5 years of the GDPR – where do we go from here?


It’s difficult to grasp that five years have passed since the coming into force of the GDPR. The much-awaited landmark regulation came into force on the 25th May 2018 and the world of privacy has not looked back.

The ripple effects of the GDPR can also be seen in the implementation of GDPR counterparts in different jurisdictions outside of the EU, such as Brazil’s LGPD, leading to an unprecedented shift in the global privacy landscape. Within the EU, the GDPR paved the way for the development of an increasing number of guidelines by the European Data Protection Board (the ‘EDPB’), which, along with the many court decisions and administrative fines issued over the past five years, have served to enhance the EU data privacy legal framework.

Whilst, as evidenced in its register of decisions, the number of data subject complaints filed with Malta’s data protection authority, the Information and Data Protection Commissioner (the ‘IDPC’), has increased immeasurably, a concern across the EU is that data subjects’ awareness of their rights under the GDPR is not keeping pace. Some businesses are still falling behind in providing adequate information to data subjects on the processing operations being undertaken, or in setting up an appropriate infrastructure to handle the exercise of data subject rights. A clear example of this issue was investigated by the IDPC in 2020 further to the submission of a data subject complaint. The IDPC determined that the personal data being processed was only partially provided following a right of access request, and that the privacy policy implemented by the controller did not satisfy the transparency requirements arising from the GDPR. In light of this, the controller was issued a €20,000 administrative fine by the IDPC.

This issue is intrinsically tied to a lack of a systematic approach to data privacy within an organisation. The key aspect here is accountability, so agreeing on roles and responsibilities within the organisation as an initial step is crucial. This needs to be reinforced by training team members on their responsibilities within the business’s data privacy framework, including ongoing refresher sessions on any new policies and procedures, or updates to existing internal documentation. Continued compliance with the GDPR is no easy feat so businesses are encouraged to take an active approach – the more integrated data privacy practices are in day-to-day operations, the easier compliance becomes.

This is particularly relevant to, and goes hand in hand with, the implementation of technical and organisational measures appropriate to the processing operations being undertaken. Developments in, and increased reliance on, technology have exposed businesses to security risks and cyber threats. The number of personal data breaches suffered by local businesses has increased, with the IDPC investigating data breaches ranging from credential stuffing attacks, brute force attacks and ransomware to device theft and unauthorised disclosures as a result of human error. Assessing the adequacy of the security measures that your business has in place is therefore an indispensable part of your GDPR compliance journey. This assessment should also extend to the measures being implemented by data processors engaged to process personal data on the business’s behalf, particularly where these data processors are established outside of the EU. In 2022, the IDPC issued a €250,000 administrative fine, the largest GDPR fine issued by the IDPC to date, to a controller for failing to assess the appropriate level of security taking into account the risk of the processing, and for failing to implement appropriate technical and organisational safeguards to mitigate the risks of external malicious attacks.

This five-year mark is also expected to come with changes. The current chair of the EDPB, Andrea Jelinek, has made it clear that going forward, the EDPB’s focus will be shifting from guidance to enforcement, and that “[organizations] have to show that they’re compliant and if they’re not, they will be fined.” And the EDPB is not waiting around. Just a few days ago, further to instructions from the EDPB, the Irish Data Protection Authority issued a €1.2 billion fine, the largest GDPR fine ever, to Meta Platforms Ireland Limited for transfers of personal data to the USA in breach of the GDPR.

So what should be the main take-away on the 25th May 2023? In short, compliance with the GDPR is ongoing, not something you ticked off in 2018 and then put on the back-burner. This five-year anniversary of the coming into force of the GDPR should therefore serve as an opportunity to bring your privacy compliance up to speed. Improving your business’s data privacy framework sooner rather than later is also ideal in light of several upcoming EU regulatory initiatives, including the Cyber Resilience Act, amongst others. If your business is still catching up with the GDPR, this will undoubtedly create a ‘compliance backlog’ when these new pieces of legislation come into force, a backlog that will unfortunately place an administrative burden on the business.

Lastly, let this day remind each and every one of us, in our own capacity as data subjects, of the worth of our personal data. Let it remind us, when purchasing services and products, to choose businesses that recognise the importance of data protection. Ultimately, the GDPR exists to protect our data and serves to preserve our fundamental right to privacy. Five years down, many more to go!