Four years on from the entry into force of the GDPR, the privacy landscape is still as complex as ever. The past 12 months have continued to be fraught with action and marked by a heightened sense of privacy awareness. Developments in the Schrems II case and the privacy implications of the Coronavirus have highlighted a new level of compliance considerations for organisations to navigate.
Many companies spent considerable time and resources in the run-up to May 2018 adapting their systems and processes for GDPR compliance. Four years later, were all these changes necessary? Where should controllers have gone further from the outset? And what should change given the abundant post-2018 guidance and enforcement from DPAs?
To combat foreign government surveillance, European data protection regulators are taking an increasingly hardline stance on GDPR enforcement that could drastically change the internet. Some argue that a more pragmatic, “risk-based approach” could help avoid severe disruption. But a recent decision against Google suggests those people are losing the debate.
Four years on from the coming into effect of the General Data Protection Regulation (GDPR), it’s time to take stock: Has the GDPR truly improved data protection? How have organisations implemented the law’s requirements? And what questions remain unanswered after nearly half a decade of GDPR?