionally, successfully adapting the framework to emerging technologies like artificial intelligence (AI) is crucial, as these technologies introduce new risks to data privacy. The new EU AI Act aims to address these concerns by aligning data protection regulations with AI developments.

Compliance and Enforcement

While many organizations have made efforts to comply with GDPR, enforcement has been a mixed bag:

• As of 2023, over €1.6 billion in fines have been issued under GDPR.
• Notable fines include €746 million to Amazon (2021) and €405 million to Meta (2022).
• However, many argue that enforcement has been inconsistent, with some major tech companies facing minimal consequences.

Companies have been driven to implement controls and regulations not just due to legal reasons, but also mature businesses demand it from them. A responsible business would not want to do business with a non-compliant business due to the indirect risks which can be damaging for their reputation.

Economic Impact

The economic effects of GDPR have been significant:

• A 2020 IAPP-EY survey found that 67% of companies spent over $100,000 on GDPR compliance, with 20% spending over $1 million.
• The same survey reported that 83% of companies consider privacy a board-level issue, up from 59% in 2017.

Cost of compliance is far less than the cost of non-compliance, so every organization should invest in achieving the required level of compliance. 

Challenges and Criticisms

Mandated with all the good intentions, GDPR has received criticisms and faced several challenges:

• Small businesses especially struggle to become and remain compliant due to limited resources.
• Some people even argue that GDPR has unintentionally strengthened the position of large tech companies with virtually unlimited resources.
• For many, the clauses are not easy to understand and the resulting complexity has led to varying interpretations and implementation strategies.

Conclusion

While GDPR has definitely raised awareness about data privacy (not just for EU subjects but worldwide), and compelled companies to be more transparent about their data practices, its full potential is yet to be realized. There's work to be done to achieve the regulation's intended goals fully, it will always be regarded as a giant step in the right direction.

Disclaimer

This blog offers information only and is not legal advice. While we strive to keep the information accurate and up to date, GDPR regulations may change, and interpretations vary. 42Gears Mobility Systems Pvt.Ltd (including its subsidiaries and affiliates) is not responsible for actions taken based on this content.