Happy anniversary: The GDPR is three years old

25th May 2021: The European Union launched the General Data Protection Regulation three years ago today. Much has been achieved but many of the most complex data challenges remain.

The main aims of the GDPR were to empower people to help them to gain more control over their personal data and to provide companies with one set of rules to improve data security throughout the EU.

In that time, 661 known GDPR fines totalling €292 million were issued across the EU with Spain issuing the most at 222 followed by Italy with 73.

At Osborne Clarke, we have handled over 200 data and cyber incidents internationally since the GDPR came into force, approximately 70% of which have been notified to data regulators. Increased transparency has led to a substantial increase in both regulatory engagement and post-breach litigation. But it is perhaps the cultural change brought about by the GDPR that has been the most interesting trend to observe.

We are seeing a tangible shift in how GDPR compliance is perceived, from being part of the corporate compliance regime to being a commercial and reputational differentiator.

Mark Taylor, data and technology specialist and partner of Osborne Clarke commented: "Every business has had to think about GDPR over the last few years – however, not all businesses think about it in the same way. It's more efficient and less disruptive to take a "compliance by design" approach than to retrofit GDPR compliance. In turn, data privacy is becoming part of the corporate mind-set for many businesses. Across all sectors, we've seen our clients start to embrace the opportunity and potential competitive advantage from being perceived by customers and consumers as a 'privacy first' business".

Ashley Hurst, Co-Head of Cyber and Contentious Data Protection, added: "One of the marks of the success of the GDPR is its influence on the current wave of digital regulation coming out of Europe. The same basic set-up of a framework of regulatory obligations, plus national enforcement infrastructure, plus – the real GDPR differentiator – potentially eye-watering fines, is now coming down the track for consumer law, online harms, data governance, AI regulation, to name a few. Having seen how GDPR compliance can start to power advantage, businesses may see these new regimes as more than just additional regulatory cost and risk."

Now that the foundational compliance regime is in place and being replicated across the world, the more exciting challenge of exploiting data to achieve business and societal challenges, such as decarbonisation, can proceed with more certainty.

In terms of what to expect in the next three years, complex challenges still to be tackled include how the GDPR applies to some of the AI solutions being developed and rolled out, how businesses will store and transfer personal data to get around adequacy concerns resulting from the infamous Schrems case, how the adtech ecosystem will adapt to create a sustainable operating model, and how data privacy rights will be reconciled with freedom of expression as part of the increased regulation of online safety.

For the post-Brexit UK, there's no sign of any radical departure from the legacy GDPR approach for UK data privacy. Data has been identified as a priority in international trade agreements, and we're expecting announcements soon from DCMS about the countries beyond the EU with which it will prioritise reaching data adequacy agreements so as to facilitate international data flows for UK based businesses.

For more information on data and cybersecurity challenges, please contact one of the experts below.