GDPR two years on: Why there's still work to be done on data protection

Data protection laws have been broadly successful, says the European Commission - but problems around fragmentation and other issues remain.

Two years on from the General Data Protection Regulation (GDPR) coming into force, the data privacy law still faces challenges across the European Union, with fragmentation around how member states are implementing it and more.

A report by the European Commission broadly paints the data protection laws as a success when it comes to providing more privacy for citizens, providing people with better understanding around rights when handing over personal data, as well as encouraging organisations to take more precautions when handling information.

However, implementation of GDPR isn't the same across Europe, which could potentially be creating problems.

Just over two years on from GDPR becoming law, all European Union states – and the United Kingdom, which was signed up to GDPR pre-Brexit – have adopted it or adapted it into national data protection laws. The only member country which hasn't done so is Slovenia.

But the implementation of GDPR across member states isn't consistent and creates fragmentation, something which impacts cross-border business, particularly when it comes to new technological developments and cybersecurity products.

Part of the reason for this is that member states are responsible for managing the human, financial and technical resources of their national data protection authorities.

While this has led to good uptake and understanding of the legislation in countries including Iceland, the Netherlands, Finland, Ireland and Luxembourg – the latter two are home to the European headquarters of a number of global tech firms – other countries are lagging behind.

"The situation is still uneven between member states and is not yet satisfactory overall," said the report.

And while larger organisations have generally adapted to GDPR, the report notes that even two years on, understanding it and becoming compliant is still challenging for small and medium-sized enterprises (SMEs).

Several data protection authorities have provided tools to help SMEs implement GDPR and that's something the European Commission suggests should be "intensified and widespread".

But despite issues with fragmentation across borders and struggles involving small businesses, the Commission regards GDPR as a success, noting that 69% of over-16-year-olds across Europe are aware of the legislation and what it should represent for them.

"The GDPR has successfully met its objectives and has become a reference point across the world for countries that want to grant to their citizens a high level of protection. We can do better though, as today's report shows," said Didier Reynders, European Commissioner for Justice.

"The Commission will monitor progress, in close cooperation with the European Data Protection Board and in its regular exchanges with member states, so that the GDPR can deliver its full potential," he added.
