5 Years Of GDPR, What Do The Experts Say?

In the ever-evolving digital landscape, data privacy has emerged as a paramount concern for individuals, organisations, and governments alike. Five years ago, the European Union (EU) took a significant step towards safeguarding user data with the implementation of the General Data Protection Regulation (GDPR).

The GDPR, which came into effect on May 25, 2018, brought about a seismic shift in the way companies collect, process, and store personal data. Its broad scope encompassed not only EU-based organisations but also any entity globally that dealt with the personal data of EU citizens. From small businesses to tech giants, all were compelled to re-evaluate their data protection practices and ensure compliance with the comprehensive framework of the GDPR.

This landmark legislation aimed to empower individuals with greater control over their personal information and imposed strict obligations on businesses handling such data. As we mark the fifth anniversary of the GDPR’s enforcement, it is an opportune time to reflect on its impact. We asked the experts how GDPR has affected their field…
 

Colum Lyons, CEO and Founder of ID-Pal

 
“Five years on from the introduction of GDPR and there is still a long road to go. Even this week, Meta has been hit with a record €1.2 billion fine by the Irish Data Protection Commission (DPC) for violating a GDPR rule, proof that severe consequences are waiting for businesses if the right GDPR-compliant measures are not in place.

“Customers’ personal data must be carefully managed and a lot of organisations still struggle to do this. As more and more industries are being asked to verify their customer identities, this is even more critical to get right when verifying identities as part of Anti-Money Laundering (AML) or Know Your Customer (KYC) processes. The onus is on the organisation to capture, verify and store their customer’s personal data securely.

“Identity verification processes that use document verification, alongside biometrics and database means a solution meets regulatory guidelines in a more robust way, making the process more complex for fraudsters to outwit but makes the journey seamless for users.”
 

Mike Ferguson, VP EMEA at Redpoint Global

 
“Despite an ever-evolving business landscape, on its fifth anniversary GDPR is still highly relevant. This week’s record fine imposed on Meta for breaching GDPR regulations reminds us of this.

“These regulations have prompted organisations of all shapes and sizes to up their game in terms of data stewardship and responsibility, whilst encouraging consumers to think more about how their data is handled. Businesses are now fostering a new sense of responsibility towards their customers and embracing an unspoken contract of trust with consumers, recognising the importance of a meaningful value exchange.

“This has led to GDPR installing a culture of enhanced data management, raising expectations for companies to safely and properly handle data. Although the regulation has been criticised for fearmongering with huge fines, the changes have been beneficial, raising standards is never a bad thing.

“Finally, consumers are now better informed, meaning they are more capable of choosing which brands they want to interact with. Companies cannot ignore this growing awareness and must continue to responsibly manage data. Going back five years, there’s nothing I would change in light of this success, and businesses would do well to continue with this momentum.”
 

 

Damien Brophy, Senior Vice President EMEA at ThoughtSpot

 
“Since coming into force five years ago, the GDPR framework has sought to give people and businesses security and protection. The reality has been a state of flux with little enforcement of the regulation, the long-standing business challenge of how to effectively tap into the power of data whilst remaining compliant and global friction with data laws and standards so different across the world.

“Businesses now have the added layer of complexity with The Data Protection and Digital Information Bill currently passing through parliament, which is an update to UK GDPR. While sentiment around the new bill is mixed, business leaders need to see this impending change as a positive move in allowing the UK to become a true playground for innovation. This is due to the changes in the barriers to entry for data use and data manipulation lowering, giving businesses the opportunity to engage with their data more freely and use it to inform growth.

“What is crucial now is that businesses start considering the challenges this will bring in terms of driving innovation, lowering the barriers to data entry but still protecting people’s data. There will be a balance required in governance and agility. And leaders also need to push the UK Government to pass this new bill through parliament quicker as to date, progress has been slow and this will soon start impacting the true business innovation that can be taking place in the country.”

Charles Southwood, Regional VP and GM – Northern Europe and Africa at Denodo

 
“The fifth anniversary of GDPR provides us with an opportunity to reflect on how far we’ve come when it comes to protecting personal data. However, the reality is that, in many cases, there is still much to be done.

“Despite the stringent data policies, strict record keeping and time limits on how long data can be stored that GDPR brought into force, we continue to see many organisations struggle to ensure the simple and transparent management of personal data. One of the main hurdles they face is that data is usually distributed in different and separated repositories throughout an organisation; different locations, different formats & protocols and different permissions.

“With The Data Protection and Digital Information Bill – an update to the UK GDPR – currently passing through parliament, many organisations will seek out modern technologies to get a handle on data privacy. One such technology is data virtualization. In the context of GDPR, a key feature of data virtualization is that no data is moved and copied. This avoids multiple copies being created, where security can be an issue and where the original context and permissions of the data capture, can be lost. Likewise, by providing easy and complete access to all repositories, through a single information layer, data virtualisation ensures that data can be traced and audited in real-time, no matter where it is stored, and without the need for duplication. It facilitates compliance with current legislation whilst enabling organisations to protect their data.”
 

Ben Kartzman, COO at Mediaocean

 
“The last five years, since the introduction of GDPR, have seen the marketing landscape change drastically. Consumers have become much more savvy in regard to their privacy rights and advertisers have experienced massive signal loss. But it wasn’t just regulation that contributed to data deprecation. Other factors in play include Apple’s policies around app tracking and Google’s plans to disable third-party cookies.

“Looking ahead, it’s clear that the best path forward for brands is to develop first-party data by building direct relationships with customers and obtaining consent to communicate with them. On top of that, marketers can work with platforms that have their own first-party data and ability to use it for targeting ads. And there are also independent ad servers that can use first-party data and probabilistic determinants to address identity resolution.

“Above all, marketers need to invest in advanced creative strategies to entice consumers to engage with their brands. With constraints around audience targeting, the most incremental lift for advertising campaigns will come from messaging. This is a big area of focus for advertising technology through the use of AI and automation to create personalised ads at scale.”
 

Andy Teichholz, Global Strategist, Compliance & Legal at OpenText

 
“After half a decade of GDPR, businesses are facing a different world when it comes to managing personal data. One of the biggest topics in many industries right now is the growing demand for transparency and accountability from a more knowledgeable consumer base.

“While fines can be staggering (we are approaching a little more than 1,600 individual fines totaling almost three billion euros for GDPR violations), reputational management and competitive differentiation are still driving boardroom conversations and informing the investments they make in terms of data management technology.

“Technology is advancing and there are powerful options to improve data compliance and transparency. Tools like AI and machine learning can help companies assess, categorize, manage and protect all data appropriately throughout its lifecycle. Also, while subject rights requests, especially Data Subject Access Requests (DSARs), are becoming more commonplace, many organizational fulfillment activities today still rely on manual processes that overwhelm their already constrained resources. To meet mandated deadlines, teams are leveraging information retrieval technologies including eDiscovery tools (with their advanced analytics, review, redaction, and production capabilities) to automate and accelerate the fulfillment process – especially for high effort requests.

“With technology innovation, a much stronger data privacy strategy can help operationalize key privacy processes, guard against GDPR breach and build more trusting customer relationships. At a time when customer trust in businesses is fragile, we should use the anniversary of GDPR to reflect on how we can build better, more integrated data management strategies for the next half decade and beyond.”
 

Helena Nimmo, CIO at Endava

 
“GDPR regulation has long been criticised for being weak and lacking in enforcement. But with new bills passing through parliament and movements towards tightening regulation, companies will have stricter standards and guidelines to adhere to. We’re on the cusp of a new era of technology and businesses and regulators have the difficult task of striking the right balance between privacy and innovation, working towards a middle ground that allows both to exist in harmony.

“Digital transformation” has been the buzzword of the decade, but it’s played out, long out of touch with business needs and – crucially – inevitable market changes. With new technologies such as ChatGPT emerging and presenting fresh privacy challenges, this will only intensify further. Instead of undertaking a business overhaul, organisations should take a more iterative approach: ‘digital acceleration’. Digital acceleration allows for more agile delivery that doesn’t undermine longer-term strategic thinking or changes to regulatory frameworks, like what we’re seeing now.

“Applied to GDPR, digital acceleration allows leaders to safeguard their organisations while allowing them to innovate with more flexibility – a key challenge when looking at mitigating risk and ensuring compliance. As people become more aware of their data than ever, businesses have a responsibility to their customers, employees and other stakeholders to make decisions with privacy front of mind. Failure to prioritise is not only a compliance and financial risk, but a significant reputational one, too.

“While there are some natural privacy concerns around advancements in technology such as AI, we’re actually seeing these innovations being used as part of the solution. AI is increasingly becoming a crucial pillar of many organisations’ data strategies due to its ability to manage and protect data with accuracy whilst reducing human error.”
 

James Evans, CPO and VP of Legal, TripleLift

 

“By and large, GDPR has brought a level of uniformity for data privacy across Europe that has helped businesses to comply at scale. But regulators could still do more to enable progress. Contextual, for example, is promoted as the privacy-centric targeting method of choice. But contextual campaigns are difficult to measure in the absence of an identifier and basic tracking – and what you can’t measure in digital advertising, you cannot effectively sell and demonstrate ROI.

“Regulators should encourage publishers and advertisers to adopt privacy-respectful solutions like contextual targeting with basic measurement and first-party data solutions. Setting accepted minimum compliance criteria – with protection against harsh enforcement for minor legal infractions – would assist advertisers and publishers to move past the third-party cookie era.

“The anniversary is also interesting due to the current rapid rise of artificial intelligence (AI) tools and the associated privacy challenges. The core GDPR principles are well placed to address the use of personal data in AI technologies; albeit there will be practical challenges around transparency and user controls where huge amounts of personal data are processed using very complicated technologies. This poses some fascinating questions around how privacy regulations should develop in the future. Perhaps certain limited exceptions are required to foster this exciting technology, rather than introducing additional privacy regulation.”
 

 

Aviran Edery, SVP & GM Marketplace, Verve Group

 
“GDPR signalled a shift in the digital sphere that is being felt to this day. It remains one of the clearest and most concise sets of privacy regulations and inspired other countries to develop their own guidelines.

“The loss of cookies is just the next phase of the privacy-centric future advertisers face and it’s imperative they’re not using identifiers that are unlikely to outlast the next set of regulations. Quality contextual data will enable them to tailor their ads to high-value audience segments, avoiding costly fines in the process.

“The winners of the new era of advertising will be marketers who put their pedal to the metal in future-proofing their approach, trialling advanced tools based on solutions that take into account the direction the legislative winds are blowing and put consumers’ data privacy first.”
 

Paul Thompson, Country Manager, Seedtag

 
“GDPR was a monumental undertaking. Every line was debated and detailed by 27 countries’ worth of expertise, and the hard work has paid off, as it is now the template for various privacy regulations rolling out around the world. Though there have been stumbling blocks around implementation costs and the still work-in-progress question of consent frameworks, we can thank GDPR for a more transparent data ecosystem that gives consumers control over their information and holds companies accountable for its misuse.

“But as robust as GDPR has been, it has not been able to keep up with the breakneck progression of generative AI, which has further compounded concerns of data provenance and usage rights. The complexity of the cookie era is a drop in the ocean compared to the sheer scale of data swallowed by machine learning models, along with the dire consequences of the unchecked internal biases and “hallucinations” these models can produce. With so much at stake, we cannot afford for a “GDPR for AI” to take as long at the drawing board as GDPR did.”
 

Lucia Mastromauro, UK Managing Director, Acceleration, A WPP Company

 
“The GDPR changed marketers’ relationship with data; AI is rebuilding it for the better.

“GDPR set a good base and much needed standards for privacy in the digital advertising industry, meaning the established players had to evolve significant parts of their solutions to operate within a privacy-first paradigm. Now new AI capabilities have supercharged industry players and enabled marketers to take advantage of privacy-centred solutions at scale.

“Data modelling powered by machine learning, for instance, can plug the gaps left by limited data collection, while predictive AI can use businesses’ historical and observable data to forecast customer behaviours. With these capabilities, marketers are able to make even more impactful, data-driven decisions that boost a business’ bottom line. Responding to GDPR has been somewhat painful at times, but a highly positive journey as a whole, and it will be exciting to see how AI will continue shaping the industry’s approach to upholding data privacy.”
 

Pierre Naggar, Sales Director, MINT, UK

 
“Five years on, GDPR has radically changed the way consumers think about how their data is collected and used, bringing data privacy into the cultural conversation. As a result they have also become more aware of their data protection rights.

“In this sense, it has been tremendously effective. Marketers, however, are yet to reach such a revelation. Prior to GDPR, when audience data was free and at scale, there was a flourishing of audience-related platforms. Since GDPR enforced a much stronger approach to accountability of the data controller and user privacy and targeting, marketers are struggling with an array of proposed privacy solutions that are still in flux. This is partly due to the fact that marketers are hoping to find an alternative with the same targeting precision they have been used to with third-party cookies and a wealth of audience data.

“The privacy-first era of digital marketing heralded by GDPR is no longer driven by user identification. Savvy marketers should focus on unlocking the value of troves of under-utilised campaign data which is completely accessible through non-cookie based, privacy-friendly methods. This will allow them to build advertising equity, providing the means to achieve better data governance and greater awareness of how to utilise it, while respecting the fundamental rights and freedoms of consumers, attain actionable insights and future-proof company growth.”
 

Chris Hogg, Chief Revenue Officer, Lotame

 
“There’s no denying the positive impact that the EU’s landmark legislation has had on accountability in the digital ecosystem. The difficulty now is getting the word out that it’s safer than ever to tap into third-party data, a vital source of knowledge that has been sidelined by the post-GDPR, first-party data goldrush.

“The maturity of the privacy-first data market in Europe makes it well positioned to handle complex questions being raised over the provenance and ownership of data used by generative AI. Regulators are already matching bark with bite – as seen in the temporary ban of ChatGPT in Italy – and I expect there will be AI legislation taking shape by the year’s end.”
 

Daniel Pike, Chief Product Officer at Covatic

 
“By setting a benchmark in any discussion around privacy guidance, the GDPR has inspired other legislation with comparable concepts and definitions – such as the CCPA and proposed American Data Privacy and Protection Act in the US – to protect against the same harms. It has also propelled companies to invest and innovate in privacy-enhancing technologies, meeting the expectations of consumers, who have become more aware of their rights when it comes to data privacy and its potential issues.

“However, there seems to be a growing sense of complacency around data privacy in some areas, fuelled perhaps by a perception that enforcement will only apply to the most egregious of breaches. Five years on, businesses, large and small, must continue to value the protections afforded by the GDPR – and be prepared for future changes, as legislation evolves and adapts to changing culture, mindsets, and dynamics.

“Moving forward, we’ll likely see privacy credentials becoming a competitive differentiator, as companies recognise the importance of going above and beyond what is required by current legislation; raising public awareness, resetting norms and expectations, and creating space for further protections.”
 

Lorna Handley, VP, General Counsel, InfoSum

 
Looking back

“Looking back over the last five years, it’s fair to say the GDPR has had a significant impact and embedded a culture of privacy by design. The GDPR has increased attention on the use of personal data, not just in the EU but worldwide. More and more organisations are taking the initiative to improve their data collection processes, rather than risk a large fine and, more importantly, their reputation. Equally, we continue to see legislators in other jurisdictions follow suit and focus on the protection of personal data.

“Despite this movement, enforcement actions against big tech players have shone a light on issues such as transparency and the legal basis for processing personal data, particularly in relation to online behavioural advertising. Furthermore, harmonisation remains a challenge. We still see differing interpretations by regulators across the EU, and the number and level of fines have varied between member states.”

Looking ahead

“Looking ahead to the next five years, one of the major challenges to privacy regulation is likely to come from the new wave of artificial intelligence technology. While the GDPR is principle-based legislation and should be flexible enough to adapt to new technologies and their applications, it will be interesting to see how regulators respond.

“Globally, the growing strength and scope of data protection regulation, combined with increasing awareness and concern among consumers about how their personal data is used, will see more countries outside the EU making data protection a primary focus over the next few years. The UK is likely to diverge away from the GDPR as it seeks to achieve greater autonomy from the EU; however, inevitably, this must be balanced with ensuring UK businesses can still operate effectively in European jurisdictions. In the US, the current patchwork of state-by-state regulation is presenting challenges, making it one to watch.”