On 25 May 2025, the EU’s General Data Protection Regulation (GDPR) turns seven. Global in reach and long-term in effect, the GDPR has clearly shaped business models and will keep transforming them for many years to come. Largely, this is due to the growing emphasis that boardrooms place on leveraging high-quality data and using it as a strategic asset to differentiate from the competition and to create value for their customers.
To mark the seventh anniversary of the GDPR, PwC’s Privacy & Data lawyers identified seven lessons – drawn from significant cases, decisions, and trends – which we believe are key to helping organisations navigate complexity, build trust, and speed up innovation with confidence.
Privacy remains top of mind for most businesses this year. According to PwC’s Global Compliance Survey 2025, 51% of executives ranked ‘data protection and privacy’ among their top five organisational priorities, alongside other areas such as cybersecurity and corporate governance.
Transparency is a core principle of the GDPR and is reflected in its Articles 13 and 14, which require businesses to disclose a range of information to individuals. That said, transparency rules are typically more complex than they seem: the ‘what’, ‘how’, and ‘where’ depend on the context in which the business is operating – and on the medium through which it interacts with customers.
For instance, in January 2023, the Irish supervisory authority fined Meta Ireland €390 million following changes to its social platforms’ terms of service, including for breach of transparency where ‘users had insufficient clarity as to what processing operations were being carried out on their personal data, for what purpose(s), and by reference to which of the six legal bases identified in Article 6 of the GDPR.’ For a customer-centric approach, businesses must ensure their privacy notices align with the GDPR’s transparency threshold, and with the European Data Protection Board’s (EDPB) adopted transparency guidelines.
Businesses often operate beyond EU borders – with processes, workforce, and technology spanning continents. The GDPR’s rules on transfers of personal data evolve constantly, as seen through the rules on personal data transfers to the US. It is essential for executives to understand such rules, as transfer restrictions may jeopardise whole business operations or result in substantial fines, such as Facebook’s €1.2 billion penalty in 2024.
So, how can you ensure that data transfers comply with the applicable rules? First, it is important to map all transfers carried out by the organisation to third countries or international organisations (ideally, in the organisation’s record of processing activities) to understand the extent of the processing activity’s geographical footprint. Second, the business must choose an appropriate safeguard in terms of Chapter V of the GDPR and update the relevant documentation (such as contractual clauses and transfer impact assessments). Adopting a proactive compliance approach should provide added confidence and a sustainable framework to manage data transfers.
The requirements of the GDPR often boil down to proportionality, specifically the balance between the safeguards in place and the risks associated with the processing of personal data. Whether the decision relates to notifying a personal data breach, implementing a new technology, or appointing a Data Protection Officer (DPO), businesses are often required to make such decisions based on their risk appetite coupled with their own interpretation of the regulatory provisions. Regardless of the path chosen, adequate documentation is crucial to provide an audit trail for such decisions.
In April 2025, Malta’s Information and Data Protection Commissioner (‘IDPC’) published its decision (CDP/COMP/282/2024) regarding the unlawful processing of personal data by a local healthcare provider under data protection law. The controller was materially fined, inter alia, for not having appointed a DPO, which further corroborates the importance of having adequate documentation to support the regulatory decisions taken by the organisation.
Moreover, with the rise of data-driven business models, personal data is often repurposed to drive customer personalisation and retention strategies. Demonstrating good data governance measures – namely being transparent about the purpose of, and the GDPR legal basis for, each use of personal data – should help organisations maintain stakeholder trust more easily in these data-rich environments.
With a myriad of relationships, processes and interdependencies between organisations, the lines of responsibility and liability under the GDPR are often blurred. As a reminder, the controller remains ultimately accountable for the processing carried out by its processors and sub-processors (unless the processor has not complied with obligations of the GDPR specifically directed to processors, or has acted outside or contrary to the lawful instructions of the controller). This has been clarified notably by the Court of Justice of the European Union (‘CJEU’) in Case C-683/21, where the Lithuanian National Public Health Centre appointed an IT service provider to build a Covid-19 application. The CJEU held that the fact that the public health centre did not itself process personal data, and that there was no contractual agreement between the parties, did not preclude it from being classified as a controller under the GDPR. Indeed, the person that exerts influence, for its own purposes, over the determination of the purposes and means of processing should be regarded as the controller.
For better decision-making, executives should be equipped with the full picture of regulatory risks and should understand who would bear the brunt of the blow in their various relationships, be it with their suppliers, cloud providers, franchisors and any other external service provider.
Having a digital presence is often a crucial sales strategy for many organisations, given today’s hyperconnected audiences. However, compliance leaders often overlook the data protection aspects of using cookies and similar tracking technologies. In the ‘Planet49’ case, the CJEU established the link between the ePrivacy Directive, which governs the use of such technologies, and the consent regime under the GDPR. Accordingly, businesses must obtain freely given, specific, and informed consent from website visitors before deploying non-essential cookies (such as advertising and analytics cookies). As pointed out in the GDPR, ‘pre-ticked boxes or inactivity should not therefore constitute consent’.
Oversight from regulators has scaled up around website and cookie compliance. Last year, the French supervisory authority (CNIL) fined Yahoo EMEA Limited €10 million for placing non-essential cookies on users’ devices without their consent. Various data protection authorities, such as the EDPB, Bavaria’s supervisory authority, and the UK’s Information Commissioner’s Office, have established taskforces to investigate the compliance status of cookie banners across the web.
According to PwC’s 2025 Global Digital Trust Insights Survey, the average data breach exceeds US$3M in costs. With growing reliance on cloud, AI and connected devices, the threat landscape is shifting constantly – and organisations need an agile approach to cybersecurity to be prepared. The same survey also found that organisations do not feel fully confident in facing top-of-mind threats: for instance, while 35% of executive leaders are most concerned about third-party breaches, 28% feel their organisation is least prepared to address such a breach.
The gap highlights the need for further investment and stronger response capabilities. Under the GDPR, businesses have strict timeframes for notifying breaches to the authorities. Failing to respect such timeframes, or to implement adequate security measures, can result in significant fines. Training the workforce regularly on how to respond to a breach, and developing adequate incident playbooks and documentation, are essential steps to ensure preparedness and maintain business continuity.
The European regulatory landscape is becoming increasingly complex, and compliance costs are on the rise for many businesses. In recent years, we have seen other significant legislation come into force, such as the EU AI Act, the Digital Operational Resilience Act (DORA), and the Digital Services Act. Interestingly, several themes apply horizontally – for instance, incident reporting obligations under DORA and the EU AI Act can also prompt personal data breach notifications under the GDPR. Core domains such as transparency, risk management, and data governance are also present across these laws.
Regulatory authorities are also recognising the overlap between the different laws (see for example the EDPB’s opinion on the data protection aspects of processing personal data in AI models), hence oversight and other regulatory efforts are expected to pick up pace in the coming months.
How can organisations navigate this new reality? Business leaders must support measures which can accelerate their compliance function, such as the use of technology and reliable data for better insights, and proactively consider new and emerging risk areas.
The challenge for boards is now to build data protection capabilities into their innovation or reinvention journey while remaining acutely aware of the evolving landscape and requirements of the GDPR. The interplay between technology disruption, workforce reconfigurations and regulatory pressure can derail progress, but businesses can remain competitive if they opt to align their organisational priorities with a mindset of proactive compliance.
If you wish to discuss the above areas in further detail, please feel free to reach out to one of our sector leaders below.