GDPR two years on: Why there's still work to be done on data protection

Data protection laws have been broadly successful says, European Commission - but problems around fragmentation and other issues remain.
Written by Danny Palmer, Senior Writer

Two years on from the General Data Protection Regulation (GDPR) coming into force, the data privacy law still faces challenges across the European Union, with fragmentation around how member states are implementing it and more.

A report by the European Commission broadly paints the data protection law as a success when it comes to providing more privacy for citizens, delivering better understanding on their rights when handing over personal data, as well as encouraging organisations to take more precautions when handling information.

However, GDPR implementation isn't the same across Europe, which could potentially create problems.

SEEIT pro's guide to GDPR readiness (free PDF)

Just over two years on from GDPR becoming law, all European Union states -- and the United Kingdom, which signed up to GDPR pre-Brexit -- have adopted it or adapted it into national data protection laws. The only member country which hasn't done so is Slovenia.

But the implementation of GDPR across member states isn't consistent, which creates fragmentation -- something that impacts cross-border business, particularly when it comes to new technological and cybersecurity developments.

Part of the reason for this is because member states are responsible for managing the human, financial and technical resources of their national data protection authorities.

While this has led to good uptake and understanding of the legislation in countries including Iceland, the Netherlands, Finland, Ireland and Luxembourg (the latter two host the European headquarters of several global tech firms), other countries are lagging behind.

"The situation is still uneven between member states and is not yet satisfactory overall," the report said.

And while larger organisations have generally adapted to GDPR, the report notes that even two years on, understanding it and becoming compliant is still challenging for small and medium sized enterprises (SMEs).

Several data protection authorities have provided tools to help SMEs implement GDPR, and that's something the European Commission suggests should be "intensified and widespread".

SEE: Cybersecurity: Do these ten things to keep your networks secure from hackers

But despite issues with fragmentation across borders and struggles involving small businesses, the Commission regards GDPR as a success, noting that 69% of over-16-year-olds across Europe are aware of the legislation and what it should represent for them.

"The GDPR has successfully met its objectives and has become a reference point across the world for countries that want to grant to their citizens a high level of protection. We can do better though, as today's report shows," said Didier Reynders, European Commissioner for Justice.

"The Commission will monitor progress, in close cooperation with the European Data Protection Board and in its regular exchanges with member states, so that the GDPR can deliver its full potential," Reynders added.


Editorial standards