Looking Back at 5 Years of GDPR

25th of May 2023 marks the five year anniversary of the General Data Protection Regulation, the privacy law that changed it all. Introduced in 2018 and effective as of 25th of May the same year, the General Data Protection Regulation (GDPR) brought about a significant shift in data protection and privacy regulations within the European Union (EU). Furthermore, it  replaced the Data Protection Directive of 1995, marking a new era of enhanced privacy rights and increased responsibilities for organizations handling personal data. 

While the Directive required member states of the European Union to enact national legislation, a need arose for a unified approach,when it became clear that said national legislation on personal data protection contained  significant differences. As a result, the GDPR came as a regulation directly applicable to all EU member states, which provided a unified legal framework, ensuring consistency and a holistic approach across the EU. Moreover, the GDPR creators have expanded this scope by introducing extraterritorial applicability. Not only are member states required to comply with the law, but companies located in other countries that process the personal data of EU residents are subject to it. 

Another shift introduced by the GDPR was a revised approach to consent collection and personal data use, as well as expanded individual rights. Data subject rights had existed before and could be found  across the former regulations, Convention 108 and the Directive. However, in most cases, data subjects were granted the right to access their personal data, be informed about the data collection, and have the ability to correct inaccurate data. The GDPR enhanced individuals' rights and introduced new rights, such as data portability, which allowed individuals to obtain a copy of their personal data or transfer their data from one organization to another, and the right to be forgotten, which enabled individuals to request data to be deleted.  In situations where a controller was required to continue storing data to comply with legal requirements, individuals were provided with the ability to restrict the processing and limit its storage only.  

Perhaps the most critical shift for the corporate world was brought on by the increased penalties for non-compliance, and the mandatory requirement to appoint a Data Protection Officer (DPO), which was in practice a requirement to have a dedicated person within the organization who would be responsible for ensuring compliance with the GDPR and cooperation with Data Protection Authorities. 

Overall, the GDPR has presented a more comprehensive framework than the Directive and its predecessors in other countries, as it aimed to strengthen individuals' control over their personal data, increase the transparency of how the data is collected and processed, and to bring accountability to organizations. Not surprisingly, other countries have appreciated the harmonized approach and more robust enforcement mechanisms introduced by it, and many more countries have introduced similar provisions into their data protection laws, such as Australia, Brazil, Canada, Chile, China, Hong Kong, Japan, New Zealand, South Africa, Switzerland. 

To date, this list continues to grow with more countries using the GDPR as a framework for their own data privacy laws. 

Over the past five years, the GDPR has significantly impacted businesses worldwide. One of the significant changes brought about by the GDPR is the increased awareness about the security and privacy of data processing among companies and individuals. Organizations are now more cautious about the data they collect and process, understanding the potential consequences of non-compliance. This has led to improved data governance frameworks, enhanced security measures, and a greater emphasis on privacy-by-design principles. As businesses adapt to the GDPR's requirements, data privacy and protection are expected to remain at the forefront of the evolving digital landscape. 

You can read our infographic on the impact that the GDPR has had over the past five years by downloading it here, and find out more about the regulations Clym supports, click here for a detailed overview of each one.