The impacts of GDPR on global organizations after 6 years of implementation

Three years after our first update on the effects of GDPR deployment on global organizations and businesses, May 25, 2024, marked 6 years since the official effective date of the General Data Protection Regulation (“GDPR”), a pivotal regulation on information and data protection and privacy implemented by the European Union. GDPR was adopted to protect the fundamental rights and freedoms of persons and, in particular, their right to the protection of their private data. It has a great impact not only in the European Union and the European Economic Area but also in the rest of the world because of its extraterritorial effect and its influence on emerging regulations in other territories.

Any business dealing with the EU market needs to consider the principles set by the GDPR. This has led to the mass adoption of compliance systems and policies, which is often cited as an example of the “Brussels effect”.

Impacts of GDPR on foreign regulations

After the GDPR came into force, many countries adopted their own personal data protection laws modeled on the GDPR. Some big markets include:

  • Brazil’s Lei Geral de Proteção de Dados in 2020 was modeled directly after GDPR;
  • China’s Personal Information Protection Law in 2021;
  • Japan’s Act on the Protection of Personal Information in 2003 has been updated and amended several times. After its issuance of supplementary legislation to enhance its data protection, in 2019, Japan became the first Asian country to be granted adequacy status by the European Commission;
  • The United Kingdom’s Data Protection Act 2018, which is the UK’s implementation of the GDPR;
  • The United States does not have a federal data protection law, but several states have their own regulations, such as:
    • California’s Consumer Privacy Act in 2020;
    • Virginia’s Consumer Privacy Act in 2021;
    • Colorado’s Privacy Act in 2021.
  • India’s Digital Personal Data Protection Act in 2023.

GDPR global adoption - Brussels effect

According to statistics from the United Nations Conference on Trade and Development, 71% of countries worldwide have legislation to secure the protection of data and privacy. 

Positive influence of GDPR regulations on consumers and businesses

GDPR raised awareness of personal data privacy among the subjects it aims to protect: humans. Some notable statistics:

  • 61% of people in countries with data protection laws felt those laws have positive impacts (Cisco).
  • 67% of Europeans are familiar with the GDPR (Enterprise App Today).
  • 62% of UK consumers are more comfortable sharing their data after the data protection law (Persona).
  • 81% of Americans say the potential risks they face from companies collecting data outweigh the benefits (Pew Research Center).  
  • 63% of global consumers think most companies aren’t transparent about how their data is used, while 48% have stopped buying from a company or using a service due to privacy concerns (Tableau).

As a result, GDPR helps to strengthen the protection of personal data by pushing businesses and organizations to adopt privacy systems. 78% of US companies have conducted a GDPR gap assessment and updated their privacy notices, and 27% of companies spent over half a million dollars to become GDPR compliant (Persona), which helps them avoid large fines that can reach up to 4% of the total worldwide annual turnover of the preceding financial year. Some major GDPR fines and penalties of 2023 were imposed on Meta Platforms Ireland Ltd. (1.2 billion euros), TikTok Ltd. (345 million euros), Spotify (4.9 million euros) and Total Energies Electricité et Gaz France (1 million euros).

At the same time, businesses and organizations are also benefiting from this trend. According to a study by the University of Maryland, on average, every 39 seconds, there is a hacking attack on computers with Internet access, and the global average cost of a data breach in 2023 was 4.45 million USD (IBM Cost of a Data Breach Report 2023). By integrating security policies, businesses and organizations prevent their data from being hacked, which can cost them a fortune. 40% of organizations have seen positive returns on their privacy investments (Persona). In another study, only 17.7% of the respondents, who are marketing executives and decision-makers from the European Economic Area, said that GDPR compliance has negative effects on their businesses (Piwik). Very early, when GDPR regulation was deployed, we understood this was a pivotal change impacting all businesses and decided to structure an in-house legal team to create and evolve a global compliance and security offer for global organizations deploying our Cloud Captive Portal service in multiple countries and legal environments.

Overview of challenges caused by GDPR regulations implementation

One of the biggest challenges is the cost of compliance for businesses of all sizes. The investment needed to put in place a true framework that respects GDPR compliance requirements is high, especially for small and medium businesses (“SMEs”). According to a PwC report, 88% of respondents spend more than 1 million dollars to maintain GDPR compliance, and 40% spend more than 10 million dollars. Consequently, while global enterprises can afford such investment, it is a lot more challenging for SMEs. This could lead to unfair competition: large enterprises can collect data easily because they have compliance procedures in place and can eventually use that data for their businesses, whereas SMEs first need to find the money to invest in those expensive compliance processes.

On the other hand, many ambiguities and interpretations still make it challenging for businesses and organizations to meet their compliance obligations. Moreover, although the GDPR established a cooperation mechanism for authorities to resolve data protection issues together, most still depend on their national administrative procedures, which results in discrepancies and difficulties in GDPR enforcement. A study in 2022 by the Data Protection Law Scholars Network for Access Now showed that data subjects across the EU do not have an equal right to lodge a complaint under the GDPR, as each authority applies different practices to resolve complaints.

What to expect next for GDPR updates and amendments

In order to amplify the positive impacts of the GDPR and to amend its negative sides, the EU Commission has made several efforts, which include the issuance of the Digital Markets Act and the Digital Services Act. These two acts have two main goals:

The first is to create a safer digital space in which the fundamental rights of all users of digital services are protected.

The second is to establish a level playing field that fosters innovation, growth, and competitiveness in the European Single Market and globally.

The Digital Markets Act was adopted in 2022 and became applicable in 2023. It establishes obligations for gatekeepers, which are large digital platforms providing any of a pre-defined set of digital services (‘core platform services’), such as online search engines or app stores.

The Digital Services Act became effective in 2023 and will apply to all platforms in 2024. It governs the content moderation practices of social media platforms and addresses illegal content by introducing new obligations for online intermediaries and platforms such as marketplaces or social networks.

In July 2023, the EU Commission proposed a new regulation on procedural rules to standardize and streamline cooperation between data protection authorities of EU member states when enforcing the GDPR in cross-border cases, which will help to increase the efficiency and harmonization of cross-border GDPR enforcement action.

On the other hand, with the aim of creating a single European data space, there is the EU Data Governance Act, which became applicable in 2023 and stipulates the processes and structures to facilitate data sharing by companies, individuals, and the public sector. Its complementary Data Act, which will become applicable in 2025, defines the rights to access and use data generated in the EU across all economic sectors and makes it easier to share data, in particular industrial data.

Recently, the Council of the EU approved the EU Artificial Intelligence Act, the first of its kind in the world. This act aims to foster the development of safe and trustworthy AI systems across the EU’s single market by both private and public sectors. Although it will come into force 20 days after its publication, most of its provisions will not take effect until 2 years later. With its potentially great impacts, it should be closely monitored.

These regulations are the results of the initiatives led by the European Commission's First Evaluation Report on the GDPR in 2020. The EC is expected to issue the Second Report this year, which could potentially lead to more initiatives relating to data protection. This may lead to a follow-up article on our blog, as we believe it is our role and responsibility to monitor and act upon data privacy law evolution not only in the EU but globally. If you are planning to evaluate your Wi-Fi captive portal compliance and security, you can request our Worldwide Guest Wi-Fi Compliance report from here.
