Eight Years In, GDPR Changed Everything
2026-5-26 06:25:22 Author: securityboulevard.com

The potential of GDPR has always been so much more than simply compliance—a decade ago, when European regulators, government officials and business leaders began talking about stringent privacy legislation (and set off a mild panic), it was clear the impending law was an opportunity for organizations to marshal and understand their data and how it is used. 

Now, eight years after GDPR went into effect, it is the “global benchmark for responsible data governance” and has “reshaped expectations around accountability, transparency, and consumer trust, and elevated privacy into a core component of digital business strategy rather than a compliance function,” says Susan Fletcher, global chief privacy officer and deputy general counsel at Precisely. 

“It has become a test of whether organizations can demonstrate control at scale,” adds Shane Barney, CISO at Keeper Security.  

The lead-up to the May 2018 deadline found organizations scrambling to protect data and avoid devastating incidents—as well as the prospect of large fines. It quickly became clear that GDPR “required a fundamental redesign of how organizations understand data, build products, and govern increasingly complex digital ecosystems,” says Fletcher. 

It’s hard to conjure up that struggle now, eight years on, where Fletcher says, “most organizations understand the principles well” and the challenge isn’t interpretation but rather “consistent operationalization across cloud environments, AI systems, and complex data sharing ecosystems.” 

Barney believes three forces drove GDPR’s evolution: what began as “a compliance framework centered on consent, lawful basis and breach notification has evolved into something far more operational: a technical-control standard where identity governance is now central to trust and accountability.” 

Geopolitical fragmentation, he says, “reshaped global data governance,” with Schrems II invalidating Privacy Shield in 2020 and exposing “tensions between transatlantic surveillance law and EU privacy protections.” A legal mechanism for data transfers was restored in 2023 with the advent of the EU-U.S. Data Privacy Framework. Still, “growing data localization requirements are fragmenting cross-border data governance,” Barney says.

Second, regulators intensified enforcement. “GDPR fines have now exceeded €5 billion, with Meta’s €1.2 billion penalty in 2023 establishing a new benchmark for regulatory exposure,” he says.

And now, AI has “raised the stakes.” Barney contends that “the Italian Garante’s 2023 action against ChatGPT marked an early turning point, and GDPR Article 22 on automated decision-making has become increasingly relevant as AI agents interact with personal data at machine speed.”

The gains in the nearly decade since GDPR’s implementation are clear. “Privacy by design is now a baseline expectation, and data protection is embedded much earlier in product and engineering lifecycles,” says Fletcher, noting that the bar for vendor accountability has been raised significantly. 

“Organizations now require clearer data processing terms, stronger security assurances, and far greater visibility into cross-border data flows and sub-processor arrangements,” she says, driving “more structured governance across cloud, SaaS, and data infrastructure ecosystems.” 

But perhaps its greatest achievement thus far, she says, is shifting trust into a measurable business outcome. “Organizations are increasingly assessed not only on compliance, but on whether their data practices are transparent, consistent, and demonstrably responsible,” Fletcher says. 

The biggest organizations may have learned, as she says, “that privacy cannot be achieved through policy alone” and “must be embedded into system design, data architecture, and operational processes,” and that data complexity is consistently underestimated. Still, GDPR has panned out differently for smaller organizations.  

“SMBs find themselves asynchronously prepared compared to their Enterprise brethren,” says Matt Lee, senior director of security and compliance at Pax8.  

“Although the number of GDPR requests, combined with state-by-state privacy policies such as CCPA, and NY Shield activities, is EXTREMELY low, the SMB finds itself at the mercy of others, and well below the cybersecurity poverty line,” Lee says.  

SMBs depend on GDPR and other tooling, Lee says, “to even exist in the LOB software they use daily, and frequently lack the personnel and knowledge that the data [they use] daily belongs to others.”  

What’s more, “they largely lack the fiduciary knowledge that privacy legislation is a big deal.” 

GDPR is likely to maintain its relevance as AI continues to grow. “Its core principles are technology-neutral and directly applicable to AI systems,” says Fletcher.  

“Fairness, transparency, accountability, purpose limitation, and human oversight remain essential regardless of the underlying technology.” 

But AI has changed scale and speed. “AI systems now generate outputs, infer patterns, and influence decisions in ways that stretch traditional compliance models and operational controls,” says Fletcher, so while the framework still applies, “its implementation is being tested in real-world deployment.” 

The EU AI Act is intended to address some of those gaps “in relation to high-risk use cases and system-level obligations,” as are “targeted reforms through initiatives such as the Digital Omnibus package, aimed at reducing fragmentation across the EU digital rulebook and improving legal clarity without weakening core protections.” 

The Data (Use and Access) Act goes into effect in June and will amend the UK GDPR, distinguishing it from the EU’s version. 

Fletcher expects those “changes may create greater flexibility for organizations developing AI-enabled services and automated decision-making systems, supporting faster innovation and more efficient digital delivery,” but will also increase “the importance of governance, particularly around transparency, explainability, and meaningful human oversight.” 

Still, challenges remain. If GDPR is to remain relevant going forward, she says, it must evolve “in a way that improves clarity and consistency while preserving the trust and accountability framework GDPR established.” 


Source: https://securityboulevard.com/2026/05/eight-years-in-gdpr-changed-everything/