
10 Years of the GDPR: A Decade of Transformation. And what comes next?

26 May, 2026

Today marks the 10-year anniversary of the European General Data Protection Regulation coming into force. We invite you to reflect on a decade of transformation in data protection… and to explore what comes next.

Exactly ten years ago today, the GDPR came into effect and irreversibly changed the relationship between organisations, individuals, and personal data. With a full decade of practical enforcement behind us, it is time to glance back — but above all, to look ahead.

If you could sum up the GDPR’s impact on your organisation in one word, what would it be?

 

I. The impact of a decade: what the GDPR changed

The GDPR was not merely a regulation — it was a turning point in culture and habits. Over the course of ten years, we have witnessed far-reaching changes:

  • Accountability as a central pillar. The accountability principle moved from a theoretical aspiration to a concrete requirement. Organisations processing personal data are now expected to demonstrate — not merely declare — compliance with data protection principles. Internal policies, records of processing activities, data protection impact assessments, and the role of the Data Protection Officer have become structural elements of corporate governance.
  • International transfers and regulatory convergence. The GDPR triggered a global domino effect. From the Schrems II ruling to the adoption of adequacy frameworks, and through the proliferation of legislation inspired by the European model — from Brazil (LGPD) to India (DPDPA) — the European regulation has cemented its position as a worldwide benchmark. Regulatory fragmentation persists, but the convergence trend is undeniable.
  • Certification and trust. Data protection certification has evolved from a nascent concept to a compliance demonstration tool of growing practical relevance, paving the way for mechanisms such as Europrivacy.

 

II. Lessons learned — and a vision for the next decade

Ten years of the GDPR have taught us that regulation is necessary but not sufficient. The key lessons from this first decade include:

  • Compliance is not a destination — it is an ongoing process. Organisations that treat the GDPR as a completed project quickly fall behind. Data protection demands continuous monitoring, training, and the ability to adapt.
  • Technology moves faster than the law. Artificial intelligence, large language models, biometrics, and large-scale data processing pose challenges that the original GDPR text did not fully anticipate. The interplay with the AI Act, the Data Act, and the Data Governance Act will be one of the defining themes of the coming decade.
  • Enforcement has matured — and will continue to intensify. Supervisory authorities have moved from an initial pedagogical phase to increasingly assertive action, with significant fines and more detailed guidance. Cooperation among national authorities is expected to become more effective, and the one-stop-shop mechanism is set to be refined.
  • The role of the DPO is evolving. The Data Protection Officer has been steadily establishing a position as a strategic interlocutor within organisations, with a mandate that extends to data ethics, AI governance, and digital risk management.

Is your organisation ready for the next European regulatory cycle? Is the interplay between the GDPR and the AI Act already part of your compliance strategy?

 

III. Europrivacy: The European data protection seal

One of the most significant developments in recent years is the consolidation of Europrivacy as the first certification mechanism officially recognised under Article 42 of the GDPR. Europrivacy offers organisations a certification seal attesting that their data processing operations comply with the GDPR, providing legal certainty and a competitive edge.

The Europrivacy certification scheme has been expanding, with complementary criteria for specific sectors — healthcare, financial services, public administration — and for technological frameworks such as cloud computing and artificial intelligence. It is an instrument with the potential to harmonise compliance practices across the European Union and to facilitate the demonstration of accountability before supervisory authorities, business partners, and data subjects.

Europrivacy certification can serve as a strategic differentiator for organisations operating in regulated markets or seeking to strengthen stakeholder trust.

 

IV. Voices from the field: what the experts say

Over this decade, the data protection ecosystem has built a significant body of practical knowledge. DPOs, supervisory authorities, and specialists converge around several core themes:

  • Supervisory authorities, including the European Data Protection Board (EDPB), have emphasised the need for a more harmonised application of the GDPR across Member States, acknowledging that fragmentation in interpretation and enforcement weakens the digital single market.
  • Data protection professionals and DPOs highlight the importance of embedding privacy into organisational culture, going beyond mere formal compliance. The concept of privacy by design continues to be more cited than practised, and the next decade will require organisations to genuinely incorporate it into their innovation processes.
  • Similarly, they warn of the need for an integrated approach to compliance — one that connects the GDPR with emerging legislation on data, artificial intelligence, and cybersecurity — avoiding regulatory silos that increase costs and reduce effectiveness.

Ten years on, the GDPR stands as a civilisational achievement — but also as a commitment under continuous construction. The regulation gave us the foundations; it is now up to us to build upon them to meet the challenges the next decade holds. At Antas da Cunha ECIJA, we remain committed to accompanying this evolution, supporting organisations in building data protection programmes that are resilient, ethical, and future-ready.

 

By Ana Bastos and Ana Catarina Silva, Practice Area – Digital Contracting & Compliance 
