How 4 Years of GDPR Has Changed the Privacy Landscape

GDPR turns four this year. What has this landmark legislation taught us, and what does the future look like?

Alexis Kateifides, OneTrust Senior Center of Excellence Counsel

The introduction of the GDPR marked the dawning of a new age in privacy and data protection legislation, opening the door to a growing global regulatory landscape.  

The GDPR forced organizations to start their data protection journeys to keep up with the evolving world of data privacy. With enforcement actions, new guidelines, international data transfers, and global development of privacy laws and regulations, organizations had to develop data policies that could keep up with the rapid pace of these changes.

So, what have we learned over the last four years, and what’s on the horizon?

Data transfers in the spotlight

Like the EU Data Protection Directive before it, one of the goals of the GDPR is to ensure the protection of EU citizens’ data when it’s transferred outside of the EU. And like Schrems I, the CJEU’s decision in Schrems II brought with it new considerations for organizations. It’s been almost two years since that decision, and in the last year the European Data Protection Board (EDPB) issued its final version of recommendations on supplementary measures, and the European Commission adopted and released its new Standard Contractual Clauses.

With the release of these documents, organizations have been continuing to prioritize the steps laid out by the EDPB, working both internally and with customers, partners, and vendors to ensure compliance. 

This work takes place against an ever-evolving backdrop. Data protection authorities (DPAs) are highlighting their Schrems II compliance expectations through investigations and enforcement actions. And the recent announcement of an agreement in principle for a new Trans-Atlantic Data Privacy Framework may provide further certainty for privacy professionals on EU-US data transfers. What is certain is that EU data transfers will continue to rank highly on companies’ and regulators’ lists of priorities for the year to come.

Operationalizing GDPR through guidance

The GDPR’s requirements are laid out across 11 chapters and 99 articles. To help organizations comply, the EDPB and national DPAs release guidance on key compliance areas.  

In the last year, the EDPB has updated its former guidance on the concepts of controllers and processors, to take account of the dynamic relationships and roles in today’s modern world. It also adopted new guidance to help businesses handle data breaches, and the types of factors to consider during risk assessments. National DPAs weighed in on issues like Privacy by Design and artificial intelligence. 

Down the road, we can expect to see finalized guidance on data subject rights as well as other topics, like legitimate interests as a legal basis. 

GDPR in a global context

Since agreement on the GDPR was reached in 2016, there has been a proliferation of new privacy laws around the world. The influence of the GDPR is seen within these laws, with many taking a similar approach to regulating data protection and privacy. 

In the US, Utah and Connecticut recently became the fourth and fifth states respectively to pass comprehensive privacy laws in the absence of a federal law. Quebec modernized its law through Bill 64. In Brazil, the LGPD’s enforcement provisions took effect. China’s PIPL and DSL were finalized and entered into force, as did Japan’s APPI amendments. Federal laws were also passed in Saudi Arabia and the UAE, whilst South Africa, Rwanda, and Botswana all had laws take effect. The list can go on and on!  

The commonalities in requirements are many. However, as they say, the devil is in the detail, and mapping between these requirements remains an important task for organizations. 

And there are no signs of slowing down either. The UK announced a new Data Reform Bill. Israel is looking to amend its four-decade-old law. Thailand’s first Data Protection Act comes into force next month, while India’s debate on its own law continues. For businesses operating globally, staying agile is as important as ever.

More data laws are coming

The EU’s Digital and Data Strategy is on the move. The AI Act, the Data Act, the DMA, the DSA, the DGA. Running alongside is an increased desire to enhance regulation of cybersecurity, and that’s where we see proposals for NIS2 and the Digital Operational Resilience Act (DORA). And though initially proposed in 2017, agreement on the proposed ePrivacy Regulation seems to also be edging closer.

These are some of the new abbreviations privacy professionals are including when speaking on issues of data protection and privacy. As more laws regulate both the use of personal and non-personal data, as technology continues to evolve, and with data being an increasingly valuable resource, organizations are thinking holistically about their data governance programs, to not only comply with these laws, but drive business value. 

Industry experts reflect on 4 years of GDPR

Take a look at what privacy leaders across industries have to say about the past four years of GDPR and where the future of data privacy looks to go.



Looking back on the past 4 years of GDPR

Learn more about what GDPR has brought about for Europe and the rest of the world at the webinar “4 Years of GDPR: Birthday reflections and wishes”. A panel of industry experts and privacy leaders will reflect on how the privacy and data protection landscape has changed since 2018, and look to what the future holds in store. Register for the webinar here.
