The arrival of the General Data Protection Regulation (GDPR) in May 2018 feels like a lifetime ago. Privacy advocates hailed it as a new dawn in protecting customer privacy, and businesses of all sizes began to look for experts to help them stay on the right side of the new regulatory requirements.
Fortuitously, this was also the year HewardMills launched its Data Protection Officer services in London. Within its first year, it supported numerous businesses in implementing stronger data protection and privacy processes, and over the last five years rising demand for its services has led to the opening of offices in Dublin, Zurich, Singapore, Accra, Berlin and San Francisco.
Without a doubt, GDPR has played a critical role in shaping data privacy by empowering individuals, demanding accountability and transparency from companies, and strengthening data breach notification requirements. It has also significantly spearheaded the global adoption of similar privacy regulations.
Let’s remind ourselves of its key benefits and how it has impacted data protection and privacy globally.
Enhanced data rights for individuals
The GDPR has entrenched the rights of individuals regarding their personal data. It introduced enhanced rights such as the right to be informed, right of access, right to rectification, right to erasure (“right to be forgotten”), right to data portability, and the right to object.
Global Influence and Adoption
The GDPR has had a global influence on data protection laws and practices, inspiring many countries and regions to develop or update their own privacy regulations. For example, California passed the California Consumer Privacy Act (CCPA) in 2018, and the European Union has recognised the adequacy of data protection laws in several countries outside the EU.
Increased Accountability and Transparency
Businesses must provide clear and easily understandable privacy notices, obtain valid consent for data processing, and establish lawful bases for processing personal data. Organisations are also required to implement privacy by design and conduct data protection impact assessments to assess and mitigate privacy risks.
Stricter Data Breach Notifications
Mandatory data breach notification now means organisations are obligated to report certain types of personal data breaches to the relevant authorities within 72 hours of becoming aware of them, unless the breach is unlikely to result in a risk to individuals’ rights and freedoms. Additionally, individuals must be notified if there is a high risk to their rights and freedoms as a result of a data breach.
Non-compliance is costly for businesses, leading to fines of up to 4% of their global annual turnover or €20 million (whichever is higher) for the most severe violations. This has encouraged businesses to take data protection more seriously and invest in adequate security measures to avoid substantial financial consequences.
Continuing to safeguard human rights and data dignity worldwide
The effects of the implementation of GDPR have been significant and continue to shape the way organisations handle personal data to ensure greater protection and respect for individuals’ data protection and privacy rights. These benefits have collectively contributed to a more privacy-centric approach to data handling, benefiting both individuals and organisations.
It’s been an incredible journey of growth in the EU and UK data protection and privacy space. At the same time, jurisdictions worldwide have reviewed, revamped, and reinvigorated their regulations to foster a better environment of trust and transparency between organisations and their employees and customers.
Our right to data dignity must be safeguarded in the same way we enshrine the rights of other protected characteristics.
Our mission, as a global DPO, is to continue to partner with organisations to be more accountable, transparent, and proactive in safeguarding individual privacy and protecting personal data over the next 5 years and beyond.