D-Secure - Advanced Data Security Solutions
Data Privacy

Seven Years of GDPR: Origins & Future Direction

Explore the evolution of Europe's landmark data protection regulation, understand how businesses adapted, and discover what changes lie ahead.

The EU General Data Protection Regulation (EU-GDPR), Regulation (EU) 2016/679, is widely regarded as one of the most comprehensive and influential data protection laws in the world. It was adopted in April 2016, entered into force on May 24, 2016 and became applicable on May 25, 2018, the date from which its obligations could be enforced and the date that has now marked its seventh anniversary.

Comprising 11 chapters and 99 articles, the regulation covers material and territorial scope, the data protection principles, the lawful bases for processing, cross-border data transfers, the rights of data subjects, and the role of Data Protection Officers (DPOs).

The Origins of EU-GDPR

Before EU-GDPR there was the Data Protection Directive (Directive 95/46/EC), adopted in 1995. As a directive it set minimum standards rather than directly applicable rules: each member state transposed it into its own national law, which produced uneven implementation across the EU. Its objective was to regulate the movement and processing of personal data while protecting the fundamental rights of individuals.

The Landmark Case That Changed Everything

One case in particular exposed the limits of the Directive and foreshadowed EU-GDPR. In 1998 a Spanish newspaper published a notice about the auction of property belonging to Mario Costeja González to recover debts, and the notice remained available on the newspaper's website. Although the matter had long been resolved, a Google search for his name still returned the notice years later.

In 2010 González complained to the Spanish Data Protection Agency (AEPD), which ordered Google Spain and Google Inc. to remove the links while rejecting the complaint against the newspaper. On referral, the Court of Justice of the European Union (CJEU) held in Google Spain v AEPD and Mario Costeja González (C-131/12, 2014) that a search engine operator is a data controller under the Directive and that a data subject can require the removal of links to information that is inadequate, irrelevant or no longer relevant. This "right to be forgotten" was subsequently codified as the Right to Erasure in Article 17 of GDPR.

From Uncertainty to Established Framework

When EU-GDPR first became applicable, organizations of all sizes, from SMEs to multinational corporations, were apprehensive. Smaller businesses worried about the additional financial and operational burden, while larger organizations found the requirements restrictive. Industry surveys at the time reported that 83% of organizations felt unprepared for GDPR compliance, with 53% identifying the Right to Erasure as a major challenge.

Those concerns looked justified almost immediately: within days of the application date, complaints were filed against major technology companies over their data collection practices, with potential penalties running to billions of euros. The upper fine tier of Article 83(5), up to €20 million or 4% of total worldwide annual turnover of the preceding financial year, whichever is higher, was a particular source of anxiety for multinationals.

Seven Years of Enforcement

Between July 2018 and May 2025 the largest number of penalties imposed in a single month was 68, and the largest monthly total was roughly €1.2 billion. That total is dominated by a single fine: in May 2023 the Irish Data Protection Commission fined Meta Platforms Ireland Limited €1.2 billion, the largest GDPR penalty to date, for continuing to transfer Facebook users' personal data to the United States on the basis of standard contractual clauses that did not address the risks identified by the CJEU in its 2020 Schrems II judgment.

Seven years on, the landscape has changed. Research cited in the industry finds that 54% of CISOs and CSOs now express confidence in their organization's regulatory compliance, and recent global compliance studies report that 82% of organizations are actively interested in investing in compliance-related technology.

Standard Contractual Clauses (SCCs)

The European Commission has adopted Standard Contractual Clauses (SCCs): pre-approved model clauses that controllers and processors can incorporate into their contracts, voluntarily, to satisfy specific GDPR obligations. In June 2021 the Commission adopted two new sets:

SCCs for Controller-Processor Contracts

Commission Implementing Decision (EU) 2021/915 provides clauses that controllers and processors, whether public or private bodies or EU institutions, can use to meet the mandatory contract terms required by Article 28(3) and (4) GDPR. These clauses govern processing within the EU/EEA and were the first Commission-issued set of their kind; on their own they do not authorise a transfer to a third country.

SCCs as International Transfer Tools

Commission Implementing Decision (EU) 2021/914 provides clauses that serve as an appropriate safeguard under Article 46(2)(c) for transfers of personal data outside the European Economic Area. They replaced the earlier sets adopted in 2001, 2004 and 2010 and are modular, with four modules covering controller-to-controller, controller-to-processor, processor-to-processor and processor-to-controller transfers. A data exporter may rely on them without prior authorisation from a supervisory authority, and the data importer becomes contractually bound by their safeguards. Two practical caveats follow from the Schrems II judgment, which these clauses were drafted to reflect: the text must be used essentially unchanged (modules selected and annexes completed, with no additions that contradict the clauses), and Clause 14 requires the parties to carry out and document a transfer impact assessment confirming that the laws and practices of the destination country do not prevent the importer from honouring the clauses. The Meta fine described above shows that signing the clauses is not sufficient if that assessment is not acted on.

Technical & Organizational Measures

Both sets include an annex (Annex II of the transfer SCCs, Annex III of the controller-processor SCCs) in which the parties must describe the technical and organisational measures that ensure an appropriate level of security. The Commission's template lists example categories, among them measures for data minimisation, for limited data retention and for ensuring erasure. On termination of the contract the processor must, at the controller's choice, delete all personal data or return it to the controller, and may retain data only where Union or member state law requires it. In practice "deletion" here has to be demonstrable, so the processor should keep a record of what was erased, when, by which method and with what verification.

Looking Ahead: GDPR's Future

EU-GDPR is now in its seventh year of application. Post-Brexit the EU regulation no longer applies in the UK, which instead operates the closely aligned UK GDPR, and leaders from several member states have argued that GDPR's compliance burden weighs on economic competitiveness. Responding to these concerns, the European Commission published its fourth Simplification Omnibus Package in May 2025.

The package proposes amendments estimated to save EU businesses roughly €400 million a year. For GDPR specifically, the record-keeping obligation of Article 30 would become more risk-based, and a new category of Small and Mid-Cap Enterprises (SMCs), alongside SMEs, would benefit from extended exemptions. The European Data Protection Board and the European Data Protection Supervisor have expressed support for these proposals.

While it is too early to assess the effect of these amendments, data protection professionals remain concerned that relaxed compliance requirements could weaken data security in practice.


Achieving GDPR Compliance with D-Secure

The Right to Erasure remains one of the most challenging GDPR requirements for organizations, because personal data must be removed from every system and storage device that holds it, and the removal must be demonstrable afterwards. D-Secure provides certified data erasure solutions that help businesses meet GDPR's data destruction requirements with audit-ready documentation.

Certified Data Destruction

Permanently erase personal data from storage devices using internationally recognized erasure standards that satisfy GDPR's Right to Erasure requirements.

Audit-Ready Documentation

Generate tamper-proof certificates and detailed erasure reports that demonstrate compliance during regulatory audits and data protection assessments.

Cross-Border Compliance

Ensure data protection measures are maintained when transferring or disposing of data-bearing devices across international boundaries.

Data Retention Management

Implement secure data deletion procedures aligned with GDPR's data minimization and limited retention principles.

Frequently Asked Questions

When did EU-GDPR come into force?

EU-GDPR was adopted in April 2016 and entered into force on May 24, 2016, but its provisions only became applicable on May 25, 2018. The two-year gap was the transition period given to organizations to prepare for compliance.

Does EU-GDPR apply to the UK?

Post-Brexit, EU-GDPR no longer directly applies in the UK. The UK retained the regulation in domestic law as the UK GDPR, read alongside the Data Protection Act 2018, and it mirrors most of the EU regulation's requirements. The EU has also adopted an adequacy decision for the UK, so personal data can flow from the EEA to the UK without additional transfer tools.

What has been the highest penalty for GDPR violation?

The highest GDPR penalty to date is €1.2 billion, imposed by the Irish Data Protection Commission on Meta Platforms Ireland Limited in May 2023 for transferring Facebook users' personal data to the United States without adequate safeguards, in breach of Article 46(1).

What is the maximum penalty for GDPR non-compliance?

Article 83 sets two tiers. The higher tier, for the most serious infringements such as breaches of the basic processing principles, data subject rights or the transfer rules, is up to €20 million or 4% of total worldwide annual turnover of the preceding financial year, whichever is higher. The lower tier, for infringements such as the controller and processor obligations in Articles 25 to 39, is up to €10 million or 2%.

Will EU-GDPR be amended soon?

The European Commission published its Simplification Omnibus Package in May 2025, proposing amendments that include risk-based record-keeping and extended exemptions for small and mid-cap enterprises. The stated aim is to reduce administrative burden while maintaining data protection standards; the proposals still have to pass through the EU legislative process before they take effect.
