Five Years Of The GDPR - A Five Point Reflection

Jurisdiction: European Union
Law Firm: Gowling WLG
Subject Matter: Litigation, Mediation & Arbitration, Privacy, Data Protection, Class Actions
Authors: Ms Helen Davenport, Jocelyn S. Paulley and Louise Macdonald
Published date: 29 May 2023

The behemoth of EU data protection legislation - the General Data Protection Regulation ("GDPR") - was implemented into UK law five years ago today, on 25th May 2018. Although an EU instrument, the GDPR imposes obligations on organisations anywhere in the world if they offer goods or services to or monitor people in the EU. It applies directly in the UK following the UK's departure from the EU in 2020, and is supplemented by the Data Protection Act 2018 ("DPA").

Whilst the law itself has not changed since 2018 (although it looks set to, see "Looking ahead" below), our understanding of the implementation and implications of the UK GDPR and the DPA has developed significantly over the last five years, since those initial projects to prepare for the 2018 legislation coming into force.

We had many questions over what to expect, so now, five years on from its implementation, we ask ourselves: have the perception and the reality of the GDPR changed?

1. Transparency and GDPR 2.0

A key objective of the regulators when creating the GDPR was to create transparency of processing and trust between controllers and data subjects. Those objectives manifested themselves in the requirement to create documentation (policies, privacy notices, records of processing), the carrying out of risk assessments (Data Protection Impact Assessments (DPIAs) and Legitimate Interest Assessments (LIAs)), the range of data subject rights, and governance within an organisation.

Much of this was initially perceived as daunting, but over the past half-decade we have seen a paradigm shift in data handling practices across every single industry in the UK (and in other jurisdictions), with organisations reinventing their data protection practices and frameworks and finding pragmatic solutions to make the law a reality. Privacy notices are taken seriously, and time is invested to ensure they are accurate and complete. DPIAs are conducted not just where mandated but (in many organisations) for any project that involves significant processing of data. The role of the Data Protection Officer, both mandated and voluntary, has become commonplace, with many in that role undertaking external qualifications.

After the first wave of creating policy-level documentation, we have observed a second wave of compliance in which organisations have realised that a one-time GDPR project does not maintain privacy compliance. Theoretical statements in policies are, over time, being turned into process-level documentation for teams in organisations to follow - colloquially known as "GDPR v2.0". Particularly in areas like data subject rights requests, vendor due diligence and breach escalation, we have seen organisations create practical step-by-step instructions that set out very clearly for teams what to do in those situations.

2. Controller-to-controller (C2C) and joint controller data sharing

The GDPR contained no specific requirements where controllers shared data (unlike the contractual requirements for controller-to-processor ("C2P") sharing), and no GDPR implementation projects included any diligence on C2C sharing. However, the Information Commissioner's Office ("ICO") produced the statutory...
