GDPR: Studying the World's Strictest Security Law 6 Years On

We take a look at the history, impact, and future of GDPR to see how it has effected the cyber sphere six years after its enactment

Today marks the sixth anniversary of the European Union's General Data Protection Regulation (GDPR) coming into force. 

GDPR is a comprehensive set of rules designed to protect the personal data and privacy of individuals within the EU. It governs how companies and organisations handle and process the data of EU citizens, imposing strict requirements for consent, data minimisation, and data security.

It is widely regarded as one of the strictest data protection laws in the world, with hefty fines for non-compliance. Companies found in breach can face penalties of up to €20 million or 4% of their global annual turnover, whichever is higher. So, six years on, what has happened since GDPR's implementation, and how has it changed data protection?

GDPR's history

GDPR was adopted by the European Parliament in April 2016 after years of negotiations and drafting. It replaced the earlier 1995 Data Protection Directive, which had become outdated due to the rise of the internet and new technologies. 

GDPR went into effect on 25 May 2018, after a two-year transition period, becoming enforceable as law across all EU member states.

The comprehensive nature and strict enforcement mechanisms of GDPR set a new global standard for data protection that other countries moved to emulate in order to safeguard their citizens' privacy rights in the digital age.

California Consumer Privacy Act adopted in the same year shares many similarities with the GDPR, and the Brexited UK enacted its "UK GDPR", identical to the EU’s, upon leaving the bloc. 

What GDPR covers

What GDPR covers
  • Organisations must obtain explicit consent from individuals before processing their personal data
  • Only the minimum amount of personal data necessary for a specific purpose should be collected and processed
  • Appropriate technical and organisational measures must be implemented to protect personal data from unauthorised access, accidental loss, or destruction
  • Individuals have the right to access, rectify, erase, or restrict the processing of their personal data, as well as the right to data portability

Fines’ effect on security standards

Since its implementation, GDPR has resulted in numerous high-profile fines for companies found in violation of its rules. Some of the largest fines include Amazon's €746 (then US$877 million)  in 2021, for an alleged data breach that exposed customer data; Meta was hit with a record-breaking €1.2 (US$1.29bn) fine in 2023 for mishandling people's data when transferring it between Europe and the us.

GDPR has therefore forced companies to adopt higher standards of data security and privacy practices. 

Michel Isnard, VP of EMEA at GitLab hailed the impact of the regulation, especially in the wake of AI. "GDPR played a pivotal role in ensuring that organisations recognise that they must integrate privacy, security, and compliance throughout their processes to manage risk effectively and add business value," said Isnard. “The growing need for data to build and fine-tune AI applications, coupled with an ever-increasing number of data breaches, indicates that adherence to GDPR has never been more important."

Steve Bradford, Senior Vice President EMEA at SailPoint, believes it was an important first step, but businesses need to take the next one. "GDPR paved the way for the increased importance of regulation to help companies protect their data. But to keep on top of evolving threats, organisations need to be on the front foot. Waiting to be led by government regulation or red tape isn't enough when the stakes are so high," said Bradford. "Operational downtime, customer loss, reputational damage and system restoration that follow any data breach all come with a major price tag - and headache - for businesses."

The EU has since followed up its focus on cyber with the Cyber Resilience Act, levelling fines of up to €15 million against manufacturers and developers of products with digital elements that do not implement strict cybersecurity requirements.

With the rise of new threats such as artificial intelligence and quantum computing, the importance of robust data protection measures has become even more critical. If companies did not take GDPR seriously before, and the Cyber Resilience Act now, the potential consequences of data breaches and the ever-evolving cybersecurity landscape will undoubtedly force them to prioritise compliance and data security moving forward.


Make sure you check out the latest edition of Cyber Magazine and also sign up to our global conference series - Tech & AI LIVE 2024


Cyber Magazine is a BizClik brand


Featured Articles

SolarWinds: IT Staff Dubious on Organisation's AI Readiness

A recent trends report by SolarWinds reveals that very few IT professionals are confident in their organisation's readiness to integrate AI

Is Stress a Driving Force Behind the Cyber Skills Shortage?

A SenseOn study has showed 95% of IT leaders in the UK and Ireland say stress impacts their ability to retain staff

Rapid7 AI Engine Update Sees Gen AI Supporting SOC With MDR

Rapid7's enhanced AI Engine will now use machine learning models and new Gen AI models to separate real attacks from false alarms

Google Securing WFH with Zscaler and Netskope Partnership

Network Security

Why Have Cybersecurity Budgets Soared for TMT Companies?

Operational Security

Mandiant's Analysis Unveils Cause of Snowflake Data Theft

Operational Security