The GDPR has pushed EU businesses to implement stricter data protection measures Credit: Getty Images / akinbostanci

The General Data Protection Regulation (GDPR), the landmark European Union (EU) law designed to protect citizens’ personal data and privacy, is celebrating its sixth year this week.

Since the EU’s GDPR came into effect on 25 May 2018, it has brought significant changes in how personal data is handled and protected. GDPR is widely acknowledged for elevating the standards of data protection across the EU.

Go deeper with GlobalData

Premium Insights

The gold standard of business intelligence.

Find out more

Related Company Profiles

View all

One of the major impacts of GDPR has been giving citizens more control over their data, including the right to access, correct, delete, and transfer their information.

GDPR has also compelled EU businesses to implement stricter data protection measures, such as appointing data protection officers, conducting data protection impact assessments, and keeping records of data processing activities. 

GDPR and cybersecurity

GDPR requires companies to report certain types of data breaches to relevant authorities within 72 hours and, in some cases, notify affected individuals, promoting transparency and accountability.

The regulation also introduced substantial fines for serious non-compliance, which can be as high as 4% of a company’s annual global turnover or €20 million ($21.6m), whichever is higher.

How well do you really know your competitors?

Access the most comprehensive Company Profiles on the market, powered by GlobalData. Save hours of research. Gain competitive edge.

Company Profile – free sample

Thank you!

Your download email will arrive shortly

Not ready to buy yet? Download a free sample

We are confident about the unique quality of our Company Profiles. However, we want you to make the most beneficial decision for your business, so we offer a free sample that you can download by submitting the below form

By GlobalData
Visit our Privacy Policy for more information about our services, how we may use, process and share your personal data, including information of your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.

However, at the rate that the cyber landscape is evolving, some experts have questioned whether GDPR is enough to protect companies.

Steve Bradford, senior vice president EMEA at cloud security company SailPoint, says that organisations need to be proactive if they want to keep ahead of evolving threats. 

“In the six years since GDPR’s launch, the cyber landscape has evolved at breakneck speed,” Bradford says. “From targeted social engineering to the rise of deepfakes, cyber criminals are using increasingly sophisticated tactics to steal sensitive information.”

“GDPR paved the way for the increased importance of regulation to help companies protect their data But to keep on top of evolving threats, organisations need to be on the front foot,” he says. 

Bradford says that the stakes are too high for companies to be waiting to be led by government regulation or red tape. 

“Operational downtime, customer loss, reputational damage and system restoration that follow any data breach all come with a major price tag – and headache – for businesses,” he adds. 

AI and GDPR

The rise of AI and GenAI has created challenges for ensuring the technology’s data privacy and protection under the GDPR. The complexity of AI algorithms and the rapidly changing nature of AI learning processes require continuous updates to AI practices and regulatory frameworks.

GlobalData’s Thematic Research: Data Privacy report, defines AI as a software-based system that uses data inputs to make decisions on its own.

The EU’s GDPR states that individuals have the right not to be subject to a decision that is based solely on automated decision-making or without human intervention.

The law also requires organisations to explain how they use personal data in AI systems that have a significant impact on individuals.

Some commentators have stressed that the complexity of AI and the difficulty in explaining its decisions may ultimately prevent European companies from using advanced AI systems for fear of not being compliant with GDPR.

In April, OpenAI’s ChatGPT was hit with a GDPR complaint from Austria’s Data Protection Agency (DPA) and privacy activist group NOYB

The complaint stated that ChatGPT broke GDPR by providing false information about public figures and not allowing those figures to access or erase the data it has harvested about them. 

“Although GDPR has allowed for significant strides in privacy and data protection innovations, the regressive algorithms that are designed into many aging AI systems, particularly those rooted in deep learning concepts of 2012, pose substantial risks to data integrity,” says Davi Ottenheimer, vice president of trust and digital ethics at Sir Tim Berners-Lee’s Inrupt.

Ottenheimer said that these systems could potentially violate the principles of GDPR if not carefully managed.

“The current state of the 2016 law already should have been treated as a warning not to build any system that only can be powered down instead of reprogrammed: while GDPR offers mechanisms to halt data processing, it more importantly sets the stage for nuanced requirements of AI systems to do safe data analysis and learning,” Ottenheimer adds.

The rise of AI has promoted a closer integration of data protection measures as mandated by GDPR, which may have put a stricter look on the development of more transparent, accountable, and secure AI systems.