Dotdigital blog

GDPR: Five years on and what have we learned?

GDPR implementation has brought about a transformative impact on the digital landscape.

It’s been five years since the General Data Protection Regulation (GDPR) took effect. The law has transformed how organizations handle personal data and has had a lasting impact on businesses around the world. With GDPR having reached a significant milestone, it’s a perfect time to pause and reflect on the valuable lessons we’ve learned. We can also reflect on how it has shaped data protection practices globally.

What is GDPR?

GDPR is the European Union’s data protection law. It protects the personal data of individuals in the EU, whatever their citizenship, and it applies to any organization, wherever it is based, that processes that data while offering goods or services to those individuals or monitoring their behaviour.

Applicable since 25 May 2018, GDPR gives individuals increased control over their personal information. The regulation has also hammered home the importance of transparency in how businesses collect, use, and store user data.

To process personal data lawfully, an organization needs one of the lawful bases listed in Article 6, such as performance of a contract, a legal obligation, legitimate interests, or consent. Where consent is the basis, it must be a freely given, specific, informed, and unambiguous affirmative action: a consent clause buried in the terms and conditions, a pre-ticked box, or silence does not qualify (Article 7 and Recital 32), and withdrawing consent must be as easy as giving it. We’ve seen some hefty fines handed out for GDPR non-compliance and lack of transparency.

Key developments since GDPR

Here are some of the key developments in data protection since GDPR was implemented: 

Increase in data privacy expectations and awareness

GDPR has raised consumer awareness about data privacy and personal data rights. Consumers now demand transparency, accountability, and ethical data practices from organizations, expecting them to handle their personal information responsibly. 

Consumers are no longer willing to compromise their privacy and are more likely to support businesses that align with their values and prioritize data protection. Failure to prioritize data privacy can harm a company’s reputation and reduce consumer trust.

To thrive in today’s data-driven landscape, companies must have a privacy-driven approach and be responsible marketers. This means meeting regulatory responsibilities and putting the customer at the center of everything you do. By managing these expectations, businesses can build lasting customer relationships and gain a competitive edge. 

Data collection and the death of the cookie

GDPR has changed the digital ecosystem and data collection, most visibly through the decline of cookie-based tracking. Cookies are small text files a website stores in the browser to remember state such as login sessions and preferences. The duty to tell visitors about cookies and obtain consent before placing non-essential ones actually comes from the ePrivacy Directive, but GDPR defines what valid consent is, so since 2018 a banner that infers consent from continued browsing or from pre-ticked boxes no longer passes. Cookies that are strictly necessary for a service the user has asked for, such as a session cookie, do not need consent.

Responding to the growing demand for privacy, Google has announced plans to phase out third-party cookies in Chrome, following Safari and Firefox, which already restrict them. The shift in consumer attitudes that GDPR accelerated is making old-school third-party tracking a thing of the past.
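As an added example that is not code from the Dotdigital post or platform, here is how a server can enforce the rule above: classify every cookie it sets, place non-essential cookies only when a recorded consent decision covers their category, treat a dismissed banner or a pre-ticked default as no consent, and expire cookies whose consent was later withdrawn. The cookie names, categories, and consent record shape are assumptions made for the illustration.

```javascript
// Added example, not code from the Dotdigital post or platform.
// Gates cookie placement on a recorded consent decision, server side.
// Cookie names, categories, and the consent record shape are assumptions.

// Registry of every cookie the site may set, with its consent category.
// Only "necessary" cookies may be set without consent (ePrivacy exemption).
const COOKIE_REGISTRY = {
  session_id:   { category: "necessary", maxAge: 60 * 60,           httpOnly: true },
  csrf_token:   { category: "necessary", maxAge: 60 * 60,           httpOnly: false },
  analytics_id: { category: "analytics", maxAge: 60 * 60 * 24 * 30, httpOnly: true },
  ad_profile:   { category: "marketing", maxAge: 60 * 60 * 24 * 90, httpOnly: true },
};

// Build a consent record from the choices the user actively made in the banner.
// Anything not explicitly true is treated as refused: no pre-ticked defaults,
// and a dismissed banner (choices === null) gives no consent at all.
function recordConsent(choices, policyVersion, now = new Date()) {
  const opted = choices || {};
  return {
    analytics: opted.analytics === true,
    marketing: opted.marketing === true,
    policyVersion,           // which privacy notice the user saw
    at: now.toISOString(),   // when: needed to demonstrate consent (Art. 7(1))
  };
}

// Is this cookie allowed under the current consent record?
// Unknown cookies fail closed so nothing bypasses the registry.
function isPermitted(name, consent) {
  const meta = COOKIE_REGISTRY[name];
  if (!meta) throw new Error(`unregistered cookie: ${name}`);
  if (meta.category === "necessary") return true;
  return Boolean(consent) && consent[meta.category] === true;
}

// Serialize one cookie with hardened attributes.
function serializeCookie(name, value, maxAge, httpOnly) {
  const attrs = [
    `${name}=${encodeURIComponent(value)}`,
    `Max-Age=${maxAge}`,
    "Path=/",
    "Secure",        // never sent over plaintext HTTP
    "SameSite=Lax",  // not attached to cross-site subrequests
  ];
  if (httpOnly) attrs.push("HttpOnly"); // keep session material away from scripts
  return attrs.join("; ");
}

// Given the cookies a page wants to set ({ name: value }), return only the
// Set-Cookie headers the consent record permits; the rest are dropped.
function setCookieHeaders(requested, consent) {
  return Object.entries(requested)
    .filter(([name]) => isPermitted(name, consent))
    .map(([name, value]) => {
      const meta = COOKIE_REGISTRY[name];
      return serializeCookie(name, value, meta.maxAge, meta.httpOnly);
    });
}

// When consent is withdrawn, cookies already on the device must go too.
// Returns Set-Cookie headers that expire every registered cookie whose
// category was permitted before and is not permitted now.
function withdrawalHeaders(previousConsent, newConsent) {
  return Object.entries(COOKIE_REGISTRY)
    .filter(([name]) => isPermitted(name, previousConsent) && !isPermitted(name, newConsent))
    .map(([name, meta]) => serializeCookie(name, "", 0, meta.httpOnly));
}
```

Because the check sits where the Set-Cookie headers are produced, a tag or script that was never registered cannot slip a cookie past the banner: isPermitted fails closed on unknown names. Apply the same gate to first-party and third-party cookies alike, and store the consent record with its timestamp and policy version, since that record is what you show a DPA when asked to demonstrate consent.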

National data protection authorities (DPAs)

GDPR has brought notable changes in data protection enforcement in the EU. Every EU member state has a national data protection authority (DPA), which investigates complaints, receives breach notifications, and enforces compliance. For cross-border processing, the lead DPA is the one in the country where the organization has its main establishment (the one-stop-shop mechanism), which is why Ireland’s DPC handles so many of the large technology companies.

Notably, DPAs have not shied away from imposing substantial fines and penalties on organizations found violating GDPR. These enforcement actions serve as a strong deterrent and send a clear message that non-compliance with data protection regulations will not be tolerated. 

In addition to enforcement efforts, DPAs have also taken a proactive approach by offering guidance and support to organizations. This includes the publication of guidelines, frequently asked questions, and best practice recommendations to assist businesses with GDPR compliance.

Data breach reporting

GDPR has changed the game for data breach reporting. A personal data breach must be notified to the supervisory authority within 72 hours of the organization becoming aware of it, unless the breach is unlikely to result in a risk to individuals, and a late notification must explain the delay (Article 33). The 72-hour clock applies to the regulator; where the breach is likely to result in a high risk to the people affected, they must be told without undue delay as well (Article 34). Processors have their own duty to notify the controller without undue delay, so outsourcing a system does not outsource the clock.

Several big companies, such as British Airways, Boots, and the BBC, have suffered cyber attacks that exposed employees’ personal data. AT&T also disclosed a breach in March 2023 that affected about 9 million customers, compromising first names, wireless account numbers, phone numbers, and email addresses.

Recent breaches have shown what good notification looks like, and it matches what GDPR requires the communication to contain: a clear, plain-language description of the nature of the breach, its likely consequences, the measures taken or proposed to address it, and a contact point such as the data protection officer, together with practical advice on how affected people can protect themselves.

California Consumer Privacy Act (CCPA)

While reflecting on GDPR, we cannot ignore its undeniable impact on data privacy laws around the world. The CCPA is one example: it took effect on January 1, 2020, and its expansion under the California Privacy Rights Act (CPRA) took effect on January 1, 2023. The law grants California consumers rights and control over their personal information, draws considerable inspiration from GDPR, and echoes similar principles aimed at safeguarding user privacy. Although it primarily affects businesses that serve Californians, it has broader implications across America and around the world.

UK GDPR and Brexit

Brexit has had significant consequences for data privacy and protection. Post-Brexit, businesses have faced uncertainty in complying with the UK GDPR, which is essentially the retained UK version of the EU regulation with some adjustments made after the UK left the EU, sitting alongside the Data Protection Act 2018. It governs how personal data about people in the UK must be handled, stored, and kept safe, and it exists to protect people’s privacy and give them more control over their own information. Companies that transfer data between the EU and the UK must comply with both EU GDPR and UK GDPR; EU-to-UK transfers currently rely on the adequacy decisions the European Commission adopted for the UK in June 2021, which are time-limited and subject to review.

GDPR today—where are we now?

Since its inception, GDPR has reshaped the way organizations handle personal data, impacted businesses, and changed how marketers work.

Social media

In today’s digital age, data privacy and security online are more important than ever. Mishandling personal data can have severe consequences, as Meta’s recent GDPR penalty shows. In May 2023 Ireland’s Data Protection Commission (DPC), Meta’s lead supervisory authority, imposed the largest GDPR fine to date, €1.2 billion, for continuing to transfer EU Facebook users’ personal data to the United States without a valid transfer mechanism and adequate supplementary safeguards after the Court of Justice’s Schrems II ruling invalidated the Privacy Shield framework.

GDPR fines are tiered under Article 83 and assessed case by case, taking into account factors such as the nature and duration of the infringement, whether it was intentional or negligent, the mitigation applied, and cooperation with the authority.

  • For the more serious infringements (for example of the basic processing principles, data subject rights, or the international transfer rules), an organization may face a fine of up to 20 million euros or, in the case of an undertaking, up to 4% of its total worldwide annual turnover of the preceding financial year, whichever is higher.
  • For other infringements (for example of controller and processor obligations such as security, breach notification, and record-keeping), the cap is 10 million euros or, in the case of an undertaking, up to 2% of its total worldwide annual turnover of the preceding financial year, whichever is higher.

The incident serves as a strong reminder that organizations must prioritize data privacy and transparency to comply with GDPR regulations. This ongoing effort by regulatory bodies to protect individuals’ privacy rights in the tech industry highlights the critical need for companies to commit to responsible data-handling practices. Companies should prioritize trust and loyalty.

Meta is not the only social media platform under scrutiny for data protection compliance. Following TikTok’s recent US congressional hearing, the company is facing investigations in France, Australia, and other countries over how it handles and shares users’ sensitive data. In the digital world no platform is exempt from privacy regulation, however large its user base, so the significance of data protection cannot be underestimated.

Artificial intelligence (AI)

AI has created its own GDPR compliance challenges. Organizations building or deploying AI must have a lawful basis for processing the personal data used to train and run their models, and the necessary safeguards must be in place. GDPR’s transparency obligations apply too: when a decision with legal or similarly significant effects is made solely by automated means, individuals are entitled to meaningful information about the logic involved and to human intervention (Articles 13 to 15 and 22), so an AI system must be explainable enough to meet that duty.

When AI processing is likely to result in a high risk to individuals, which is typically the case for profiling and large-scale processing, companies must conduct a data protection impact assessment (DPIA) before they start (Article 35) and put proper security measures in place to protect personal data from unauthorized access or breach. The ultimate goal is to balance AI’s potential against the privacy rights GDPR protects.

GDPR impact on marketers

GDPR has changed marketing through the rise of preference centers. A preference center lets subscribers manage their communication preferences, giving them control over how marketers use their data, and it lets marketers demonstrate the value of sharing that data: a more tailored and better user experience.

Using customer data in a way that appeals to the customer helps brands too. It’s no longer only about abiding by the law, but about delivering the best experience. GDPR made clear that customer data belongs first and foremost to the customer and is to be treated with respect, which in turn has improved how we as marketers use it.

The rollout of Apple’s Mail Privacy Protection (MPP) in 2021 added another layer of consumer protection. Around the time a message arrives, Apple Mail pre-fetches its remote content, including any tracking pixel, through Apple’s proxy servers rather than from the recipient’s device. The sender therefore records an “open” whether or not the person ever reads the email, and the IP address it sees belongs to the proxy, so the open can no longer reveal the recipient’s location or be tied to their other online activity.

Because open rates are now unreliable, we recommend shifting your reliance from opens to clicks, which is something we’ve enabled in our platform through the eRFM model.

Brands rely less on data and more on building trust and nurturing relationships with customers through improved data practices. In light of data privacy regulations, marketers need to adapt to this shift in approach and find smarter ways to engage their audiences. 

To survive and thrive in this new world of data collection, you must adopt GDPR-friendly strategies like:

Prioritize zero and first-party data

Direct your attention towards gathering actionable insights from user engagement on your own platforms. One way is to collect zero-party data, information the user volunteers, by asking website visitors for their marketing preferences at the first point of contact; this improves the customer experience because they choose what they want to see and what to avoid. Another is to rely on first-party data collected on your own properties instead of third-party cookies, which keeps you within GDPR. Both save money and time, because you stop paying for email campaigns that don’t interest your customers.

Reinforcing contextual targeting

Contextual targeting shows ads or product recommendations based on the content a user is currently viewing rather than on a profile built from their browsing history, so it needs little or no personal data. Relevance is preserved while the user’s data is used sparingly and responsibly, which builds trust, and trust builds loyalty: customers are more likely to stay with a company that respects their privacy.

Integrating a consent collection tool into your workflow lets you record, manage, and track customer consent and preferences, including when and how each consent was given, which is the evidence you need to show a regulator that consent exists (Article 7(1) requires the controller to be able to demonstrate it). Offer opt-in and opt-out controls on every channel so users keep control over their data and how it’s used.

How Dotdigital can help you with GDPR

Our goal is to help you meet your marketing goals, and deliver an exceptional customer experience while complying with GDPR. As a data processor, we have taken steps to ensure compliance with Article 28 of GDPR. At Dotdigital, we prioritize the security of both your data and ours, which is why we consistently review and update our GDPR measures. We’ve put the necessary measures in place to keep your data safe and secure. We can help you be a responsible marketer by:

Technology that meets your needs

At Dotdigital, we understand the importance of your data and how it is managed. As an ISO 27001 certified business, you can trust us to handle your data securely. We prioritize data protection and have a range of tools in place to make it convenient for you to do the same. Our Data Watchdog feature monitors your data for suspicious or risky entries. With our strict compliance, you can work efficiently with peace of mind.

Contractual commitments

Our partnerships are backed by contractual commitments that encompass strong security standards, comprehensive support, and timely notifications, all aligned with GDPR requirements. You can trust that we prioritize your data’s security and privacy.

Sharing our experience

We gather insights from reputable sources, including data protection authorities and other trusted organizations. By sharing this knowledge, we empower you with the latest information to navigate the GDPR landscape.

Partner with Dotdigital to ensure your data protection practices align with GDPR regulations. This will give you peace of mind and enable you to focus on your business goals. To understand GDPR better, we recommend reading through our FAQ section.
