GDPR (short for the General Data Protection Regulation) became enforceable on May 25, 2018. While the legislation was completed in April 2016, many organizations were scrambling to become compliant before then.

Around the same time, data privacy was a hot topic with the controversial Cambridge Analytica going out of business in early 2018. This made data privacy in general, and GDPR in particular, one of the hottest topics in tech. There were tons of questions about how GDPR would be enforced, and what would change for businesses and consumers.

In the years since GDPR became enforceable, a lot has changed and many questions have been answered. Here, we'll look back at how GDPR came about, what it intended to change, and what it has changed.

How GDPR Came About

In 2012, the European Commission proposed a comprehensive reform of the European Union's (EU's) 1995 data protection rules. The idea was to modernize legislation to address the privacy challenges in a world with social media, analytics, and super cookies.

After about four years of rigorous processes and drafting of legislation, GDPR officially came into existence on April 14, 2016. It replaced the 1995 Data above Protection Directives. Because GDPR represented such a drastic shift, businesses were given plenty of time to adjust. GDPR did not become enforceable until May 25, 2018.

Understanding the Objectives of GDPR

In essence, the GDPR modernized rules that were established in 1996, but that doesn't tell us much. To paraphrase, the objectives of GDPR are:

• Establish rules related to "natural persons" regarding processing and free movement of their personal data

• Protect the rights and freedoms of "natural persons" as it relates to the protection of personal data

• Ensure free movement of personal data within the EU is neither restricted nor prohibited when it comes to protecting "natural persons" in regards to the processing of personal data

"Natural persons" is an important phrase here. Natural person = human being. Not a corporation or legal entity.

Who is Affected by GDPR?

GDPR affects almost every company in the EU or doing business in the EU. According to CSO, the following are organizations that must comply with GDPR:

• Companies physically present in the EU

• Companies that don't reside in the EU, but process the personal data of those living in the EU nations

• Companies that have more than 250 employees

• Companies that have less than 250 employees, but process data that can affect consumers' rights and freedoms. Almost every company falls under this category.

In a nutshell, any big company (> 250 employees) and most small companies that operate in the EU need a GDPR strategy.

The Difference between Data Processors and Data Controllers

There are two classifications an organization may fall under when it comes to GDPR.

1. Data Processors

2. Data Controllers

A controller can be an agency, individual, public authority, or organization that decides the means and purpose for processing personal data. The processor is an individual, organization, agency, or public authority that helps the controller process personal data.

A processor is obliged to protect, and maintain the personal data of individuals and how it is processed. The processor is liable if there's any breach in the organization of data.

Processors can either be in-house (i.e., part of the controller organization)or outsourced. A controller must ensure every contract they have with processors complies with GDPR terms.

Because different regulations apply to each, it is important to understand if your organization is a processor, controller, or both.

Personal Data and GDPR

Personal data protected by GDPR covers a wide range of information related to an identified individual in the EU including:

• Address

• Phone number

• Names

• Pictures

• Genetic data

• Biometric data

• IP address

• Race or ethnic data

• Gender

• Political opinions

What's Changed?

The idea behind GDPR is that EU citizens control their data. Currently, they are more involved in decision-making regarding who uses their data and how they should be used. Because of the broad reach of the legislation, it has citizens of the web outside the EU as well.

GDPR has helped create a bit more transparency around data breaches. Organizations must inform the appropriate data protection body and affected individuals immediately when they notice any compromise of EU consumer data.

Additionally, consumers have easier access to their data thanks to GDPR. As a result, they can have a better understanding of how their data is used and processed

Organizations now have to be more careful with consumers' data than before. They are required to inform users of how their data will be used — and provide opt-outs from mailing lists more frequently and prominently.

Individuals in the EU now can even tell organizations to delete the data they have on them. This is where the right to erasure comes into play. The right to erasure grants consumers the right to request organizations to permanently delete their data. Organizations that fail to comply with this erasure request will be fined under GDPR legislation.

Only EU citizens are technically protected by GDPR. However, as you may notice with more prevalent cookie notifications, changes related to GDPR impact those outside the EU, too. This can be attributed to the difficulty of serving one site to the EU and another to the rest of the web. It becomes easier for organizations to simply grant many of the same benefits to all users.

Sure, GDPR only applies to EU citizens if we go by the book. However, the past 18 months have shown that different websites have changed for users outside the EU.

Some Businesses Abandoned the EU market

In some cases, firms felt GDPR would be too much to handle, thus limiting their ability to run a profitable business in the EU. As a result, some businesses entirely exited the EU market. For example, Digiday reported that two U.S. advertising firms, Drawbridge and Verve, discontinued EU operations because of GDPR.

Businesses Have Paid Some GDPR Fines

The Data Protection Commission of Ireland has concluded two significant inquiries involving major tech companies in 2023. In the case of Meta Platforms Ireland Limited, a substantial fine of €1.2 billion was imposed for GDPR infringements related to data transfers. This decision, made after an extensive investigation, reflects strict enforcement of GDPR, particularly concerning data transfer practices to the US.

In another case, TikTok Technology Limited was fined €345 million for GDPR violations involving the processing of personal data of child users on the TikTok platform. This inquiry scrutinized TikTok's platform settings, age verification processes, and transparency obligations. These fines highlight the rigorous application of GDPR in protecting personal data rights.

Companies Have Data Protection Officers Now

The GDPR mandate for organizations to appoint Data Protection Officers (DPOs) has had a notable impact on privacy leadership roles, especially in the European Union. Recent data indicates that 67% of privacy leaders in the EU also serve as DPOs, demonstrating the integral role of DPOs in ensuring GDPR compliance.

This contrasts with the United States, where 39% of privacy leaders hold the DPO position. This difference highlights the varying emphasis and approaches to data protection in the EU and US, underlining the GDPR's influence in shaping privacy roles within organizations

Organizations Still Struggling to Keep Up

A 2023 survey highlighted the challenges faced by companies in the EU and UK in adapting to the GDPR and Data Protection Act 2018. Approximately 55% of businesses found it difficult to meet new or evolving requirements of these data privacy laws. Additionally, 45% of respondents reported challenges in increasing their budget to comply with these changes.

A study published on ScienceDirect in 2022 investigated the impact of the GDPR on web traffic and user engagement across approximately 5,000 web domains in Europe and the United States. The research found an average long-term traffic reduction of about 15% post-GDPR implementation, with both paid and unpaid channels experiencing significant drops.

A Call for Comparable U.S. Legislation Begins

On the other side of the Atlantic, there has been a call for legislation comparable to GDPR. Interestingly, some of the loudest proponents of such legislation have been big tech executives. Tim Cook, Apple's CEO, was one of them.

He called on the U.S. Data Protection Agency to introduce a U.S. form of GDPR to help users. Additionally, early this year, Facebook CEO Mark Zuckerberg talked about privacy-focused internet. However, this was after Facebook was fined $5 billion (USD) for breaching privacy.

Final Thoughts

GDPR has changed a lot over the last few years. However, we can expect more to change in the coming years. Data privacy is a major issue. GDPR is just one example of that holding. We can expect legislation in the U.S. to bring more changes in the future.

As an IT pro, you need to stay up to date with these changes and implement solutions. GDPR changed a lot, but it won't be the last set of major changes in data privacy.