Eight Years of GDPR. Did Anything Actually Change?
I started writing this post in the summer of 2018, about two months after GDPR came into force. Life got in the way and I never finished it. Reading it back now, what strikes me is not how much has changed. It is how much has not.
So let me finish what I started, with the benefit of eight years of evidence behind me.
Where we were
In July 2018, the dust was settling on what had been, for many organisations, a frantic few months of privacy notice rewrites, consent email campaigns, and hastily appointed Data Protection Officers. The world had not imploded. We were all still here. The question I was asking at the time was whether any of it had made a real difference, or whether organisations had simply updated their paperwork and moved on.
For those of us who had been doing a reasonable job of complying with the Data Protection Act 1998, GDPR felt less like a revolution and more like a tightening of screws that should already have been tight. The principles were not new. What changed was the accountability, the documentation requirements, and the consequences for getting it wrong.
What I noticed in those early months was telling. Organisations had updated their privacy notices and some had appointed DPOs, but many of those privacy notices still did not tell you who the third parties processing your data actually were. That was not a minor oversight. Under GDPR, a data controller is responsible for knowing exactly what its processors are doing with shared data, how they are processing it, and whether they are passing it further down the chain to their own third parties.
The Facebook and Cambridge Analytica story, still fresh in 2018, had made exactly this point in the most public way possible. A data controller that does not know what its third parties are doing with shared data is not compliant, regardless of what the privacy notice says.
Cloud infrastructure added another layer to this. AWS and Azure are not liable for data breaches unless the breach originates in their infrastructure. With IaaS, the data controller retains responsibility. Many organisations had moved workloads to the cloud without fully thinking through what that meant for their compliance obligations. Not knowing where your data is going, or who has access to it, is itself a compliance failure. That was true in 2018 and it is even more true now given how much further cloud adoption has gone in the years since.
Where we are now
Eight years on, those same challenges have not gone away. They have scaled.
The first thing to clarify for a UK audience is that we no longer have GDPR. We have UK GDPR, a distinct piece of legislation that came into effect when the UK left the EU. It has recently been amended by the Data (Use and Access) Act 2025, which received Royal Assent in June 2025 and began its phased commencement in February 2026. It is worth being clear about what that Act does and does not do. It does not replace UK GDPR. It makes targeted amendments, simplifying some rules, clarifying others, and introducing a new recognised legitimate interests lawful basis for certain defined processing activities. There are also changes to the automated decision-making rules, new requirements around children’s services, and a requirement that organisations have a formal internal complaint-handling process for individuals exercising their data rights. The ICO itself has been renamed the Information Commission under the Act.
What the DUAA notably does not do is the sweeping reform that the previous government had attempted through the Data Protection and Digital Information Bill, which fell when Parliament was dissolved ahead of the 2024 general election. There had been genuine concern that those proposals could have put the UK’s EU adequacy decision at risk. The current government took a more measured approach, and the UK remains adequate under EU GDPR for now. For organisations operating across both the UK and EU, the two regimes are beginning to diverge in some areas and that is worth watching carefully as the DUAA continues to be commenced through 2026.
Beyond the UK and EU, the global picture has shifted considerably since 2018. GDPR acted as a template that others followed. Brazil introduced the LGPD. Canada strengthened its framework. India passed its Digital Personal Data Protection Act. And China introduced the Personal Information Protection Law in 2021. When China has a data protection regulation, it tells you something about where the world has landed on data governance as a baseline expectation rather than a differentiator.
The United States remains the notable exception. Without a federal framework, the US relies on a patchwork of state-level laws. California led with CCPA and others have followed in various forms. The result is compliance complexity for any organisation operating across state lines, which is exactly the friction that a coherent national framework would resolve. It has not happened yet.
The question that has not changed
Here is what eight years of evidence tells me. The organisations that struggled with GDPR in 2018 were not struggling because the regulation was too complex. They were struggling because they had never built the habits, the governance structures, or the culture that genuine data protection requires. The regulation gave them a deadline. It did not give them the foundations.
Those foundations are still missing in a lot of places. Consent is still used as a lawful basis when it is not appropriate. Third-party data flows are still not fully mapped. Privacy notices still describe what organisations wish were true rather than what is actually happening. DPOs are still, in some cases, appointed as a box-ticking exercise rather than given genuine authority.
The regulation changed. The underlying behaviours, in too many organisations, did not.
In a world where data is the most valuable asset most organisations hold, and where the regulatory landscape is only going to get more complex as more jurisdictions develop their own frameworks, that is a problem that does not get easier to ignore.
The question I was asking in 2018 was whether anyone was taking this seriously enough. Eight years on, I am still asking the very same question.
