In 2018, a single law changed the global conversation (and global practices) around data privacy.
The General Data Protection Regulation (GDPR) strengthened European rules around how personal information should be handled, who gets to control it, and what transparency means in the digital age. For the first time, users had clear rights over their data, and companies faced real consequences for violating them.
Before the GDPR, consent was mostly an afterthought. After its implementation, the GDPR has reshaped how businesses operate, inspired laws around the world, and helped make privacy a top priority for companies and consumers alike.
Seven years on, the GDPR remains one of the most influential and effective privacy laws in the world. But the digital landscape it helped redefine is changing fast. And so is the law itself.
Didomi explains how we got here with the GDPR, where things currently stand from a compliance standpoint, and what changes may be on the horizon.
Disclaimer: This article does not constitute legal advice. Make sure to consult with your DPO and legal department to ensure your compliance with GDPR and other data privacy regulations.
How we got here: A brief history of the GDPR
The GDPR changed commercial privacy practices virtually overnight when it went into effect on May 25, 2018. But it didn’t appear overnight. It was the result of decades of European policymaking aimed at reconciling technological innovation with the right to privacy.

The story of the GDPR begins in 1981, when the Council of Europe introduced Convention 108, the world’s first binding international agreement on data protection, just as personal computing was beginning to take hold.
In 1995, the European Union passed the Data Protection Directive, which defined basic privacy rules but gave member states broad discretion in how to implement them. The result was a fragmented system, difficult for individuals to navigate and companies to follow, especially as email, e-commerce, and early internet services like Yahoo! and AOL went mainstream.
By the start of the 21st century, data was flowing faster and farther than ever before. The EU adopted the Charter of Fundamental Rights in 2000, explicitly recognizing both privacy and data protection as core human rights—just as Google was indexing the web, Facebook was preparing to launch, and online behavioral tracking was quietly becoming the norm. In 2009, the Treaty of Lisbon gave the Charter full legal force, turning those principles into enforceable constitutional law across the EU.
But by the 2010s, it was clear the system was straining. The smartphone era brought near-constant data generation. Cloud platforms enabled mass storage of personal information. Social media, mobile apps, and real-time ad auctions turned consent into a checkbox that was often buried in legalese. At the same time, high-profile incidents like the Snowden revelations and growing concerns over data brokers and surveillance capitalism exposed just how little control people had over their personal information.
The European Commission began working on a full overhaul with the goal of producing a single, unified regulation that would close the enforcement gaps, strengthen individual rights, and hold companies accountable—no matter where they operated. After years of negotiation, the GDPR was adopted in 2016 and became enforceable across all EU member states on May 25, 2018.
In the years since, the GDPR has become a gold standard for privacy legislation all over the world. Countries from Brazil to Japan to India to the United States have adopted GDPR-inspired frameworks, while companies have built consent banners, preference centers, and data export tools into their products as they look to turn privacy compliance challenges into successful business opportunities.
Seven years of GDPR have reshaped how we think about privacy, not just in Europe, but around the world (...) GDPR sparked a global movement towards privacy-preserving data practices, and we're proud to be part of it every step of the way.
- Romain Gauthier, CEO and co-founder at Didomi
However, gold can tarnish over time. Although GDPR’s comprehensive approach and emphasis on individual rights have made it a benchmark for data protection, the regulation faces fresh questions from new technologies like AI, biometrics, connected devices, and digital identities that make it less clear what data is “personal” and what is not. Seven years into the GDPR experiment, the next chapter of the game-changing law is already being written.
One law, many countries
Unlike the directive it replaced, the GDPR is a regulation, meaning it applies uniformly across the EU without the need for national legislation. However, despite the law’s cross-bloc uniformity, it's not applied or enforced the same way everywhere.
The GDPR operates through a decentralized enforcement model wherein each EU member state has its own Data Protection Authority (DPA). These national regulators are independent public bodies tasked with:
- Overseeing compliance
- Handling complaints
- Investigating violations
- Issuing fines and corrective actions
In other words, while GDPR law is unified across the EU, enforcement is decentralized. The European Data Protection Board (EDPB) helps harmonize decisions and resolve disputes, but national regulators still have wide discretion over how they investigate and penalize violations. That’s why enforcement can look very different from one country to another, even under the same law.

For companies operating across multiple EU countries, a concept known as the “one-stop-shop” mechanism applies.
When a cross-border issue arises, this mechanism designates a lead authority based on where a company has its main EU presence. That regulator then coordinates enforcement with other affected DPAs across the bloc.
For example, a tech company headquartered in Ireland but serving users across the EU typically falls under the Irish Data Protection Commission. Meanwhile, a French retailer would report to France’s CNIL, and a Czech SaaS startup might deal with the ÚOOÚ.
But many smaller companies, particularly those based outside of the EU, don’t have a European headquarters. Instead, they fall under the jurisdiction of whichever DPA receives a complaint or flags a potential violation. That can mean multiple points of exposure, inconsistent expectations, and enforcement from a country your company may have never set foot in.
Uneven enforcement
In theory, the GDPR’s “one law, many countries” structure ensures consistent application of the law. Under GDPR, rules are the same (things like access rights, consent standards, breach notification, and cross-border compliance). But in reality, its application and priorities can look very different depending on where your data subjects live—or where your company is considered to be "established."
Some countries focus on volume over size, issuing hundreds of lower-value penalties to encourage better day-to-day compliance. Others pursue fewer, higher-stakes cases. And many DPAs prioritize guidance and cooperation over penalties when a company demonstrates a good-faith effort to comply.
Through the first seven years of the GDPR, enforcement has produced more than 2,200 fines totaling €5.6 billion, according to CMS Enforcement Tracker data. That’s an average fine of €2.36 million. Yet enforcement activity varies dramatically by country. For example:
- Ireland has issued only a few dozen fines—but they include some of the largest in history, mostly targeting Big Tech platforms headquartered there.
- Spain, by contrast, has issued more than 980 fines, focusing on volume over size—many directed at smaller businesses and public sector entities.
- Countries like Hungary, the Netherlands, and Slovakia have varied widely in both activity and penalty amounts.
These variations, which stem from factors that include varied enforcement philosophies, resourcing levels, and national legal cultures, can create legal gray zones and multi-jurisdictional compliance challenges for organizations, despite the supposed “uniformity” of the GDPR among EU nations.

For small businesses, the result is a mix of uncertainty and uneven expectations. It may not always be clear who your lead authority is, which rules apply where, or how enforcement will play out if something goes wrong.
Big Tech vs. small businesses: Two different enforcement realities
At first glance, the GDPR applies equally to everyone. Whether you’re a tech giant with millions of users or a regional SaaS company serving European clients from abroad, the core rules are the same: obtain valid consent, respect users’ rights, secure personal data, and have a clear legal basis for processing it.
Look deeper at GDPR’s enforcement history, however, and it becomes clear that how and why companies are fined frequently comes down to their size, structure, and visibility.
Massive GDPR fines, such as those levied against U.S. tech giants Meta (€1.2B), Amazon (€746M), TikTok (€345M), and Google (€150M), dominate headlines, but they represent just a fraction of total enforcement actions. Many regulators have issued hundreds of smaller fines that target small and midsize businesses (SMBs).
SMBs are more likely to face enforcement for relatively routine compliance errors such as:
- Misconfigured or missing cookie banners
- Incomplete privacy policies
- Ignored or delayed access/deletion requests
- Lack of a Data Protection Officer (when one is required)
- Storing too much data for too long without legal justification
These are visible, measurable issues that DPAs can audit quickly, typically in response to individual complaints (e.g., a customer who can’t get their data deleted may file a report, triggering a DPA investigation). Because these violations are easier to spot and quicker to document, they make up a large share of GDPR enforcement actions.
Big Tech companies, on the other hand, tend to attract scrutiny for complex, systemic issues:
- Cross-border data transfers
- Behavioral advertising practices
- Algorithmic profiling and tracking
- Biometric data collection
- AI-driven personalization without valid consent
These types of issues generally require multi-jurisdictional cooperation and long technical investigations. Consequently, enforcement against larger platforms tends to take longer and end in bigger, more delayed penalties. It's not necessarily that these companies are held to a different standard, but rather that the scale and sophistication of their data operations make enforcement more resource-intensive.
The result? A dual-track enforcement pattern:
- Big fines for Big Tech, years in the making
- Frequent, smaller fines for SMBs, focused on immediate violations
GDPR harmonization, then, is something of a misnomer. Despite the “one law, many countries” design and intention, the reality for small businesses operating in the EU, whether physically or remotely, can be complex and confusing. And with GDPR penalties reaching 2% to 4% of a company's global annual revenue, simply trying to do the right thing may not be enough.
Your business doesn’t need to be big or engaged in widespread privacy violations to get caught up in GDPR enforcement. You just need to get something wrong—once. To avoid being caught in the enforcement crosshairs, the challenge for most businesses is therefore twofold:
- Knowing when you're subject to the GDPR (even if you're not based in Europe)
- Navigating enforcement risks that can depend (in part) on where your users live and which DPA gets involved
What the GDPR covers today and how it affects your business
From the perspective of data subjects, the GDPR is relatively simple. Seven years after it came into effect, the law’s core mission remains the same: to give more people control over their personal data and ensure that organizations treat that data responsibly.
But what this entails for your business can feel anything but simple. Terms like “controller,” “processor,” “legitimate interests,” and “automated processing” can alone make compliance a challenge, to say nothing of the steps needed to actually comply. Below, we give you a practical, (mostly) jargon-free breakdown of how the GDPR works—and how to remain on the good side of European data subjects and DPAs.
Whose data is protected?
The GDPR protects the personal data of any individual located in the EU, regardless of their citizenship.
- Your business doesn’t need to be based in the EU to fall under the law.
- You don’t need to sell directly to EU consumers. Just collecting email addresses from EU-based visitors may trigger obligations.
If your company offers goods or services to people in the EU, or monitors their behavior online (e.g., analytics, advertising, cookies, cross-site tracking), you are almost certainly subject to the GDPR.
Even if you don’t know exactly where your users are, using EU-focused language, currencies, shipping options, or domain extensions (.eu) can be enough to count as "targeting" under the law.
Who must comply with GDPR (and how to tell)
Not sure whether the GDPR applies to your business? Here are a few filters you can apply to your operations to make that determination:

What rights do users have under the GDPR in 2025?
At its heart, the GDPR is about empowering individuals with clear, enforceable rights over their data. As a business, your job is to enable these rights and respond within set timeframes.
Here’s what your EU users can expect:

To reiterate: these basic rights that make up the core of the GDPR can get forgotten in favor of the sorts of headline-grabbing issues that lead to billion-euro judgments. DPAs have issued millions in fines to companies that failed to fulfill access or erasure requests, sometimes simply because they didn’t respond on time or didn’t have the right workflows in place.
And these are just the administrative fines. GDPR Article 82 gives data subjects the right to seek compensation from organizations that cause them material or non-material damage as a result of a GDPR violation.
Know the law (and your stack)
GDPR compliance is a legal challenge that, in the context of day-to-day business functioning, is perhaps better viewed as an operational one. For example, you might be using systems like:
- Google Analytics, Stripe, or HubSpot to manage customer data
- Meta Pixel or LinkedIn tags for retargeting
- Intercom, Drift, or Zendesk for user support
If you are, then data is flowing between multiple systems and vendors. And under GDPR, you, as the organization utilizing these services, are responsible for ensuring that all links in that data processing chain are compliant with the regulation. This includes the vendors you engage to process personal data on your behalf. You’ll need to:
- Know where your data is stored and processed
- Maintain a record of processing activities (yes, even as an SMB in many cases)
- Vet and contractually manage your processors
- Offer easy, transparent mechanisms for users to manage their consent and preferences
- Implement a workflow for receiving and responding to user requests
Article 25 of the GDPR requires data protection to be integrated into the design of systems, services, and products from the outset, rather than bolted on as an add-on or afterthought, a core privacy concept known as “privacy by design and default.”
It might sound like another wonky privacy term, but the concept helps to inform more “future-proof” compliance solutions that are not just about checking boxes, but about making privacy a part of your infrastructure, your messaging, and your user experience (and your business model) from the very beginning.
What’s next for the GDPR in 2025?
Keeping the GDPR concurrent with the technology-based practices it was designed to regulate is no small task.
Technology continues to evolve at breakneck speed. And to some extent, the GDPR is a victim of its own success. It made individuals more aware of how their data is used and the rights they have regarding their personal information, leading to a rise in data privacy consciousness and stronger consumer demands for data protections. While the GDPR-based European regulatory model does not have the same decentralized, multi-jurisdictional issues as the United States, the GDPR, in practice, can make it feel like navigating many different laws and regulatory regimes, with different tracks for different-sized businesses.
Seven years after its introduction, being GDPR-compliant still feels like chasing a moving target. The growing calls for simplification reflect not just regulatory fatigue, but a deeper realisation: the balance between legal rigor and operational reality is harder than expected. As we look ahead, the risk is that simplification becomes a cover for erosion of protections.
- Thomas Adhumeau, Chief Privacy Officer at Didomi
Critics have also argued that the GDPR is anti-competitive because its complex compliance requirements disproportionately burden small businesses and startups, which make up around 95% of all businesses, and give large tech companies, who can more easily absorb the costs, an advantage in today’s digital economy.
Along the seven-year road of the GDPR, reform efforts have focused on smoothing out some of these bumps, such as harmonizing certain procedural parts of the law that had minor variance across state authorities (e.g., handling complaints, cooperative actions, clarifying individual rights in complaints, etc.). The European Council and the European Parliament reached agreement in June 2025 on one such effort.
To date, these sorts of updates have primarily focused on clarifying the original GDPR text rather than making substantive changes to the law. There are signs, however, that bigger changes may be afoot with the introduction of the “Omnibus Simplification Package”, which EU politicians describe as a way to “reduce administrative burdens” by, among other measures, reducing record-keeping requirements for SMBs. Such changes are being considered to “create an environment friendly to new business and developing technology,” says the Electronic Privacy Information Center.
According to the IAPP, “The one-size-fits-all approach was heavily criticized during GDPR negotiations and led to some marginal adjustments in the final text.” EU officials frame the possible GDPR amendments as a way to “boost Europe’s competitiveness and long-term prosperity.” They recognize that SMBs having to meet the exact same compliance obligations as large companies can create a competitive disadvantage for smaller businesses and startups that hurts economic growth.
The exact proposal under consideration would:
- Extend the GDPR exemption for maintaining records of processing activities from businesses with fewer than 250 employees to those with up to 750 employees.
- Require record-keeping only when processing is “likely to result in high risk”, such as AI profiling, biometric data, or health information.
- Possibly eliminate the Data Protection Officer obligation for some SMBs.
These proposed changes would reportedly help to save companies an estimated €66 million annually through reduced administrative burden. Other GDPR reforms that have been floated recently include:
Tiered, risk-based compliance framework
MEP Axel Voss and NOYB’s Max Schrems have discussed a multi-layered GDPR approach that could consist of:
- Layer 1: A lightweight “mini-GDPR” for ~90% of businesses—fewer transparency obligations and no requirement for a DPO
- Layer 2: Full GDPR for businesses processing sensitive data or operating at scale
- Layer 3: “GDPR Plus” rules for large platforms—extra oversight and mandatory audits
EDPB strategy 2024–2027
A leading stakeholder in guiding the future of data protection, in Europe and beyond, the EDPB has identified the following strategic priorities through 2027:
- Promote harmonization and encourage proactive compliance
- Strengthen a common enforcement culture
- Address data protection challenges from emerging tech and regulatory overlap
- Advance the global privacy dialogue
Didomi helps businesses stay prepared for whatever comes next
GDPR is a living instrument rooted in strong privacy principles, like privacy by design and default, that are meant to evolve alongside the data collection processes they regulate. But given the speed of technological change and the emergence of transformative technologies like AI, privacy laws can struggle to keep up and are often a lagging indicator of what's to come next.
Still, European lawmakers aren’t standing pat. The GDPR changes they’re proposing might ultimately benefit businesses in Europe and abroad. Yet they could also add another layer of complexity, and new obligations, on top of an already-convoluted set of compliance burdens. In a world where privacy regulation doesn’t stand still, your business can’t afford to stand still, either.
We may not know which GDPR changes will be implemented and which will flounder in committees, whether businesses will actually get a regulatory break, or greater harmonization will emerge. But what’s certain is the data privacy movement the GDPR set into motion rolls along, and as the digital and regulatory landscapes shift and new expectations emerge, staying flexible and trustworthy will be more important than ever.
Being prepared for what comes next in privacy law involves using a flexible, robust compliance system capable of automatically adapting to new requirements, wherever and whenever they apply. To discuss your data privacy and compliance challenges and see whether we can help, book a call with our team of experts.