Five years of GDPR — the data compliance state of play

Five years on from the inception of the EU General Data Protection Regulation (GDPR), we explore what businesses need to consider when it comes to compliance

On the 25th May 2018, the EU GDPR came into force, forcing organisations across the European Union to rethink how they were managing and protecting customer data. In an increasingly digitised business world, data privacy and protection remain paramount to the long-term success of firms of all sizes and sectors.

With big tech corporations notably Meta in the past week continuing to be caught out and fined billions under GDPR rules, no business can afford to be complacent when it comes to compliance.

“GDPR’s introduction five years ago was an important step for data privacy in Europe, needed to keep up with technology’s rapid sprawl and privacy concerns that had plagued consumers. With so much corporate and personal data moving between systems, regulating this exchange was inevitable,” said Gert-Jan Wijman, vice-president EMEA at Celigo.

However, rules differing across Europe, combined with the challenge of complying with new laws and updates, have often made compliance tasks menial, repetitive and overwhelming on employee and team levels. On the flip-side, there is more work for regulators to do when it comes to enforcing data management for emerging and fast-growth technologies like generative AI and quantum computing.

Best GDPR compliance software for CTOsNot being compliant when it comes to data protection could cost your business millions. But using software to automate GDPR compliance can save you time and money.

Managing data growth

The exponential rise in amounts of customer data, correlated alongside growth of cloud and edge environments and generation of applications, remains a management challenge for businesses. According to research from data and analytics vendor Dun & Bradstreet, 80 per cent of organisations are currently struggling to manage not only volume, but also the variety and velocity of their data.

“To ensure GDPR compliance remains, business leaders, policy makers and governments should consider the intersection between the core data protection principles all set out in the GDPR. These include fairness, transparency, accuracy, integrity, confidentiality and accountability with the OECD AI principles for responsible stewardship of trustworthy AI, and the Council of Europe Guidelines on AI and Data Protection,” said Dun & Bradstreet’s chief ethics & compliance officer, Hilary Wandall.

“While the AI risks are broader than privacy and data protection, it is useful to start with GDPR when tackling the complexity around AI given that businesses are familiar with this regulation. From there, businesses can go on to branch out to the broader safety and quality issues that where AI could have obvious consequences, e.g. pharmaceuticals, manufacturing, healthcare safety, construction, and the environment.”

Cyber resilience

Avoiding breaking the rules set out also calls for infrastructure that is secure by design. As cyber attacks continue to evolve, multiple lines of defence alongside strong backup and recovery processes are required in order to minimise impact. Consequences for insufficient data protection would not only be financial, but also encompass reputational damage, operational downtime, and loss of customers.

“Five years on from the launch of GDPR, the cyber landscape has evolved dramatically,” said Steve Bradford, senior vice-president EMEA at SailPoint.

“Increased reliance of the economy and wider society on digital services is driving ransomware attacks globally. We also live in a more connected world – ever more linked and complicated supply chains are leading to higher levels of cyber risk.

“GDPR served as a warning that European regulators are more than ready to penalise businesses that have been dragging their heels when it comes to managing data security, privacy, and cyber risk. Organisations must keep abreast of security and regulatory developments and ensure they integrate cyber resilience at the core of their business models. And the right technology can help.

“By leveraging AI-enabled identity security, for example, organisations can improve detection of suspicious behaviour and trigger quicker and more impactful responses.”

Cyber resilience: your last line of defenceHere’s how you can ensure cyber resilience across the organisation.

Digital identities

Online and app-specific identities have become increasingly common since the GDPR came into force five years ago. While this innovation has bolstered service efficiency, it also led to the creation of a new attack surface for threat actors to target. This calls for strong verification measures on the part of organisations.

“Customers’ personal data must be carefully managed and a lot of organisations still struggle to do this,” said Colum Lyons, founder and CEO of ID-Pal.

“As more and more industries are being asked to verify their customer identities, this is even more critical to get right when verifying identities as part of Anti-Money laundering (AML) or Know your Customer (KYC) processes. The onus is on the organisation to capture, verify and store their customer’s personal data securely. 

“Identity verification processes that use document verification, alongside biometrics and database means a solution meets regulatory guidelines in a more robust way, making the process more complex for fraudsters to outwit but makes the journey seamless for users.”

Regulating AI

Generative AI has risen to the fore of business agendas since OpenAI‘s public release of ChatGPT in November 2022, and the subsequent investment by big tech firms like Microsoft and Google in the technology. Due to GDPR though, regulators are estimated to have collected over €80m in AI-related fines alone — demonstrating the need to overcome any compliance challenges regarding development of artificial intelligence.

“Despite common misconceptions, AI is regulated through GDPR – organisations are obligated to provide affected individuals with information about the associated logic of any automated decisions,” said Asha Palmer, senior vice-president, compliance solutions at Skillsoft.

“As generative AI tools such as ChatGPT take the world by storm, organisations need to develop and update governance around its usage in the workplace, considering the security, privacy, confidentiality and ethical implications.

“Creating a holistic generative AI governance structure that is sustainable, trustworthy, and transparent will require shared accountability between those developing the tool and those using it. All stakeholders must come together to understand the risks and consider what protocols are, or should be, put in place to ensure GDPR compliance.

“An effective governance structure must include risk assessment, policies and procedures, and testing and monitoring.”

AI identified as top industry disruptor by CEOsGartner research reveals that over a fifth of CEOs globally believe that AI will significantly impact their industry over the next three years.


Post-Brexit, data privacy regulations in the UK are still being drafted, with reforms to the Data Protection and Digital Information (DPDI) bill in the works.

According to research from enterprise IT vendor Macro 4, 85 per cent of UK-based IT leaders believe it would be easier for UK firms to stick with the GDPR rather than replacing it with the proposed new bill. However, 86 per cent said that GDPR risks becoming irrelevant if it fails to keep pace with new AI technologies like ChatGPT.

“There’s still a lot of complexity around compliance and also unanswered questions about what will happen in practical terms if the new bill comes into force,” said Jim Allum, director, commercial and technical at Macro 4.

“Businesses that operate in both the UK and EU may fear that they’ll end up having to comply with two separate sets of compliance standards. They could be thinking, ‘It’s better the devil you know’.

“Most IT leaders seem to feel that the regulations have made people more suspicious about how their data is being used. This is possibly because people are better informed now about how their data could be compromised or misused.

“Media headlines about major data privacy breaches and huge GDPR non-compliance fines leveled at well-known brands will have reinforced the overall lack of trust. All this means that organisations need to work harder than ever to demonstrate that they’re managing data within the rules.”

According to Wandall, examining sectors and process areas in which AI usage is high-risk and applying situation-specific guardrails accordingly “should hopefully set businesses up for the near future when the UK Government’s pending Data Protection and Digital Information Bill defining requirements and safeguards on AI are written up and in place”.

Following the 7 GDPR principles

Here are the seven principles that organisations need to follow, and how to go about satisfying them when managing customer data:

  1. Lawfulness, awareness and transparency: be clear to customers from the outset on how exactly their data will be used and processed.
  2. Purpose limitations: only use data for the ways in which you declared to customers it would be used.
  3. Data minimisation: only collect and use the assets required for any data management task.
  4. Accuracy: ensure that all customer details are accurate and up-to-date.
  5. Storage limitations: always delete personal data once it is no longer needed.
  6. Integrity and confidentiality: only allow data controller/processor personnel access to personal data.
  7. Accountability: emphasise responsibility of the data controller/processor to stay compliant with GDPR.


A guide to IT governance, risk and complianceInformation Age presents your complete business guide to IT governance, risk and compliance.

Avatar photo

Aaron Hurst

Aaron Hurst is Information Age's senior reporter, providing news and features around the hottest trends across the tech industry.