top of page

Three years of GDPR

25th May 2021 marks the 3rd anniversary of General Data Protection Regulation (GDPR). The basic protocols of GDPR are targeted at how the companies around the globe will operate their client’s personal information legally within the EU. GDPR imposes a uniform data protection law all over the EU so that each member state no longer ought to implement its own data protection law and the fact one law is harmonious across the entire EU.

It requires the companies to protect personal data and privacy of EU citizens. GDPR provides protection to Personal Data (name, home/office address, various ID numbers), Tech Data (cookies, IP address, etc), Medical & Health Data, Biometric Data, Ethic Groups, one’s Political views, among others.

GDPR replaced EU’s old Data Protection Directive of 1995. As per the GDPR, companies are required to safeguard personal data and privacy of all EU citizens, in and outside of EU as the GDPR has an “extra-territorial effect” as said under Article 3 of GDPR. As per Article 23 & 30 the companies operating in EU need to come up with a measure to protect the client’s personal data against loss or exposing.

Companies operating in EU must appoint a Data Protection Officer (DPO) who will make sure the company is meeting with the regulations of the GDPR and that the data protection program of the organization is as per the GDPR compliance.

Since its implementation more than 2,50,000 data breaches have been reported and over 500 fines have been so far, which no doubt has a revenue of over hundreds of millions. 20 million euros or 4% of worldwide revenue is the highest fine under the GDPR. Google, Tim-Telecom Italia, Marriott International Hotels, H&M and British Airways are the major corporations that have been fined. Recently, Ireland's Data Protection Commission fined Twitter USD 547,000 for violation of not reporting a data breach in accordance with the GDPR.

The EDPB - European Data Protection Board has published many guidelines over the last 2 years which makes the GDPR the toughest privacy & security law in the world. In the long term, we can expect the GDPR to much more focus on issues like biometric data, AI & its compatibility like how much you can depend on AI.

Apart from GDPR, 10-12% of nations have one or other data privacy & protection law. statistically 65- 70% of the world jurisdiction will have a data protection law by 2023. Countries like India, Brazil, Argentina, etc have started drafting & enacting data protection laws post GDPR.

GDPR has no doubt raised consciousness amongst the nations on how to act in accordance with rules regarding processing of personal data and the need for a data protection law.


Anshul Bharadwaj

Armitage Legal Associates


Follow LexTalk World for more news and updated from International Legal Industry.




bottom of page