Save content
Have you found this content useful? Use the button above to save it to your profile.
Image of a dark server room stretching into the distance
istock_sefa ozel_AW

Four years on: What have we learned from GDPR?


On the fourth anniversary of the General Data Protection Regulation, Bill Mew highlights its many failures and main success.

30th May 2022
Save content
Have you found this content useful? Use the button above to save it to your profile.
  1. Regulation without enforcement is not just pointless, it’s counterproductive

Several studies have found that many companies are not compliant with key requirements either of the US or EU data privacy regulations. A recent data privacy research report by CYTRIO uncovered the fact that 90% of companies are not fully compliant with US data privacy regulations, including CCPA and CPRA Data Subject Access Request (DSAR) requirements. Alarmingly, a further 95% of companies are using error-prone and time-consuming manual processes for GDPR DSAR requirements.

If it is only responsible companies that are even attempting to comply with privacy regulations, then this becomes a cost or tax on them and represents a competitive advantage for irresponsible ones that don’t abide by the rules at all.

  1. Fines add cost but are a lagging indicator of misfortune rather than misbehaviour

At the outset, all the headlines about GDPR were about the proposed fines. And indeed there have been numerous fines amounting to a great deal of money. According to DLA Piper, nearly €1.1bn in fines were handed out last year. These related to a total of 356 breach notifications a day - a sevenfold increase on last year’s total.

Given the continued and widespread lack of compliance, unfortunately the fines appear not to be working as a deterrent but instead tend to be an additional cost for those unfortunate enough to have suffered a data incident. Many of those fined had taken reasonable measures but had either suffered from unforeseen mistakes or been the victims of attacks and had then been fined once the ICO had been notified.

Meanwhile, it is unknown how many companies that, having been less responsible and then covering up their mistakes and choosing not to submit breach notifications, have gone on to avoid fines entirely. 

  1. At scale, some firms see an actual business case for non-compliance

Nowhere has non-compliance appeared more obvious, evident and controversial than when it comes to BigTech. Arguably some of the largest data abusers have been the tech giants whose business model relies on data exploitation. Following the ‘Schrems II’ ruling against Facebook in the European Court of Justice that overturned Privacy Shield, it was expected that the Irish regulator would take immediate action against the social media giant. However, the Irish regulator initially dragged its heels, appearing not to want to upset the tech giants that had chosen to base their European headquarters within its jurisdiction. Even after it was sanctioned by a vote in the European parliament of 541 to 1 for its inaction, it chose to collaborate with Facebook on a workaround that risked undermining GDPR, rather than actually enforce the regulation.

Leaked internal documents show that Facebook (AKA Meta) designed its ad system in a totally unsiloed way. Without completely re-engineering it from top to bottom, the firm simply cannot hope to comply with GDPR’s requirement for a legal basis for each use of personal data. Aware of this, senior management chose to invest in lobbying and legal appeals, rather than invest in any such fundamental technical reform. Regulatory fines along with lobby and legal costs were seen as a lower-cost tactic than reform and compliance would have been. And with the Irish DPC seemingly unwilling to act, the chances of the Schrems ruling being enforced and them having to cease business in the EU remains low.

  1. Inhibiting innovation: All pain, no gain

As a seasoned campaigner on such issues, my personal mantra has always been to seek to strike the right balance between meaningful protection (digital ethics, privacy and cybersecurity) and the maximisation of economic and social value (cloud, digital transformation and innovation). 

At present we have the worst of both worlds - there is little in the way of meaningful protection, given the lack of enforcement. And at the same time, we are inhibiting innovation, with many startups opting either to base themselves outside the EU in order to avoid the overhead that GDPR represents or struggling to thrive within the EU while at a disadvantage to overseas rivals.


Doing the right thing, acting responsibly and treating your customers and their privacy with respect does not have to be an inhibitor and should not hinder innovation. Unfortunately, the regulatory overhead for embryonic businesses is significant, especially if they are outgunned by larger rivals that may actually be gaining further competitive advantage by cutting corners on compliance (with the complicit support of regulators).

  1. Post-Brexit: Rubbing salt into an open wound

Having shot themselves in the foot (along with the rest of us) by introducing Brexit, the UK political class is desperate to show that Brexit is not a complete disaster and that it can reclaim control of its own laws by reforming GDPR. Unfortunately, it appears to be about to shoot its other foot.

Just as Brexit was built on genuinely good intentions for reform but floundered when confronted with reality, the proposals to reform GDPR in order to spur innovation are equally flawed. The reality is that most businesses will either want to trade with Europe or will hold the personal data of EU citizens, meaning that they will need to conform to the EU’s version of GDPR even after any reform in the UK. Any new UK GDPR, however much better it is, will just be an additional regulation (and cost) they’ll also need to comply with. And if the reform is radical enough to make any real difference then it is most likely to put the UK’s equivalence with EU GDPR at risk - a potentially calamitous outcome.

  1. Transatlantic harmony: Singing two totally different tunes

Possibly the biggest problem with GDPR doesn’t lie in Europe or the UK at all. It lies in Washington DC. You see there’s an ideological gulf that exists between the EU’s prioritisation of privacy as a human right and the US’s prioritisation of surveillance for national security. It has already led to the demise of both Safe Harbor and Privacy Shield and is most likely to hinder all attempts to implement any replacement. 

Unfortunately the EU views proportionality, trust and means of redress as essential components of any arrangement - all of which require judicial supervision. At present, the US implements broad mass surveillance, with little restraint and a level of secrecy that would undermine all means of redress. 

A proposed new transatlantic agreement would be supported by executive orders, but these are easily reversed and have little legal foundation. Introducing measures for adequate judicial supervision in the US would require legislation. Unfortunately, complete gridlock in Congress has made it impossible to introduce any federal privacy law. Adding the need for additional measures to keep the EU happy would make any such legislation even more difficult to pass, so we shan't be holding our breaths for any such measures.

We do however need to avoid security and privacy concerns, along with economic interests and authoritarian and nationalistic urges, leading governments to erect barriers to global data flows. Even if complete harmony between the EU and the US appears impossible, we can at least aim for some form of harmony on side of this divide - with as much alignment as possible between the EU and UK versions of GDPR and with regulation at the federal level in the US at some point so as to align the proliferation of state by state privacy laws.

Despite all of this, I think that GDPR has been a measured success!

The biggest challenge of all is cultural - getting people and organisations to take privacy and data protection seriously. Five years ago, few, if any, of us were aware of the issue. However much the pop-up compliance requests over the last four years may have bugged us all, we are now far more privacy-aware than we ever have been. This is cause for real celebration.

Replies (8)

Please login or register to join the discussion.

By Hugo Fair
30th May 2022 19:02

If you really think that "GDPR has been a measured success", then what are those measures? And a vague sense that "we are now far more privacy-aware" doesn't cut it.

Almost anyone under 40 that I meet has a full-blown (if dejected) acceptance that Meta et al 'own all our data, so no point worrying about it'!
Whilst those of my vintage spend an inordinate amount of time trying to navigate the pop-ups in the hope of not dripping data with every click ... but there an increasing (not decreasing) number of sites that make it hard (and in some cases impossible) to proceed without selecting 'accept all'.

And, as you must know, the amount of data collected on you as an individual clicking your way through the internet is infinitesimally small compared to the amount being pulled from your phone and other devices (even when supposedly switched off). When combined with the data being acquired legally (albeit with dubious safeguards) from national systems such as the NHS, you can see why Nick Clegg proudly claimed that we know more about you than your parents or lover.

In the meantime, for a typical business GDPR is just an administrative nightmare ... where no-one understands it properly and (in the absence of any obvious benefit to the business) look to reduce it to as simple as possible set of tick-box actions.
Not only does that obviously subvert the honourable intentions behind GDPR ... it is an impossible task in most cases, as the 'rules' don't lend themselves to absolutist resolution.
To take one simple example ... I've sat on many working parties/committees where one of the questions is 'for how long do we need to retain records of pension contributions?' And hear answers ranging from 'whatever we do with all payroll records' to 'I think you have to keep them for 5 or is it 7 years' to 'I get questions from the scheme about people who left 20 years ago so maybe a bit longer' and so on. The conclusion (from several large pension schemes) - as long as possible (up to 99 years) so you'd better make sure that's part of your business' policy!

So it becomes necessary for each business to have its own set of GDPR policies (not just a boiler-plate) ... and to maintain/review them ... despite the fact that they will be no more (or less) careful with personal data than they were prior to the advent of GDPR.

And then there's the dreaded/dreadful 'right to forget' ... invented by someone wholly unaware of how databases work. Without a lot of careful structural re-design, most databases can be reduced to a pile of indecipherable garbage by the simple removal of a few data items (think Jenga).
And on it goes ...

Thanks (4)
By Beef curtains
30th May 2022 19:24

What success? GDPR is an unmitigated nonsense. It is an example of the reasons why we chose to leave the Eurinal. No one asked for it. No one is trying to make Brexit "look like a success". It IS a success. Our sovereignty is no longer anything to do with the craziest political experiment since Caligula planned to make his horse, Incitatus, a Consul of the Roman empire. But I don't expect an obvious Remoaner like Mew to acknowledge that.

Thanks (4)
Replying to Beef curtains:
By mbee1
31st May 2022 08:29

Beef curtains wrote:

What success? GDPR is an unmitigated nonsense. It is an example of the reasons why we chose to leave the Eurinal. No one asked for it. No one is trying to make Brexit "look like a success". It IS a success. Our sovereignty is no longer anything to do with the craziest political experiment since Caligula planned to make his horse, Incitatus, a Consul of the Roman empire. But I don't expect an obvious Remoaner like Mew to acknowledge that.

How delusional saying Brexit IS a success. What planet are you on? You definately don't live in the real world. "Let's get Brexit done" he said. "We got Brexit done" he said. Brexit will never be done and I'm sure any clients of yours who trade with Europe rue the day Brexit was ever mentioned.
We need a new Government who will strive to join the Single Market and Customs Union without delay.

Thanks (4)
Replying to mbee1:
By ireallyshouldknowthisbut
31st May 2022 15:15

@mbee1, clearly they missed the 4% drop in GDP attributed to brexit, the highest inflation in Europe (partly due to Brexit) huge mess on the borders. B2C trade into the EU destroyed for small business and all the rest of it.

But but but but, passport colours we could have had anyway, and the metric which of course never went away. Pint of beer or milk anyone? o and the crown mark on pint glasses....which also was never illegal. And above all this mythical "sovereignty" (which we always had) when the reality is having thrown away our influence in Europe means we are now effectively a "rule taker" from the EU as far as manufacturing and many other standards go rather than being part of the decisions.

On the plus side, we are much freer to pollute our air and water and for there to be not backstop or control over a rouge government in no.10 clamping down on, I don't know, basic human rights. Thats what "taking back control" means. For Boris & his chums not for the puce faced supporters. Even Farage understood that as he frantically back peddled about the money on the bus on the morning of night after the referendum.

Thanks (0)
Replying to ireallyshouldknowthisbut:
By Hugo Fair
31st May 2022 15:22

Didn't know we had "a rouge government in no.10" ... when did Boris join the Communist party?

Thanks (1)
By JustAnotherUser
31st May 2022 08:38

GDPR made the internet worse,

load facebook in icognito, the first pop up for data collection has 4,217 words.... big blue button or light grey ... optional or not.

110% gurantee they still collect whatever they want and that a legel team makes sure they bend whatever laws they want to meet thier needs

Any laws broken and fines paid are just an additional cost to them.

General Data Pop-Up Rules

Thanks (2)
By Trethi Teg
31st May 2022 17:56

It is a pointless pain in the [***] which jobsworths and the woke use for their own agendas. I could write a 1000 word explanation why but I think a simple statement does the job.

Thanks (1)
Replying to Trethi Teg:
By turchyna582
09th Jun 2022 10:57

Spot on Trethi Teg!
Try communicating (legally) with any large organisation (especially Utilities, Government Agencies and Local Authorities) on simple matters like ledger reconciliation or bill queries. They quote GDPR and that YOU must be the person named as the contact on the Account or the Dashboard etc. to be able to speak with them.
This is despite the fact that many SME's do not have the staff or the necessity to have a named person for every job.......whoever is available and whoever is intstructed to deal wither matter does so.
Noticeably, each of these Companies and their Jobsworths, expect all customers to accept anyone (named or otherwise) as having authority to contact to you!
Of interest is that I am not talking of personal data......the Account is held by the Company and therefore anyone authorised by the Company (not the Utility provider) should be able to communicate without all these unnecessary hurdles.

Thanks (0)