
Seven years after its implementation, the General Data Protection Regulation (GDPR) continues to serve as a pivotal framework for data privacy across Europe. Widely regarded as a landmark piece of legislation, it set a global benchmark for the protection of personal information in the digital age. However, as technology continues to advance, so does the threat landscape.
Rising cyberattacks, data breaches, and the involvement of AI all raise the question — does GDPR still represent the gold standard in data protection? GDPR may have adapted to meet emerging challenges, but whether these developments are enough in today’s digital landscape is still up for debate.
Navigating the changing digital landscape
Even after seven years, the influence of GDPR remains embedded in the foundations of data protection worldwide. As discussed by Terry Storrar, Managing Director, Leaseweb UK: “This is particularly evident with the data center industry and MSPs, which sit at the very heart of the UK’s and Europe’s digital infrastructure. While the regulatory landscape keeps evolving at an increasingly steady pace to keep up with new technologies, GDPR principles remain the cornerstone of data protection efforts in Europe and the UK.”
He continues, “GDPR has certainly not stood still in past years, yet technology continues to outpace regulation. The rate of recent change — particularly the explosion of emerging AI technologies — highlights the many challenges regulation faces and reminds us of the importance of continued development of data protection regulation. With continued calls for European data sovereignty, both the UK and EU are focusing more on digital autonomy and reducing dependence on foreign cloud providers. Growing geopolitical concerns and heavy dependencies on infrastructure outside of Europe means that data centers and MSPs will play a critical role in enabling this shift. Considerations on where data is stored, who controls it and how it’s accessed will be crucial.”
Storrar also believes that although newer regulations, such as the Data Governance Act, have added layers to GDPR, they have not replaced it: “These regulations highlight the growing complexity of data compliance but also clearly position GDPR’s role as the baseline for further, more targeted laws. For businesses, this means that GDPR compliance is a dynamic process, requiring both continued compliance with existing regulation as well as integration of newer obligations resulting from emerging rules. In a digital landscape that is transformed by AI, cloud-native architectures, and geopolitical shifts, GDPR’s legacy is undeniable, and its continued relevance stems from its adaptability.”
Demanding reporting requirements
The regulatory and reporting requirements that come with GDPR continue to prove a challenge for businesses. Ricardo José Garrido Reichelt, Principal Security Technologist EMEA, Office of the CTO at Commvault, notes that organizations able to meet the reporting requirements of GDPR and other regulations will reap the benefits: “The reporting requirements for cyber incidents under GDPR and NIS2 are very demanding, mandating reports within 72 and 24 hours, respectively. Only those who can act immediately, remain operational and move on to attack analysis will be able to meet the tight reporting requirements.”
“To achieve this, they should follow the concept of the ‘Minimum Viable Company’,” adds Reichelt. “This concept defines in advance exactly which infrastructure and systems, applications, processes, and environments are absolutely necessary to maintain emergency operations. In contrast, companies that are not so prepared need an average of 24 days to get back up and running after a cyberattack — 24 days versus the 24 hours required by the requirement.”
He notes how the introduction of NIS2, which builds on GDPR’s principles, will demand more from companies: “NIS2 will very likely lead to an overall increase in security levels, making it more difficult for hackers and bad actors to compromise critical infrastructure. And this increased cyber resilience will ultimately be a competitive advantage. We’ve become accustomed to cyberattacks being part of everyday life. And thanks to NIS2, we’ll hopefully get used to companies being better able to withstand attacks and get back online within a few days or hours, not weeks or months.”
Maintaining practicality and relevance
If it is going to maintain relevance, GDPR must build upon its core principles of fairness, transparency, and accountability, to evolve with the technology of today. As highlighted by Glenn Akester, Technology Director for Cyber Security & Networks at Node4, how GDPR applies to AI is a potential grey area. “GDPR does apply to AI, but its definitions are being stretched by modern AI capabilities, with regulators increasingly accepting that training data may still carry personal identifiers, even when buried deep in models.”
He continues, “Synthetic data offers a promising privacy-preserving route, but it’s underdeveloped in UK law. The UK’s current reforms aim to cut red tape while keeping core rights intact. Flexibility, such as clearer legitimate interest provisions, allows responsible innovation. The Government is also avoiding overly prescriptive AI laws (unlike the EU’s AI Act), preferring regulator-led guidance – a more flexible stance which may prove to be a competitive advantage. The law isn’t changing direction, just shifting gears to keep up.”
It is clear that the relevance of GDPR cannot be denied, but it must continue to be updated or it risks losing effectiveness. Today’s digital landscape is still evolving rapidly, driven by technologies such as AI and IoT, so GDPR must be expanded and adapted if it is to remain the global benchmark for the protection of personal information.