Scroll down

What the GDPR changed 2 years after coming into force

Matthieu Mugnier |

Two years ago, on May 25, 2018, the General Data Protection Regulation (GDPR) came into force. This is an opportunity for us to focus on this text which aims to change the habits of digital players, while the issues surrounding the protection and processing of personal data are set to become even more important.


This European regulation has been designed to meet the challenges related to rapidly changing technologies and data fragmentation within the European Union. Its objective is to strengthen the rights of individuals and make the organizations which process data more responsible by standardizing the framework for such processing. The definition of personal data has long remained unclear.

The European Directive 95/46/EC, which constituted until May 25, 2018 (the day of entry into force of the GDPR) the reference text for the protection of personal data, defines it as follows: any information concerning an identified or identifiable legal person, whether directly or indirectly, constitutes personal data. The GDPR clarifies this definition by giving examples of indirect identification such as location data or genetic data. It means that the possibility of identifying a person via an IP address, email address or cookies is covered by the GDPR.

Therefore, the GDPR is designed to give a framework for the collection and computing of this personal data. More specifically, the end user has more visibility and a right to control the use of his data, as well as a right to be forgotten. As for the data controller, it has to be more careful with the user data processing, otherwise it is liable for any physical or moral damage resulting from the violation of the GDPR.


Companies of all industries are therefore subject to the application of the GDPR. First of all, they must secure the personal data they process by preventing their disclosure or hacking. If a violation of personal data is detected, it must be reported within 72 hours to the country’s competent body and the user must be notified as soon as possible.

Companies must also guarantee the user’s consent when they collect his personal data, hence the more and more intrusive pop-ups inviting us to accept the cookie policy when we open a website. Finally, the scope of the GDPR extends to data processing of all users located in the territory of the European Union, regardless of whether the data controller is established in the European Union or not and regardless of the location of processing.


However, many companies do not comply with the GDPR despite the financial and human resources dedicated to the implementation of the regulation, including the creation of new positions such as Data Protection Officer (DPO). It took a long time for companies to adapt and for some the work is still in progress.

Although some companies are struggling to comply with the regulation due to a lack of resources, of understanding of the compliance principles or because of their strategy, all the players have played along – strengthening the framework for personal data processing – and the regulation has put an end to many abusive practices. Besides, some companies have started communicating more about their use of personal data and are now using it as a real marketing argument.

The implementation of these rules can also change the user experience. With the right to be forgotten, for example, an artificial intelligence algorithm will use personal data over a shorter period of time or with more advanced anonymization techniques. Moreover, the regulation have represented an opportunity for some to clearly define the chain of personal data processing and implement more virtuous processing chains.


If users are more and more eager for transparency on the use of their personal data, the implementation of the GDPR within organizations is only at a very early stage, even though the European text has already had a major impact, both positive and negative: many companies have played along and complied with the constraints related to this regulation while others have been fined.

In the end, the major changes encourage us to go further. Indeed, Europe is now a model in terms of personal data protection, so some states such as Japan or Brazil have naturally followed Europe’s lead with the ratification of texts inspired by the GDPR; an initiative encouraged by the technology giants who have called for the globalization of these good practices.

Finally, other texts within the European Union to consolidate our legislation on our personal data protection are already under consideration: the ePrivacy Regulation, which should soon come into force, will aim to strengthen the protection of citizens’ online privacy.