GDPR: A decade since its approval and challenges for the future
The General Data Protection Regulation (GDPR) is celebrating its anniversary. The leading European standard on privacy is marking its first decade.
Although it was approved in 2016, the GDPR has been mandatory throughout the European Union since May 25, 2018.
What is the GDPR?
The GDPR is the EU regulation that governs how individuals, companies, organizations and public bodies must process the personal data of citizens residing in the EU.
The GDPR applies to all processing (whether automated or manual) of personal data of people residing in the European Union carried out by individuals, public administrations, organizations or companies based in the EU or outside (if they offer services to Europeans).
Therefore, the GDPR protects natural persons (not legal persons) in activities involving the processing of their personal data.
A decade of GDPR in review
In these 10 years, the GDPR has achieved major milestones:
- Global reference point (“the Brussels Effect”):
More than 120 countries (from California to Brazil or Japan) have passed privacy laws inspired by the GDPR, creating a common global language for the data economy.
This regulatory convergence facilitates international trade: by harmonizing standards, it reduces the technical barriers to international data transfers.
- Awareness:
Data protection is no longer a niche issue; companies have integrated Privacy by Design as an operational standard.
Beyond legal compliance, privacy has become a strategic asset and a competitive differentiator. Organizations that demonstrate strong ethical practices in data handling not only avoid penalties but also strengthen their brand reputation and build loyalty among increasingly demanding users who respect their digital sovereignty.
- Sanctioning power:
Non-compliance has a real cost: administrative fines can reach up to 20 million euros or 4% of the total annual turnover of the previous year, whichever is higher.
We have gone from symbolic warnings to multimillion-euro fines for large companies. For example, Meta and Amazon have received historic sanctions for lack of transparency and invalid legal bases.
GDPR versus Digital Omnibus
The Digital Omnibus is a legislative package presented by the European Commission in November 2025, and it is currently in the debate and adoption phase.
The Digital Omnibus aims to simplify the digital regulations that have emerged in the last 10 years: the GDPR, the Artificial Intelligence Act, the NIS2 Directive and the Data Act.
While the GDPR remains the guardian of our rights, the Digital Omnibus is the tool that attempts to modernize those rights so that they do not become obsolete in the face of Artificial Intelligence and so that companies do not drown in bureaucracy.
However, bodies such as the European Data Protection Board (EDPB) have warned that this simplification should not be used as an excuse to lower our guard in protecting privacy; the desire to simplify in order to be competitive should not weaken fundamental rights.
The debate is open: is the Digital Omnibus making the GDPR “easier” to comply with, or is it making the GDPR “weaker”? We will have the answer in the near future.
Challenges that the GDPR will have to face
- Artificial Intelligence, with the ethical and moral implications it entails (which we already analysed in a previous post):
The biggest challenge of the GDPR is coexistence with the AI Act.
The difficulty lies in applying principles such as data minimization or the right to be forgotten to large language models that have already learned from the data.
Interaction with the new AI Regulation is forcing companies to conduct joint risk assessments.
- Consent fatigue and Dark Patterns:
After years of cookie “consent fatigue”, European authorities are cracking down hard on Dark Patterns (deceptive designs that force the user to accept tracking).
It is expected that, by the end of 2026, automated privacy management systems will be consolidated in browsers.
- Geopolitics and International Transfers:
The stability of data flows to third countries (especially the US and China) remains fragile.
Despite successive privacy frameworks, state surveillance in third countries remains out of step with European standards.
The challenge is to create a secure data flow standard that is not dependent on political fluctuations.
Author: Sandra Santiago, Lawyer.
If you need help writing Data Protection regulations, contact us!