7 Years of GDPR: How it shaped the digital world, and what’s next?

On May 25, 2018, the General Data Protection Regulation (GDPR) came into force across the European Union, ushering in a new era of digital rights, transparency, and accountability. 

In January 2021 (following Brexit), the UK implemented this into domestic law with the UK GDPR, recognising the importance of continuing to uphold these standards. Globally, many more countries were using the GDPR as a basis to frame their own data protection laws. Seven years on, the GDPR has not only redefined privacy standards across Europe but also set a global benchmark for data protection.

In this blog post, we reflect on the milestones, challenges, and evolution of the GDPR from 2018 to 2025, and ask the question: what’s next for the UK in light of the new UK Data Use and Access Bill?

Year 1: The GDPR is introduced (2018)

The GDPR caused a wave of compliance activity. Businesses scrambled to update privacy policies, obtain consent, and understand their new obligations. High-profile complaints, such as Max Schrems’ cases against Facebook and Google, made headlines, signaling a serious enforcement landscape. For many, this was the year of awareness and adjustment, with the GDPR settling into its new role as the cornerstone of data protection, reshaping how organisations collect, process, and safeguard personal data across the EU and beyond.

Year 2: Fines are issued (2019)

Regulators across the EU began issuing significant fines. Notable penalties included a €50 million fine for Google by the French CNIL for lack of transparency and valid consent in ad personalisation. Organisations realised the GDPR was more than a checkbox exercise, and that noncompliance carried real financial and reputational risks. Individuals, meanwhile, became more aware of how their personal data is used and what rights they had been afforded.

Year 3: Cross-border transfer uncertainty (2020)

The landmark Schrems II ruling invalidated the Privacy Shield framework for transatlantic data transfers, throwing international business operations into legal uncertainty. Standard Contractual Clauses (SCCs) became the fallback, while companies scrambled to reassess cross-border transfers. Meanwhile, jurisdictions such as California took cues from the GDPR for their own data laws, in an attempt to align with the obligations imposed under the GDPR, further cementing the GDPR as the global standard to be followed.

Year 4: The GDPR’s influence (2021)

With continued regulatory scrutiny, companies invested heavily in compliance strategies and Data Protection Officer (DPO) roles. This period saw a maturing of internal privacy programmes. Guidance from the European Data Protection Board (EDPB) began to solidify interpretations of complex areas like legitimate interests and consent. At this stage, the GDPR had firmly planted its roots.

Year 5: Record-breaking fines prove no business is immune (2022)

Meta, Amazon, and TikTok faced record-breaking fines, with the Irish Data Protection Commission playing a central role in enforcement due to Ireland hosting many EU headquarters. These actions demonstrated that even the biggest players weren’t immune, and further fueled the debate around the adequacy of enforcement mechanisms, with many arguing that enforcement was too lenient.

Year 6: AI introduces new questions (2023)

As AI adoption surged, questions arose around lawful bases for processing, data minimisation, and automated decision-making. Regulators and policymakers began exploring how GDPR principles apply to machine learning and generative AI models. The tension between innovation and data protection came into sharper focus.

2023 was also the year of the EU-US Data Privacy Framework, with the European Commission adopting an adequacy decision for the United States’ data protection framework (not in all instances though!).

Year 7: The GDPR continues to influence other nations’ laws (2024)

By its seventh year, the GDPR is both celebrated and criticised. Some call for modernisation, particularly around AI, children’s data, and clearer international data transfer rules. 

Meanwhile, the GDPR’s influence continues to spread, with global privacy laws increasingly aligning to its standards. The EU itself is moving forward with complementary legislation, like the AI Act and Digital Markets Act, ushering in a new wave of digital regulation.

Now:

In countries such as the UK, there is a move away from the GDPR (although this is an anomaly at present), and the GDPR continues to be a driving force for data protection. 

The UK’s Data (Use and Access) Bill completed its passage through the House of Lords in February 2025, with some key amendments surrounding AI decisions, enhanced protections for children’s data, and some changes to direct marketing rules. As of May, the bill is still continuing its long journey to Royal Assent, with no confirmation as to when exactly this will be.

The GDPR is the gold standard

Seven years in, the GDPR remains the “gold standard for data protection”, providing a framework that has shaped the global conversation around privacy, accountability, and digital rights. However, it is by no means perfect. As we look ahead, its adaptability in the face of technological change will determine its future legacy. Particularly in the UK, big change is on the way.

For support in ensuring compliance with this legislation, we can provide a variety of data protection help depending on what you need. Through services like our outsourced DPO support, audits, and engaging online training courses, we’ll give your organisation the best chance at exceeding its obligations and becoming a role model in safeguarding data.

Contact us today to find out more.
