Think back to 2018, and for two years you’ve been working toward compliance with a new regulation called the General Data Protection Regulation. How did you feel? Most would say that at first the GDPR felt overwhelming; it’s strict and all-encompassing requirements placed a considerable burden on organizations – many of which had little idea where to start. Fast forward five years and the GDPR has been at the heart of some of the biggest privacy headlines in the world and changing the way businesses handle personal data. 

With the anniversary of the GDPR’s entry into effect on May 25, 2023, comes an opportunity for us to reflect on the past five years and to look to the future and how GDPR might adapt to a rapidly evolving digital landscape. Visit the GDPR turns 5 celebration page to register for a range of webinars hosted by our Privacy Connect Chapter Chairs or join us on LinkedIn for a live session with Odia Kagan, reflecting on five years of the GDPR. 

Explore this page to get more expert views on the GDPR’s past, present, and future as well as an infographic busting some of the most common GDPR myths. And, if you are looking for GDPR compliance tips, look no further than our “Getting started with GDPR compliance” eBook.

GDPR past, present, and future

The GDPR signaled a landmark moment for data protection and privacy law on a global level. Its origins can be traced back to the 1940s and concerns regarding individual privacy rights. The GDPR replaced the Data Protection Directive 1995 and greatly increased the scope and the data protection requirements for businesses covered by the regulation.

Due to its extra-territorial scope, the GDPR continues to have a significant impact on businesses all over the world. Transparency, data minimization, and the right to be forgotten are just a few of the important concepts that businesses must respect or face penalties of up to €20 million, or 4% of global annual turnover, whichever is larger. The GDPR has encouraged the development of comparable data protection laws in other nations since it was implemented, including the California Consumer Privacy Act (CCPA) in the United States and in many jurisdictions in the Middle East.

With AI and similar technologies becoming a greater part of our daily lives, the GDPR will continue to play an important part in protecting the personal data of subjects in the EU. And, while data protection law is far more prevalent than it was in 2018, the GDPR will continue to play a crucial role in shaping global data protection standards and influencing the development of new legislation in other countries.

Continuing to keep GDPR awareness top of mind is essential for several reasons. First, businesses must ensure they understand their obligations and take the necessary precautions to safeguard the personal information of their clients and workers. Second, it increases confidence in the digital economy by empowering people to understand their rights and take charge of their personal data. Finally, increasing GDPR awareness contributes to the creation of international privacy standards that represent the ideals of the linked digital world we live in and help establish a global culture of data protection.

GDPR myths vs. reality

With five years of the GDPR in the rearview mirror, there are several beliefs about the GDPR that have established themselves as fact. However, on closer inspection many may not ring as true as some might have you believe.

For example, some might say the GDPR only applies to European companies. However, it actually applies to any organization that processes the personal data of EU citizens, regardless of whether the processing takes place within the European Union or not. If you offer goods, or services, or monitor the behavior of individuals in the EU, the GDPR will apply.

It is easy to think GDPR compliance is a one-time task. But in reality, GDPR compliance is an ongoing process that requires continuous monitoring, updating, and improvement. Organizations need to regularly assess their data processing practices and maintain up-to-date records to demonstrate accountability with the GDPR.

There is also a misconception that the GDPR hinders innovation. While the GDPR does introduce strict rules and requirements, it doesn't necessarily hinder innovation. In fact, requirements such as data protection by default and data protection by design encourage the development of privacy-enhancing technologies and generally promote a more transparent and responsible approach to data processing that can support innovation.

Download the infographic above to see the reality of the GDPR’s most common myths. 

Getting started with GDPR compliance

Some companies have been building and maintaining a GDPR compliance program for the best part of seven years, but others are just starting on their journey toward compliance. While the GDPR is extensive there are a few key areas that should be addressed, and this guide gives you the perfect starting place. 

No matter where you're situated, you must abide by the GDPR requirements when handling the personal data of EU citizens, ensure it is managed with care and transparency and only keep it as long as is required.

A good place to start is to develop a privacy and data protection program to help you comply with the GDPR’s standards. This entails having transparent policies, ensuring the security of your technology, and honoring data subject rights. Additionally, you must have processes in place for making the correct notification in the event of a data breach and keep up to date with evolving regulations and cutting-edge technology in order to remain GDPR compliant. Download the Getting Started with GDPR Compliance eBook to learn about GDPR in greater detail and how the OneTrust Privacy & Data Governance Cloud can help. 

Follow OneTrust on LinkedIn to keep up to date with latest resources to help you on your journey toward GDPR compliance as well as the latest privacy and data protection news.