Ten years later, has the GDPR fulfilled its purpose?

Fernando Maldonado, technology advisor at Foundry.


Gray areas remain: Still, if anything has been demonstrated in the decade since its entry into force, it’s that the GDPR still has a long way to go.

Miguel Recio, president of APEP.IA (Spanish Professional Association for Privacy), argues that some of the limitations that have been exposed about the regulation relate to adequate bases of legitimacy, and restrictions derived from the concept of personal data or the definition of the figures of controller and processor. “In the case of the bases for legitimation, the limitations that consent or legitimate interest may have in practice must be analyzed to avoid situations of insecurity in the application of the GDPR.”

Regarding the concept of personal data, Recio believes that if it is applied restrictively, it can lead to disproportionate situations in which onerous compliance is required, which sometimes does not adequately protect the person. “And the concepts of data controller and data processor may be superseded in certain cases,” he adds. “This requires clear criteria for the application of the GDPR that allow us to overcome doubts or uncertainties.”

International aspect: One area where the GDPR has been under constant tension is as it relates to international data transfers.

Rafael García del Poyo, partner at Osborne Clarke Spain, believes that international transfers of personal data have been the Achilles’ heel of the GDPR since its entry into force. “The successive twists and turns suffered before the CJEU in this matter (Schrems I, Schrems II, etc.) make it clear that as long as digital business models are global and legal frameworks are national or regional, legal uncertainty will be endemic,” he admits.

Another very visible limitation, according to García del Poyo, has been the preference for consent as the fundamental basis of legitimacy in the digital environment. “In theory, it is configured as the most powerful legal basis for processing personal data, but in practice, it has degraded into experiences that generate ‘fatigue’ for the citizen or are ‘automatic clicks,’ as is evident with cookie pop-ups. Consent conceived in this way does not build informed decisions but rather produces weariness,” he points out.

García del Poyo also contends that the reality of data governance on digital platforms exceeds the regulatory logic of the GDPR, requiring additional legal tools to fulfill its stated purpose. “The evolution of European law with instruments such as the DSA or the DMA can be understood as a response to a void, not because the GDPR is ineffective, but because the Regulation cannot single-handedly shoulder the entire governance of the digital environment,” he says. “The good news is that I believe there is considerable room for improvement in the coordinated application of all these digital regulatory instruments.”

Miguel Recio, president of APEP-IA (Spanish Professional Association for Privacy).

Deterrent sanctions: GDPR fines persist, and they are far from insignificant. Alberto Bellé, principal analyst at Foundry Spain, highlights some of them: “If we look at the figures alone, the result is impressive: €7.1 billion in fines since 2018, €1.2 billion in 2025 alone, and 443 breach notifications per day in Europe. In Spain, the Spanish Data Protection Agency (AEPD) increased its fines by 14% in 2025, to €40 million across 299 cases, with the €10 million fine levied against Aena for facial recognition without an impact assessment serving as its prime example. The initial impression is that it works. However, upon closer examination, the flaws become apparent.”

According to Bellé, the sanctions are very strong, but their impact is diminished when it comes to enforcement. “For example, the Irish authority has imposed €4.04 billion in fines on large technology companies since 2018. In practice, it has collected around €20 million. That’s 0.5%. The rest is under appeal or suspended.”

Alberto Bellé (Foundry).

Secondly, he explains, it was implemented before the emergence of AI. “Now that the AI race has become geopolitical, Europe has realized that the GDPR makes deployment more expensive and slows it down compared to the US and China, which regulate less, or do so later. That is why the Commission is presenting the Digital Omnibus, delaying the application of the high-risk part of the AI Act, possibly until December 2027.”

“Thirdly,” he states, “a mountain of regulations has been created that makes compliance impossible. The GDPR was used as a template for those that followed: NIS2, DORA, DSA, DMA, Data Act, AI Act. Each of these makes sense on its own. Together, for a CIO, they are virtually impossible. The initial success of this regulation has become a regulatory avalanche that needs to be rethought.”

According to Miguel Recio, “It is an issue that continues to evolve because there is still no fully consistent application if we consider it from the perspective of all EU countries. It is necessary to bear in mind the proposal of the European Parliament and the Council currently being processed, which establishes additional procedural rules regarding the guarantee of compliance with the GDPR.”

2026 hasn’t exactly started off well in terms of penalties. As the latest data compiled by the financial platform Finbold shows, between Jan. 1 and March 31, 2026, fines totaling €68.18 million were imposed. In other words, companies that violated its provisions paid approximately €757,600 per day during the first three months of the year.

As Finbold points out, the quarter was marked by several significant fines under the GDPR. France and the United Kingdom were responsible for the majority of them.

The worst offender was Free Mobile, a French telecommunications company, sanctioned by the CNIL, the French administrative body enacting privacy laws, on the 13th due to problems with subscriber security. The result: a €27 million fine.

The second largest fine follows the same pattern. It occurred on Feb. 23, when Reddit was fined €16 million by the UK’s Information Commissioner’s Office (ICO) for failing to protect underage users.

The third and fourth were imposed in France. On Feb. 8, Free, the parent company, was fined €15 million for insufficient technical and organizational measures. Shortly afterward, on Feb. 22, France Travail, a government agency, was fined €5 million over job applicants’ information.

“The sanctions have indeed sent very clear messages, especially in those cases where large companies were affected,” says García del Poyo.

In García del Poyo’s view, the problem lies not so much in the obvious deterrent effect of a sanction but in the consistency of the interpretation of the principles contained in the GDPR by the different national authorities of the member states.

“This is perhaps the most pressing issue to address,” he explains. “Along these lines, the one-stop-shop mechanism, which was clearly designed for this purpose, has in practice created some bottlenecks for supervisory authorities with a higher volume of cases, and sometimes the decisions made have not always satisfied national authorities that were not involved. It is true that there has been significant progress in the role played by the European Data Protection Board, but the challenge remains for both citizens and businesses to perceive that the GDPR establishes a truly uniform European standard, for example, in the time required to process cases or in the criteria on which a sanction is based.”

Rafael García del Poyo, managing partner of the Information Technology and Intellectual Property Law Department at Osborne Clarke Spain.

The AI challenge: So what now? Ten years since adoption, it’s time to look ahead, and some voices are warning of the need for evolution, if not reform, taking into account the challenges that data faces, such as generative AI, data sovereignty, and the global digital economy. “Rather than ‘throw out and rewrite’ the GDPR, what is needed is to refine it and accompany it with interpretations and mechanisms that work in the new technological scenarios that will inevitably arise,” says García del Poyo.

Maldonado wants to make it clear that the GDPR was created before the rise of generative AI, but its principles remain important: transparency, legal basis, minimization, specific purpose, security, and protection by design. “The problem is that AI takes those principles into much more difficult territory,” he says. “How do you clearly report on data used to train massive models? How do you delete data that has already influenced a system? What does it mean to use only the necessary data when some models are built precisely with massive amounts of information? How do you explain automated decisions that depend on technical chains opaque even to many experts? These questions will define the next decade. If the GDPR can be effectively applied to AI, it will remain the backbone of European privacy. If not, it risks becoming a highly elaborate regulation for a world that has already changed,” he warns.

García del Poyo believes it is necessary to clarify issues such as the appropriate legal basis for processing personal data when it is used for training an AI, how citizens can exercise their rights when they know that the processing of personal data is not easily traceable, and even how organizations distribute the responsibilities outlined in the GDPR within the context of complex business collaborations that occur between AI providers, integrators, and users.

And what about data sovereignty?: Regarding data sovereignty, García del Poyo reminds us that Europe understands it cannot compete in the global digital economy if its citizens and businesses are immersed in digital environments that make switching providers unfeasible. “It’s important to remember that the GDPR recognized the right to data portability. However, in practice, it has been one of the most underutilized rights, not due to a lack of interest from users, but because the Regulation itself left the underlying technical problem unresolved: in what format exactly? With what standards? Through which interfaces? Now, since the Data Protection Act came into force in September 2025, portability has become a design obligation for companies offering digital services, as it requires that access to and transmission of personal data to other companies be technically feasible,” he says.

Not forgetting a topic that is both “very Spanish and very European,” as García del Poyo defines it, which is the proportionality in the requirements of the rule. “If the European digital regulatory framework becomes increasingly dense, overlaps with new rules, and we fail to simplify some of the imposed obligations, for example, those that can be classified as low-risk or specifically aimed at SMEs, we risk compliance becoming a luxury for large organizations rather than an effective standard of protection for citizens,” he explains. “I believe that the success of the European digital economic model, whose data protection foundations were established in the GDPR 10 years ago, will be measured both by the effectiveness of protecting rights and by its ability to create a secure and favorable environment for business development.”

Looking to the future: Challenges, risks, the need for evolution: we are about to experience some exciting years ahead. But how? What can we expect in terms of data protection? Because the technological challenges are real, and the GDPR will have to adapt to the new reality. “The first thing we have to keep in mind is that we have already moved from data management to data governance, and that this is done within a framework of compliance with fundamental rights,” Recio says.

According to Recio, it is necessary to strengthen the role of data protection professionals, which he describes as “essential” and which “must be valued and promoted by companies if they want to achieve compliance that minimizes the risk of sanctions.”

“And thirdly,” Recio adds, “the need to adapt the GDPR to technological evolution itself, thus preventing situations of uncertainty from arising or potentially arising. The key is the principles that can be applied to new scenarios and technological developments.”

First seen on csoonline.com

Jump to article: www.csoonline.com/article/4167584/ten-years-later-has-the-gdpr-fulfilled-its-purpose.html
