5 Years Of GDPR, What Do The Experts Say?

In the ever-evolving digital landscape, data privacy has emerged as a paramount concern for individuals, organisations, and governments alike. Five years ago, the European Union (EU) took a significant step towards safeguarding user data with the implementation of the General Data Protection Regulation (GDPR).

The GDPR, which came into effect on May 25, 2018, brought about a seismic shift in the way companies collect, process, and store personal data. Its broad scope encompassed not only EU-based organisations but also any entity globally that dealt with the personal data of EU citizens. From small businesses to tech giants, all were compelled to re-evaluate their data protection practices and ensure compliance with the comprehensive framework of the GDPR.

This landmark legislation aimed to empower individuals with greater control over their personal information and imposed strict obligations on businesses handling such data. As we mark the fifth anniversary of the GDPR’s enforcement, it is an opportune time to reflect on its impact. We asked the experts how GDPR has affected their field…

Colum Lyons, CEO and Founder of ID-Pal

“Five years on from the introduction of GDPR and there is still a long road to go. Even this week, Meta has been hit with a record €1.2 billion fine by the Irish Data Protection Commission (DPC) for violating a GDPR rule, proof that severe consequences are waiting for businesses if the right GDPR-compliant measures are not in place.

“Customers’ personal data must be carefully managed and a lot of organisations still struggle to do this. As more and more industries are being asked to verify their customer identities, this is even more critical to get right when verifying identities as part of Anti-Money laundering (AML) or Know your Customer (KYC) processes. The onus is on the organisation to capture, verify and store their customer’s personal data securely.

“Identity verification processes that use document verification, alongside biometrics and database means a solution meets regulatory guidelines in a more robust way, making the process more complex for fraudsters to outwit but makes the journey seamless for users.”

Mike Ferguson, VP EMEA at Redpoint Global

“Despite an ever-evolving business landscape, on its fifth anniversary GDPR is still highly relevant. This week’s record fine imposed on Meta for breaching GDPR regulations reminds us of this.

“These regulations have prompted organisations of all shapes and sizes to up their game in terms of data stewardship and responsibility, whilst encouraging consumers to think more about how their data is handled. Businesses are now fostering a new sense of responsibility towards their customers and embracing an unspoken contract of trust with consumers, recognising the importance of a meaningful value exchange.

“This has led to GDPR installing a culture of enhanced data management, raising expectations for companies to safely and properly handle data. Although the regulation has been criticised for fearmongering with huge fines, the changes have been beneficial, raising standards is never a bad thing.

“Finally, consumers are now better informed, meaning they are more capable of choosing which brands they want to interact with. Companies cannot ignore this growing awareness and must continue to responsibly manage data. Going back five years, there’s nothing I would change in light of this success, and businesses would do well to continue with this momentum.”


Damien Brophy, Senior Vice President EMEA at ThoughtSpot

“Since coming into force five years ago, the GDPR framework has sought to give people and businesses security and protection. The reality has been a state of flux with little enforcement of the regulation, the long-standing business challenge of how to effectively tap into the power of data whilst remaining compliant and global friction with data laws and standards so different across the world.

“Businesses now have the added layer of complexity with The Data Protection and Digital Information Bill currently passing through parliament, which is an update to UK GDPR. While sentiment around the new bill is mixed, business leaders need to see this impending change as a positive move in allowing the UK to become a true playground for innovation. This is due to the changes in the barriers to entry for data use and data manipulation lowering, giving businesses the opportunity to engage with their data more freely and use it to inform growth.

“What is crucial now is that businesses start considering the challenges this will bring in terms of driving innovation, lowering the barriers to data entry but still protecting people’s data. There will be a balance required in governance and agility. And leaders also need to push the UK Government to pass this new bill through parliament quicker as to date, progress has been slow and this will soon start impacting the true business innovation that can be taking place in the country.”<  

Charles Southwood, Regional VP and GM – Northern Europe and Africa at Denodo

“The fifth anniversary of GDPR provides us with an opportunity to reflect on how far we’ve come when it comes to protecting personal data. However, the reality is that, in many cases, there is still much to be done.

“Despite the stringent data policies, strict record keeping and time limits on how long data can be stored that GDPR brought into force, we continue to see many organisations struggle to ensure the simple and transparent management of personal data. One of the main hurdles they face is that data is usually distributed in different and separated repositories throughout an organisation; different locations, different formats & protocols and different permissions.

“With The Data Protection and Digital Information Bill – an update to the UK GDPR – currently passing through parliament, many organisations will seek out modern technologies to get a handle on data privacy. One such technology is data virtualization. In the context of GDPR, a key feature of data virtualization is that no data is moved and copied. This avoids multiple copies being created, where security can be an issue and where the original context and permissions of the data capture, can be lost. Likewise, by providing easy and complete access to all repositories, through a single information layer, data virtualisation ensures that data can be traced and audited in real-time, no matter where it is stored, and without the need for duplication. It facilitates compliance with current legislation whilst enabling organisations to protect their data.”

Ben Kartzman, COO at Mediaocean

“The last five years, since the introduction of GDPR, have seen the marketing landscape change drastically. Consumers have become much more savvy in regard to their privacy rights and advertisers have experienced massive signal loss. But it wasn’t just regulation that contributed to data deprecation. Other factors in play include Apple’s policies around app tracking and Google’s plans to disable third-party cookies.

“Looking ahead, it’s clear that the best path forward for brands is to develop first-party data by building direct relationships with customers and obtaining consent to communicate with them. On top of that, marketers can work with platforms that have their own first-party data and ability to use it for targeting ads. And there are also independent ad servers that can use first-party data and probabilistic determinants to address identity resolution.

“Above all, marketers need to invest in advanced creative strategies to entice consumers to engage with their brands. With constraints around audience targeting, the most incremental lift for advertising campaigns will come from messaging. This is a big area of focus for advertising technology through the use of AI and automation to create personalised ads at scale.”

Andy Teichholz, Global Strategist, Compliance & Legal at OpenText

“After half a decade of GDPR, businesses are facing a different world when it comes to managing personal data. One of the biggest topics in many industries right now is the growing demand for transparency and accountability from a more knowledgeable consumer base.

“While fines can be staggering (we are approaching a little more than 1,600 individual fines totaling almost three billion euros for GDPR violations), reputational management and competitive differentiation are still driving boardroom conversations and informing the investments they make in terms of data management technology.

“Technology is advancing and there are powerful options to improve data compliance and transparency. Tools like AI and machine learning can help companies assess, categorize, manage and protect all data appropriately throughout its lifecycle. Also, while subject rights requests, especially Data Subject Access Request (DSARs), are becoming more commonplace, many organizational fulfillment activities today still rely on manual processes that overwhelm their already constrained resources. To meet mandated deadlines, teams are leveraging information retrieval technologies including eDiscovery tools (with their advanced analytics, review, redaction, and production capabilities) to automate and accelerate the fulfillment process – especially for high effort requests.

“With technology innovation, a much stronger data privacy strategy can help operationalize key privacy processes, guard against GDPR breach and build more trusting customer relationships. At a time when customer trust in businesses is fragile, we should use the anniversary of GDPR to reflect on how we can build better, more integrated data management strategies for the next half decade and beyond.”

Helena Nimmo, CIO at Endava

“GDPR regulation has long been criticised for being weak and lacking in enforcement. But with new bills passing through parliament and movements towards tightening regulation, companies will have stricter standards and guidelines to adhere to. We’re on the cusp of a new era of technology and businesses and regulators have the difficult task of striking the right balance between privacy and innovation, working towards a middle ground that allows both to exist in harmony.

“Digital transformation’ has been the buzzword of the decade, but it’s played out, long out of touch with business needs and – crucially – inevitable market changes. With new technologies such as ChatGPT emerging and presenting fresh privacy challenges, this will only intensify further. Instead of undertaking a business overhaul, organisations should take a more iterative approach: ‘digital acceleration’. Digital acceleration allows for more agile delivery that doesn’t undermine longer-term strategic thinking or changes to regulatory frameworks, like what we’re seeing now.

“Applied to GDPR, digital acceleration allows leaders to safeguard their organisations while allowing them to innovate with more flexibility – a key challenge when looking at mitigating risk and ensuring compliance. As people become more aware of their data than ever, businesses have a responsibility to their customers, employees and other stakeholders to make decisions with privacy front of mind. Failure to prioritise is not only a compliance and financial risk, but a significant reputational one, too.

“While there are some natural privacy concerns around advancements in technology such as AI, we’re actually seeing these innovations being used as part of the solution. AI is increasingly becoming a crucial pillar of many organisations’ data strategies due to its ability to manage and protect data with accuracy whilst reducing human error.”

James Evans, CPO and VP of Legal, TripleLift


“By and large, GDPR has brought a level of uniformity for data privacy across Europe that has helped businesses to comply at scale. But regulators could still do more to enable progress. Contextual, for example, is promoted as the privacy-centric targeting method of choice. But contextual campaigns are difficult to measure in the absence of an identifier and basic tracking – and what you can’t measure in digital advertising, you cannot effectively sell and demonstrate ROI.

“Regulators should encourage publishers and advertisers to adopt privacy-respectful solutions like contextual targeting with basic measurement and first-party data solutions. Setting accepted minimum compliance criteria – with protection against harsh enforcement for minor legal infractions – would assist advertisers and publishers to move past the third-party cookie era.

“The anniversary is also interesting due to the current rapid rise of artificial intelligence (AI) tools and the associated privacy challenges. The core GDPR principles are well placed to address the use of personal data in AI technologies; albeit there will be practical challenges around transparency and user controls where huge amounts of personal data are processed using very complicated technologies. This poses some fascinating questions around how privacy regulations should develop in the future. Perhaps certain limited exceptions are required to foster this exciting technology, rather than introducing additional privacy regulation.”


Aviran Edery, SVP & GM Marketplace, Verve Group

“GDPR signalled a shift in the digital sphere that is being felt to this day. It remains one of the clearest and most concise sets of privacy regulations and inspired other countries to develop their own guidelines.

“The loss of cookies is just the next phase of the privacy-centric future advertisers face and it’s imperative they’re not using identifiers that are unlikely to outlast the next set of regulations. Quality contextual data will enable them to tailor their ads to high-value audience segments, avoiding costly fines in the process.

“The winners of the new era of advertising will be marketers who put their pedal to the metal in future-proofing their approach, trialling advanced tools based on solutions that take into account the direction the legislative winds are blowing and put consumers’ data privacy first.”

Paul Thompson, Country Manager, Seedtag

“GDPR was a monumental undertaking. Every line was debated and detailed by 27 countries’ worth of expertise, and the hard work has paid off, as it is now the template for various privacy regulations rolling out around the world. Though there have been stumbling blocks around implementation costs and the still work-in-progress question of consent frameworks, we can thank GDPR for a more transparent data ecosystem that gives consumers control over their information and holds companies accountable for its misuse.

“But as robust as GDPR has been, it has not been able to keep up with the breakneck progression of generative AI, which has further compounded concerns of data provenance and usage rights. The complexity of the cookie era is a drop in the ocean compared to the sheer scale of data swallowed by machine learning models, along with the dire consequences of the unchecked internal biases and “hallucinations” these models can produce. With so much at stake, we cannot afford for a “GDPR for AI” to take as long at the drawing board as GDPR did.”

Lucia Mastromauro, UK Managing Director, Acceleration, A WPP Company

“The GDPR changed marketers’ relationship with data; AI is rebuilding it for the better.

“GDPR set a good base and much needed standards for privacy in the digital advertising industry, meaning the established players had to evolve significant parts of their solutions to operate within aprivacy-first paradigm. Now new AI capabilities have supercharged industry players and enabled marketers to take advantage of privacy-centred solutions at scale.

“Data modelling powered by machine learning, for instance, can plug the gaps left by limited data collection, while predictive AI can use businesses’ historical and observable data to forecast customer behaviours. With these capabilities, marketers are able to make even more impactful, data-driven decisions that boost a business’ bottom line. Responding to GDPR has been somewhat painful at times, but a highly positive journey as a whole, and it will be exciting to see how AI will continue shaping the industry’s approach to upholding data privacy.”

Pierre Naggar, Sales Director, MINT, UK

“Five years on, GDPR has radically changed the way consumers think about how their data is collected and used, bringing data privacy into the cultural conversation. As a result they have also become more aware of their data protection rights.

“In this sense, it has been tremendously effective. Marketers, however, are yet to reach such a revelation. Prior to GDPR, when audience data was free and at scale, there was a flourishing of audience-related platforms. Since GDPR enforced a much stronger approach to accountability of the data controller and user privacy and targeting, marketers are struggling with an array of proposed privacy solutions that are still in flux. This is partly due to the fact that marketers are hoping to find an alternative with the same targeting precision they have been used to with third-party cookies and a wealth of audience data.

“The privacy-first era of digital marketing heralded by GDPR is no longer driven by user identification. Savvy marketers should focus on unlocking the value of troves of under-utilised campaign data which is completely accessible through non-cookie based, privacy-friendly methods. This will allow them to build advertising equity, providing the means to achieve better data governance and greater awareness of how to utilise it, while respecting the fundamental rights and freedoms of consumers, attain actionable insights and future-proof company growth.”

Chris Hogg, Chief Revenue Office, Lotame

“There’s no denying the positive impact that the EU’s landmark legislation has had on accountability in the digital ecosystem. The difficulty now is getting the word out that it’s safer than ever to tap into third-party data, a vital source of knowledge that has been sidelined by the post-GDPR, first-party data goldrush.

“The maturity of the privacy-first data market in Europe makes it well positioned to handle complex questions being raised over the provenance and ownership of data used by generative AI. Regulators are already matching bark with bite — as seen in the temporary ban of ChatGPT in Italy — and I expect there will be a AI legislation taking shape by the year’s end.”

Daniel Pike, Chief Product Officer at Covatic

“By setting a benchmark in any discussion around privacy guidance, the GDPR has inspired other legislation with comparable concepts and definitions – such as the CCPA and proposed American Data Privacy and Protection Act in the US – to protect against the same harms. It has also propelled companies to invest and innovate in privacy-enhancing technologies, meeting the expectations of consumers, who have become more aware of their rights when it comes to data privacy and its potential issues.

“However, there seems to be a growing sense of complacency around data privacy in some areas, fuelled perhaps by a perception that enforcement will only apply to the most egregious of breaches. Five years on, businesses, large and small, must continue to value the protections afforded by the GDPR – and be prepared for future changes, as legislation evolves and adapts to changing culture, mindsets, and dynamics.

“Moving forward, we’ll likely see privacy credentials becoming a competitive differentiator, as companies recognise the importance of going above and beyond what is required by current legislation; raising public awareness, resetting norms and expectations, and creating space for further protections.”

Lorna Handley, VP, General Counsel, InfoSum

Looking back

“Looking back over the last five years, it’s fair to say the GDPR has had a significant impact and embedded a culture of privacy by design. The GDPR has increased attention on the use of personal data, not just in the EU but worldwide. More and more organisations are taking the initiative to improve their data collection processes, rather than risk a large fine and, more importantly, their reputation. Equally, we continue to see legislators in other jurisdictions follow suit and focus on the protection of personal data.

“Despite this movement, enforcement actions against big tech players have shone a light on issues such as transparency and the legal basis for processing personal data, particularly in relation to online behavioural advertising. Furthermore, harmonisation remains a challenge. We still see differing interpretations by regulators across the EU, and the number and level of fines have varied between member states.”

Looking ahead

“Looking ahead to the next five years, one of the major challenges to privacy regulation is likely to come from the new wave of artificial intelligence technology. While the GDPR is principle-based legislation and should be flexible enough to adapt to new technologies and their applications, it will be interesting to see how regulators respond.

“Globally, the growing strength and scope of data protection regulation, combined with increasing awareness and concern among consumers about how their personal data is used, will see more countries outside the EU making data protection a primary focus over the next few years. The UK is likely to diverge away from the GDPR as it seeks to achieve greater autonomy from the EU; however, inevitably, this must be balanced with ensuring UK businesses can still operate effectively in European jurisdictions. In the US, the current patchwork of state-by-state regulation is presenting challenges, making it one to watch.”