It’s been 7 years since the General Data Protection Regulation (GDPR; Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data) came into force on 25 May 2018.
To date, approximately 167 countries have introduced their own data protection laws. Others, like Pakistan, Bangladesh and Bolivia, have legislation in the pipeline. Many of these frameworks echo the GDPR’s core principles (transparency, accountability (perhaps the most important GDPR principle, which requires controllers to take responsibility for complying with the GDPR and to document their compliance) and data subject rights), cementing its reputation as the global benchmark for privacy.
But seven years on, it is clear we are entering a new chapter of data protection. With the rapid acceleration of AI technologies and the increasing use of big data to train models and automate decisions, can the GDPR keep pace?
To mark the anniversary, we asked some of our Data Protection Officers to reflect on what’s changed, what’s coming next, and what businesses should be thinking about now.
Once viewed as a compliance checklist, the GDPR has been a catalyst for cultural and strategic change. Public awareness around privacy has grown significantly, and organisations now recognise data protection as central to trust, brand value, and long-term resilience. It has also set a global benchmark, prompting countries worldwide to rethink the scope and ambition of their own data laws.
Michael Wallace, DPO, reflects on the principles-based approach:
‘Principle-based laws don’t give black and white rules but rather offer broad standards that require interpretation. That flexibility is helpful for organisations, giving them room to adapt, but when clear yes/no answers are required, the lack of specificity has sometimes created confusion or legal uncertainty.’
Pascal Bodang, DPO and Netherlands Pod Leader, adds that the GDPR has been a powerful reminder that regulation can drive positive change:
‘Initially seen as a burden, or a ‘big stick’, it has brought greater structure, awareness, and accountability to the way personal data is managed. More importantly, it has helped businesses reframe privacy—not as a box-ticking exercise, but as a strategic advantage, where trust and transparency are valuable assets.’
AI systems are evolving fast and often rely on vast datasets that challenge the GDPR’s principles around transparency, purpose limitation (the second GDPR principle, requiring organisations to process personal data only for the specific purpose for which it was collected) and data minimisation (the third GDPR principle, requiring organisations to collect only the personal data that is truly necessary to fulfil each purpose of processing). As models become more complex, so do the compliance challenges for organisations operating in the EU, which must also meet additional regulations.
‘AI systems that process EU personal data are still subject to the GDPR and they must also meet the requirements of the AI Act. There’s significant overlap between the two and strong data protection practices often support AI compliance. It’s not a choice between complying with one or the other—both are essential.’ David Smith, DPO and AI Sector Lead
The Data (Use and Access) Bill proposes key updates to the current UK GDPR framework (the UK General Data Protection Regulation: before leaving the EU, the UK transposed the GDPR into UK law through the Data Protection Act 2018, which became the UK GDPR on 1 January 2021 when the UK formally exited the EU) and has sparked much debate as it moves through Parliament. It is presented as a simplification to support businesses and innovation, although privacy experts are cautious about whether it could weaken individual protections and jeopardise the UK’s adequacy status with the EU.
‘From a DPO’s perspective, the biggest concern isn’t just divergence—it’s fragmentation. For multinationals, two regimes with similar names but different thresholds mean double the complexity, not half the burden. The UK’s push for clarity and flexibility is welcome but watering down core data subject rights could backfire if it weakens public confidence or undermines interoperability with the EU.’ Roberta Ferrara, DPO
The GDPR was designed as a principles-based framework, intended to be flexible and adaptable across different technologies and use cases. But despite this, many privacy professionals believe it needs clearer, more consistent guidance to remain effective, especially as new technologies emerge and complexity grows in highly regulated sectors.
Lawrence Carter, DPO and Life Sciences Sector Lead, highlights that the main issue to date is that the GDPR hasn’t supported a model for issuing secondary legislation to codify complex issues:
‘Life Sciences organisations, in particular, face ongoing challenges in certain areas, including selecting the correct lawful basis for clinical trials, pseudonymisation, and international data transfers. Guidance from the EDPB and rulings from the CJEU are, at times, inconsistent, contradictory, and not uniformly interpreted across Member States, leading to a patchwork of jurisdictional exceptions rather than harmonisation and regulatory certainty. Introducing a mechanism to formally clarify and update the GDPR could offer greater consistency and confidence for organisations navigating high-risk processing.’
Data protection is already being shaped by emerging technologies, and over the coming years this is likely to continue, bringing new challenges for organisations as they work to keep up. As regulations evolve and public awareness grows further, trust will become a crucial factor. Organisations that can demonstrate responsible and transparent data practices will be better placed to meet regulatory expectations, strengthen customer relationships and confidently embrace innovation.
For Paul Collier, DPO and Pod Leader, the most significant shifts lie in the growing influence of AI, the expansion of IoT, and the regulatory response to both:
‘As AI and connected devices become more integrated into everyday life, we’ll see increasing pressure on organisations to ensure transparency around automated decision-making and embed privacy by design as standard. We should also expect sharper regulatory focus on biometrics and health data, particularly as Life Sciences adopt more personalised, data-driven tools. And with technologies like quantum computing on the horizon, we’ll need to ask whether today’s data laws are agile enough to handle what’s coming.’
Shane Gohill, DPO and Tech and Security Sector Lead, agrees that a proactive, tech-forward approach will be essential:
‘Privacy-enhancing technologies (PETs) will become more accessible to businesses and widely understood across industries, which will enable organisations to extract maximum value from their data while minimising privacy risks.’
As the GDPR moves into its eighth year, data protection is no longer just about compliance. With AI, regulatory divergences and growing public expectations, the organisations that will thrive are those that treat privacy as a strategic priority, built-in, visible, and always evolving.
Stay informed on the latest data protection news impacting the UK, Europe and North America—sign up to our fortnightly newsletter, The DPIA.