GDPR five years on: Industry leaders share their comments


It’s been five years since the GDPR – the General Data Protection Regulation – was implemented by the European Parliament.

Designed to enhance the rights of individual citizens in our increasingly digital world, they have changed the landscape for the use of personal data.

A lot has happened since 2018, so where are we with it after five years? We asked our industry leaders for their take on the GDPR…

Laura_DochertyLaura Docherty, Director of Governance, Risk & Compliance Go Inspire Group

“GDPR was hailed as a new era in privacy and data protection legislation. Five years on, individuals better understand the value of their data and their rights concerning how, where, and when data is used.

“In turn, individuals have greater privacy expectations from companies.

“Businesses have upped their privacy game in response; needing to maintain the trust of their valued customers.

“With constant new and emerging technologies, like facial recognition and the rise of AI powered tools such as ChatGPT, it will be interesting to see whether GDPR can keep up with the ever-changing privacy landscape we are currently in.

Piero-PavonePiero Pavone, CEO, Preciso

“I’m sure we can all remember the sudden flurry of GDPR notices that sprung up five years ago.

It felt like Armageddon. But disruption can be a good thing, and certainly, the tide keeps turning in the direction of privacy.

“The regulations were conceived to address the genuine concerns of consumers and while precision targeting is still possible, it requires more creativity. There’s no escaping the need to be compliant when it comes to personal data.

“To do anything else is lazy.

“In this post-GDPR world, change keeps coming thick and fast, and embracing and growing from necessary change requires flexibility and a willingness to let go of old ways of operating.

“This is no bad thing: As technology continues to evolve at breakneck speed, it is creative thinkers and innovative practitioners that will win.”

Dmitry SverdlikDmitry Sverdlik, CEO, Xenoss

“GDPR has propelled adtech innovation, leading to the rapid adoption of privacy-enhancing solutions like universal IDs, identity graphs, and data clean rooms.

“These advancements enable secure collaboration and leverage valuable first-party data. GDPR has pushed the industry to find the delicate balance between privacy and effective advertising, replacing deprecating ad IDs such as cookies and MAIDs.

“Retail media has emerged as a powerful avenue, allowing advertisers to salvage retargeting efforts and tap into valuable first-party data through partnerships with retailers.

“GDPR’s influence will continue to drive the evolution of the advertising industry, reshaping how advertisers engage with consumers.”

Per-hultman-walrPer Hultman, Head of IT Ops, Walr

“GDPR has made substantial progress in protecting personal data and raising privacy awareness. However, challenges remain in ensuring consistent implementation across borders and addressing emerging technologies, such as AI.

“Balancing privacy with innovation is a delicate task. GDPR could be improved by enhancing transparency, simplifying compliance, and making cross-border data transfers a breeze.

“The future will likely bring stricter regulations, increased enforcement, and greater harmonisation worldwide.

“Adapting to evolving technologies such as AI, managing data transfers outside the EU, and maintaining public trust will be key in shaping data protection frameworks going forward.”

Costas-michaliaCostas Michalia, Strategy and Innovation Director, Fiora

“GDPR has made significant strides, although not without challenges.

Small businesses struggle to comply due to resource constraints, whilst enforcement inconsistencies across the EU cause confusion.

“High-profile cases of non-compliance underscore the regulatory teeth of GDPR.

“The potential for individuals to monetise their data elevates the importance of GDPR regulations. Blockchain could enhance personal data control and security, giving individuals control over their data accessibility.

“Theoretically, it could also allow individuals to directly monetise their data. However, blockchain’s immutability conflicts with GDPR’s “right to be forgotten,” wherein individuals may request data erasure.

“Despite mixed public opinion and hurdles, the growing value of personal data underscores GDPR’s role in shaping a future of mutually beneficial co-existence.”

Chris-Hogg-EMEA-Managing-Director-LotameChris Hogg, Chief Revenue Office, Lotame

“There’s no denying the positive impact that the EU’s landmark legislation has had on accountability in the digital ecosystem.

“The difficulty now is getting the word out that it’s safer than ever to tap into third-party data, a vital source of knowledge that has been sidelined by the post-GDPR, first-party data goldrush.

“The maturity of the privacy-first data market in Europe makes it well positioned to handle complex questions being raised over the provenance and ownership of data used by generative AI.

“Regulators are already matching bark with bite — as seen in the temporary ban of ChatGPT in Italy — and I expect there will be a AI legislation taking shape by the year’s end.”

dan-pike-covaticDaniel Pike, Chief Product Officer, Covatic

“By setting a benchmark in any discussion around privacy guidance, the GDPR has inspired other legislation with comparable concepts and definitions – such as the CCPA and proposed American Data Privacy and Protection Act in the US – to protect against the same harms.

“It has also propelled companies to invest and innovate in privacy-enhancing technologies, meeting the expectations of consumers, who have become more aware of their rights when it comes to data privacy and its potential issues.

“However, there seems to be a growing sense of complacency around data privacy in some areas, fuelled perhaps by a perception that enforcement will only apply to the most egregious of breaches.

“Five years on, businesses, large and small, must continue to value the protections afforded by the GDPR – and be prepared for future changes, as legislation evolves and adapts to changing culture, mindsets, and dynamics.

“Moving forward, we’ll likely see privacy credentials becoming a competitive differentiator, as companies recognise the importance of going above and beyond what is required by current legislation; raising public awareness, resetting norms and expectations, and creating space for further protections.”

Paul Coggins, AdludioPaul Coggins, CEO, Adludio

“On the day when Ireland’s Data Protection Committee issued a £1bn fine to Meta under GDPR law, it’s clear that the bodies responsible for GDPR’s implementation are eager to show they are serious about consumers’ privacy rights.

“GDPR has undoubtedly been beneficial to consumers – forcing a reappraisal of what it means to have one’s rights protected online, it has helped to change adtech for the better. However it is not without its flaws.

“For example, the need for nearly every business to have a Data Protection Officer has added costs to businesses already struggling in a weak economy.

“Moreover, the lack of one set of rules globally means that every business has to be adept at understanding different rules in different locales.

“In addition, the seemingly mad rush following Brexit for further changes in the UK is only going to add further costs and confusion.”

Husna-GrimesHusna Grimes, VP Global Privacy, Permutive

“The GDPR certainly brought privacy into the mainstream. We are now starting to see a growing shift towards publisher direct-sold campaigns versus open marketplace.

“Publishers retain control over their own first-party data and there is less risk of exposure to downstream ad tech vendors.

“Having a direct relationship with end users means publishers can be more transparent with advertisers about how data is used for online advertising purposes, and ultimately give individuals more control over their own data.

“That’s not to say that it has been plain sailing. Post Brexit, the UK is, to the most part, still aligned with the EU GDPR but it remains to be seen what the impact of the proposed UK data reforms will be on this.

“With further challenges to international data transfers in the Schrems II decision bringing Standard Contractual Clauses into question as a valid lawful transfer mechanism, there is still much to learn.

“Discussions for a new framework are ongoing but we can likely expect more uncertainty and legal challenges when this is finalised.

“Much more can be done when it comes to GDPR. There needs to be more support for small to medium sized companies when it comes to compliance.

“A global standard for data transfers would help to remove the uncertainty currently faced by companies seeking to transfer their data across borders.

“More regulatory guidance and a consistent approach across Europe and the UK would help to reduce the compliance burden on companies operating in multiple regions.

“Finally, the UK government needs to ensure that any changes made to the UK’s data protection framework do not impact the current free flow of data between the UK and the EU afforded by the UK’s adequacy decision.”

Luke-Fenney-LiveRampLuke Fenney, VP Addressability, Europe, LiveRamp

“Data is at the centre of today’s connected world, so it was no surprise regulations like GDPR were introduced to protect privacy.

“As an industry, we came together to find standards, and five years on from GDPR coming into play, we’re still seeing those standards continue to evolve, such as the new version of the Transparency and Consent Framework.

“At the same time, decisions made by the industry giants have created major shifts for both marketers and publishers – such as App Tracking Transparency and Google’s recent announcement that it will stick to its timeline of deprecating third-party cookies in Chrome in 2024.

“While first-party data strategies and identity solutions were created independently of GDPR, they’ve since become instrumental for companies to navigate the landscape.

“Critically, these solutions, such as enhanced clean rooms, help to power compliant and safe data collaboration, without surrendering access control or the data itself.

“Given the importance of compliance, companies cannot get this wrong – working with the right partners is, and will continue to be, essential for meeting privacy regulations.”

tom-ollerton-automated-creativeTom Ollerton, Founder, Automated Creative

“Five years on, GDPR has managed to create an ‘everyone loses’ scenario. We all remember the widespread panic and sudden flurry of pop ups that hit our screens back in May 2018. Sadly, these haven’t stopped since.

“Despite the best intentions, these ill-conceived regulations have resulted in poorly targeted brand communications, with consumers on the receiving end of (even) worse ads whilst having to live with unhelpful pop ups on every website they visit. Who hasn’t swiped one away, without reading it?

“Targeted ads and personalised user experience is no bad thing, and while GDPR has stamped out some data abuse, it has also stamped out a number of creative advertising possibilities for brands and improved experiences for consumers.

“I can think of no better example of the law of unintended consequences.”

todd-rose-inmobiTodd Rose, SVP Identity Solutions, InMobi

“GDPR is intended to return power over personal data to the consumer, which is the rightful place.

“However, despite its best intentions, GDPR imposes an enormous amount of complexity and hurdles for compliance on businesses, coupled with onerous penalties for non-compliance by virtue of the private right of action embedded in the law.

“Rather than being a protective mechanism for consumers, GDPR is being viewed as  more of a cudgel that stifles innovation and competition.

“Penalties are disproportionate to the risks faced by consumers associated with non-compliant use of their data and because of it, 34% of global digital businesses have reduced or ceased operations in the EU.

“For GDPR to better meet its intended objectives, EU regulators should consider clarifying and removing ambiguity from GDPR legislation to make it more accessible and easier for businesses to understand and comply with its regulations. Implement penalties and enforcement mechanisms that are “more proportional to the crime”.

“And finally, promote harmonisation and consistency in interpretation and enforcement of GDPR across different European Union member states to avoid fragmented approaches that can create additional challenges for businesses operating across borders.