The EU’s GDPR Turns 6 – What Can We Expect Now?

On May 25, 2024, the European Union’s General Data Protection Regulation (“GDPR”) turned six, marking an interesting first few years of the law’s impact on global businesses. When the GDPR went into effect in 2018, it made huge waves across industries collecting and processing personal data from individuals within the EU. In short, it changed the way most, if not all, jurisdictions approach privacy, and made privacy a top business priority.

As we reflect on the past six years, there are some key take-aways for businesses to help prepare for the coming months and years of global privacy.

Privacy Is Here, and It is Not Going Anywhere

Ten years ago, privacy was a strategic initiative in key industries, such as healthcare and finance. But, outside of certain regulated industries, privacy was mostly a side consideration. This is no longer the case as many businesses are struggling with a rapid increase in new privacy laws and obligations that extend across all industries.

What does this mean for business? Privacy needs to become part of the overall business strategy. Determining the customized strategy for privacy should be a top priority this year and in the coming years. Not all privacy laws impact businesses the same: the key is to create customized solutions that address your businesses data needs and corresponding privacy law requirements.

Privacy is a Cross-Departmental Challenge

Privacy is not a technical challenge, nor is it a legal challenge. Privacy law follows data, and data flows into every aspect of businesses. That means that privacy is a whole business challenge. And, therefore, requires that businesses create cross-departmental teams, incorporating operations, finance, human resources, IT, legal, and executive management.

The Adoption of Privacy Law continues to grow across the Globe

In the last six years, numerous jurisdictions have adopted GDPR-like privacy laws and a number have revamped their existing privacy laws to more closely align with the GDPR-approach to privacy protections. [IAPP Identifying global privacy laws, relevant DPAs] ( The IAPP reports a 17 country increase in the number of countries that maintain a privacy law. Just in the US, as of May 2024, there are 17 states that have adopted a comprehensive privacy law that will go into effect over the next three years.

With the adoption of so many new, or updated, privacy laws, there are increasing complexities in cross-jurisdictional privacy requirements. Businesses should focus on creating strong privacy program foundations that can be tweaked or revised as needed for these new laws. Unfortunately, privacy presents a lot of gray areas, and not many black and white ways to address data governance. However, there are opportunities to leverage decades-old foundational privacy principles to better prepare the business for a dynamic era of privacy laws.

Stay Informed and Open to Changes

As we head into year 6 of the GDPR, businesses need to recognize that privacy law is very fluid. Trying to create an approach that doesn’t require on-going review and management is not sustainable. Instead, businesses need to embrace privacy as a core aspect of their on-going business operations and corresponding risk management. Privacy is not going away, so starting sooner rather than later can result in long-term savings for businesses trying to tackle a complex area of the law.

To contact us today to learn more, please visit About Us.

*Nothing contained in this blog should be construed as creating an attorney-client relationship or providing legal advice of any kind. If you have a legal issue regarding cybersecurity, domestic or international data privacy, or electronic discovery, you should consult a licensed attorney in your jurisdiction.*
Written on May 25, 2024