Confused about these GDPR 10-year anniversary posts in May 2026? While I have been working on it for a decade, I’m not keen on May 2016 (entry into force) but rather May 2018, when the GDPR became *applicable*, even more than April 2016, when it was *adopted*.
Why?
Before May 2018:
– Enforcement of data protection rules didn’t really happen (outside of specific outsiders, like the Netherlands and their rules on data breach reporting);
– GDPR compliance was just something organisations were working towards (not all to the same degree), with a timeframe for what we called “GDPR readiness”;
– Everyone was a “GDPR expert”;
– Guidance was limited, as the supervisory authorities themselves were trying to figure out what the new rules would mean. Some of the most significant Article 29 Working Party guidelines on the GDPR only came towards the end of 2017.
After May 2018, a lot changed. For instance: enforcement started (some will claim “not enough”, others “too focussed on A/B/C”), EU data protection litigation became a big thing (there were a handful of cases beforehand, but just look at how many CJEU cases there are per year now, and the difference is obvious), even companies that are less “data-intensive” began having extremely capable in-house experts in the field
and the complexity of the topics we help our clients handle is *far* greater than that of the discussions we had in 2017-2019 (and that’s not just because of seniority issues)
25 May 2018 – that’s the date everyone got drilled into them. That’s when the rules became applicable and went from being soft aspirational objectives to hard, enforceable requirements.
So let me wish the GDPR a happy 8th applicability anniversary.
Could this 9th year of applicability be the year where any of these occur?
– We restore balance to the force – er, EU Charter. (As someone who has been called “Darth Craddock”, allow me this bad pun)
The CJEU’s recent confirmation of the importance of the freedom to conduct a business was refreshing – see https://lnkd.in/eSiP3yBV
– We finally move the GDPR and ePrivacy needle towards proportionate and pragmatic enforcement and interpretations, recognising that ivory tower positions do not enable compliance but make it much harder (illustration: excessive EDPB/EDPS interpretation of “personal data”).
– We see more harmonisation and less “me first!” enforcement – and a better framework (whether through law, practice or case law) for EDPB decision-making – including as regards the legal value of “Guidelines” and “Recommendations” and the degree to which they are binding by law or in fact).
– Within the community of data protection professionals, we show that we *can* have civilised debates (= without name-calling and personal attacks) and without perpetuating echo chambers, especially at larger conferences.
Perhaps that means also arranging a few boxing matches – but that’s where everyone learns the most.
I know I’ll try to contribute – will you?
Did this analysis get you thinking? Reach out!
DataLaws.net is entirely open-access, and instead of getting your data in exchange for this content, how about another trade? If this commentary saved you research time or sparked an idea, feel free to invite me over for tea, chai or a hot chocolate next time you are around Brussels or Antwerp - or invite me over to your offices for a chat!
Get in touch ↗ Let's connect on LinkedIn ↗