GDPR Three Years On: What is next for the regulation

GDPR Three Years On: How can the European Commission support SMEs to reach an impeccable level of data protection compliance?

Who doesn’t remember the implementation of GDPR? It’s hard to believe that it was just three years since GDPR was introduced in the EU. Today, we’re taking a look back to understand just how GDPR has changed or improved the livelihoods of businesses and consumers today, whilst contemplating what exactly is next for the regulation and the European Commission.

Initial reactions & shift in focus

When GDPR was initially announced in 2017, a persistent sense of scepticism hung over organisations of all sizes across the union. Mainly, this related to the lack of time given to firms, in particular SMEs, to overhaul their operations to fit this new way of operating, as well as the fear of what fines might be in store for organisations failing to comply. Many businesses argued that EU governments would expect them to put new strategies in place with no help or guidance from the regulators themselves. It wasn’t until the infamous Cambridge Analytica scandal in 2018 that consumers and businesses alike truly understood the urgency of personal data privacy, and so accepted the new regulation with open arms. From this point forward, the perception of GDPR shifted from that of an irritating regulation, or even an obstacle to business operations, to one of massive importance.

One year on – Impact & predicaments.

One year later, in May 2019, GDPR had been adopted and businesses all over the EU were scrambling to ensure that they could avoid any hefty fines. Following the initial concerns, there were in fact multiple teething problems which the European Union and firms were forced to face. Within the first year of operation it was primarily contended that GDPR did not live up to expectations, owing to the pitiful fines being handed out by regulatory bodies. SMEs felt as if they had been left behind in the GDPR conversation, struggling to put efficient operations in place in time. Even consumers were already feeling a sense of fatigue due to the influx of unclear communications from organisations across the EU, leaving them lost and unclear on how they could take full control of their data.

Despite these initial complications, GDPR was universally accepted as a positive force and a change for the better. According to a 2019 report published by Deloitte, 44% of survey respondents believed that organisations treat the protection of customer data as a higher priority and care about consumer privacy significantly more since the GDPR came into force. Consumers also felt empowered to reshape the conversation about their data, enabling those concerned about the way their data was stored and shared to demand better. GDPR also ignited a worldwide discussion, prompting countries such as the USA to consider how they should be protecting the data of their own citizens.


Two years on – Lessons learned.

Moving forward to 2020, two years on from the implementation of GDPR, numerous organisations were now taking GDPR in their stride and reaching a reasonable level of compliance, yet a percentage of SMEs were still struggling with the costs involved in ensuring compliance. Whilst technical compliance with GDPR had begun to be reasonably met, operational compliance still fell short of the mark due to issues such as complex processes, lengthy documents and a general lack of training and awareness. The European Commission described 2020 as a year in which great groundwork had been laid for the protection of personal data; however, it admitted that more still needed to be done, specifically in the realm of enforcement, and highlighted the need for national Data Protection Authorities to engage with the EU representatives of overseas operators rather than with the operators themselves who, sitting overseas, may feel less urgency regarding compliance.

Overall, the European Commission had found that across the first two years of regulation, there had been a number of improvements brought about by the GDPR, including a level playing field for businesses across Europe, a greater awareness of citizens’ rights, and the GDPR’s flexibility to adapt to new technology.

Three years on: Where are we now and how do we proceed?

Reflecting on the past three years of GDPR, it’s clear that the regulation has left a lasting impression and had a significant impact across the globe, with places such as California and the United Kingdom (post-Brexit) even implementing their own versions of GDPR in commercial law. As for the issues that arose within the first two years of operation, it seems that regulators have vastly improved the fairness of their operations. GDPR fines, for example, totalled £245.3 million throughout Europe as of January 2021, and a total of 160,921 personal data breaches have been recorded. The greatest fines have been levied against Google, British Airways, H&M, Marriott and Telecom. Fines were typically higher depending on the severity of a data breach, which in retrospect is considered a fair system for organisations.

Despite the impact GDPR has created, reflecting on the 2020 pandemic and the rise in data breaches worldwide, it is perhaps time for the European Commission to shift from treating GDPR as ‘groundwork’ towards a foolproof aid which organisations can follow to fully protect the rights and data of their consumers. Even though this is a priority for the European Commission to consider within the next five years, there are still glaring issues regarding the lack of resources and financial aid for SMEs to follow through on this basic groundwork level of regulation.

The primary limitation of GDPR within business operations is considered to be the cost and the limited resources available for organisations to improve their compliance, with no certifications or training provided for specific GDPR matters. The closest thing organisations currently have is the International Association of Privacy Professionals, regarded as the gold standard; however, this has not been approved by GDPR regulators. As a result, many SMEs still fall behind on GDPR expectations, as there remains an overwhelming lack of support.

It is therefore essential, as we move forward into the world of GDPR, that the European Commission creates a fair and level playing field that allows organisations of any size to access low-cost resources which enable them to improve their level of compliance on behalf of their consumers, especially if regulations are to tighten over the next five years. Although there are several low-cost solutions within the data storage market, such as affordable hardware-encrypted storage drives from certified and GDPR-compliant vendors, the European Union must do more to provide low-cost training and resources for SMEs before discussing how GDPR regulations can be strengthened.