Celebrating five years of the General Data Protection Regulation (GDPR), this article delves into a detailed review of the key developments and trends over the past year. I also look ahead, offering insights into what businesses can anticipate for GDPR in the coming year.
Here are some snippets of the last twelve months of GDPR and my predictions for the coming year:
- After the €1.2 bn fine against Meta, data transfer issues are becoming big: I start my review from the last event of the year, the massive GDPR fine issued against Meta on data transfers. As I covered in the article HERE, I expect an adequacy decision on data transfers to the US will be achieved sooner rather than later, but there is a high risk of a Schrems 3 case. Businesses can only adopt a defensive approach by performing transfer impact assessments with a methodology recognized by the market, such as the DLA Piper Transfer Methodology;
- After the Garante's action against ChatGPT, the agreed measures are likely to become a benchmark for Generative Artificial Intelligence: The decision of the Italian data protection authority to urgently limit the processing of Italian individuals' data by OpenAI through ChatGPT was in the headlines during the last months. The undertakings agreed upon between the Garante and OpenAI will likely become a minimum compliance threshold for Generative AI models, as I covered in the article HERE. The upcoming final approval of the EU AI Act will urge any business that is willing to exploit generative artificial intelligence to work through a long list of requirements to ensure compliance;
- GDPR fines for telemarketing and behavioral advertising will place this topic at the center of the radar of data protection authorities: The GDPR fine against Meta for performing behavioral advertising without an appropriate legal basis, which I covered HERE, together with the hefty fines for unlawful telemarketing issued by the Garante and other privacy authorities in recent years, make the proper management of a CRM the backbone of the data protection compliance strategy of any business. The recently approved Italian Code of Conduct on Telemarketing, covered HERE, gives valuable instructions on ensuring compliance. But the obligations are burdensome and hard to comply with;
- With the approval of DORA and NIS2, cybersecurity compliance is no longer just a data protection law issue: During the last days of 2022, the EU quickly approved the DORA Regulation, which is going to have a massive impact on the cybersecurity obligations of banks, financial institutions, insurance companies, and crypto providers (covered HERE), and the NIS2 Directive, which considerably broadens the scope of cybersecurity obligations (covered HERE) and introduces much stricter obligations compared to NIS1. Businesses must understand that cybersecurity is not just a question of technological investments but a matter of compliance that needs to be proven;
- With the increase of ransomware cyber attacks, cyber risk is becoming unmanageable: The number of ransomware attacks that hit large and medium-sized corporations during the last twelve months was impressive. Businesses can face GDPR fines, have all their operations frozen, and face large claims because of the recently reformed EU class actions that strongly empowered individuals. In this scenario, running cyber due diligence that covers technical and legal compliance at the time of an acquisition and during operations is becoming increasingly crucial. Directors might face liabilities if they do not run such assessments or if they fail to act on their findings. I covered the topic in the article HERE, emphasizing how a cyber insurance policy is paramount.
The above topics are the first ones that came to my mind on the impact of the GDPR on businesses after its fifth year; what are yours?