This year marks the 10th anniversary of the EU’s adoption of the General Data Protection Regulation, which became mandatory for all companies beginning on May 25, 2018.
The aim of the GDPR was simple, but important: to improve individuals’ control over their personal data. This regulation replaced Directive 95/46/EC with the clear purpose of unifying data protection regulations in the EU, strengthening citizens’ rights, and simplifying the regulatory environment.
To commemorate this anniversary, Computerworld Spain has spoken with various experts and analysts to examine how this regulation has changed business operations and what the current situation is in terms of GDPR enforcement in practice and organizations’ ongoing efforts to comply with this landmark regulation.
An indispensable change for corporate culture
Fernando Maldonado, principal analyst at Foundry Spain, sees GDPR’s legacy to date being “bittersweet.”
“The GDPR has been one of the most influential digital regulations in the world,” he tells Computerworld Spain. “It has changed how companies talk about privacy, raised standards, and given citizens more rights. But it hasn’t quite achieved what many hoped for: that people have real and easy control over their data.”
Maldonado also believes that GDPR’s “most visible achievement has been cultural.”
“Before its implementation, in many organizations, data protection was little more than legal text on a website, some contracts with suppliers, and a folder that was reviewed during audits,” he says. “Today, at least in Europe, privacy is part of the daily operations of companies, public administrations, and digital services. We talk about legal frameworks, impact assessments, data minimization, privacy by design, data protection officers, and security breaches. It may sound technical, but behind it lies a significant change: Organizations can no longer simply claim compliance. They have to be able to prove it.”
This idea, Maldonado says, “as simple as it is demanding, has been one of the GDPR’s greatest contributions.”
“The regulation made it necessary to know what data is being processed, for what purpose, for how long, with whom it is being shared, and under what safeguards,” he notes. “It also required thinking before acting, especially when processing could affect fundamental rights. In that sense, it achieved something that seemed difficult: taking privacy out of the legal realm and bringing it into management decisions.”
[Photo: Fernando Maldonado, technology advisor at Foundry. Credit: MuleSoft]
Gray areas remain
Still, if anything has been demonstrated in the decade since its entry into force, it’s that the GDPR still has a long way to go.
Miguel Recio, president of APEP.IA (Spanish Professional Association for Privacy), argues that some of the limitations exposed in the regulation relate to the adequacy of the legal bases for processing, and to restrictions stemming from the concept of personal data or from the definitions of the controller and processor roles.
“In the case of the bases for legitimation, the limitations that consent or legitimate interest may have in practice must be analyzed to avoid situations of insecurity in the application of the GDPR.”
Regarding the concept of personal data, Recio believes that if it is applied restrictively, it can lead to disproportionate situations in which onerous compliance is required, which sometimes does not adequately protect the person.
“And the concepts of data controller and data processor may be superseded in certain cases,” he adds. “This requires clear criteria for the application of the GDPR that allow us to overcome doubts or uncertainties.”
International aspect
One area where the GDPR has been under constant tension is international data transfers.
Rafael García del Poyo, partner at Osborne Clarke Spain, believes that international transfers of personal data have been the Achilles’ heel of the GDPR since its entry into force.
“The successive twists and turns suffered before the CJEU in this matter (Schrems I, Schrems II, etc.) make it clear that as long as digital business models are global and legal frameworks are national or regional, legal uncertainty will be endemic,” he admits.
Another very visible limitation, according to García del Poyo, has been the preference for consent as the fundamental basis of legitimacy in the digital environment.
“In theory, it is configured as the most powerful legal basis for processing personal data, but in practice, it has degraded into experiences that generate ‘fatigue’ for the citizen or are ‘automatic clicks,’ as is evident with cookie pop-ups. Consent conceived in this way does not build informed decisions but rather produces weariness,” he points out.
García del Poyo also contends that the reality of data governance on digital platforms exceeds the regulatory logic of the GDPR, requiring additional legal tools to fulfill its stated purpose.
“The evolution of European law with instruments such as the DSA or the DMA can be understood as a response to a void, not because the GDPR is ineffective, but because the Regulation cannot single-handedly shoulder the entire governance of the digital environment,” he says. “The good news is that I believe there is considerable room for improvement in the coordinated application of all these digital regulatory instruments.”
[Photo: Miguel Recio, president of the APEP (Spanish Professional Association for Privacy). Credit: APEP-IA]
Deterrent sanctions
GDPR fines persist, and they are far from insignificant. Alberto Bellé, principal analyst at Foundry Spain, highlights some of them: “If we look at the figures alone, the result is impressive: €7.1 billion in fines since 2018, €1.2 billion in 2025 alone, and 443 breach notifications per day in Europe. In Spain, the Spanish Data Protection Agency (AEPD) increased its fines by 14% in 2025, to €40 million across 299 cases, with the €10 million fine levied against Aena for facial recognition without an impact assessment serving as its prime example. The initial impression is that it works. However, upon closer examination, the flaws become apparent.”
According to Bellé, the sanctions are very strong, but their impact is diminished when it comes to enforcement. “For example, the Irish authority has imposed €4.04 billion in fines on large technology companies since 2018. In practice, it has collected around €20 million. That’s 0.5%. The rest is under appeal or suspended.”
[Photo: Alberto Bellé (Foundry). Credit: Garpress | Foundry]
Secondly, Bellé explains, the GDPR was implemented before the emergence of AI. “Now that the AI race has become geopolitical, Europe has realized that the GDPR makes AI deployment more expensive and slows it down compared to the US and China, which regulate less, or do so later. That is why the Commission is presenting the Digital Omnibus and delaying the application of the high-risk part of the AI Act, possibly until December 2027.”
“Thirdly,” he states, “a mountain of regulations has been created that makes compliance impossible. The GDPR was used as a template for the regulations that followed: NIS2, DORA, DSA, DMA, Data Act, AI Act. Each of these makes sense on its own. Together, for a CIO, compliance is virtually impossible. The initial success of this regulation has created a regulatory avalanche that needs to be rethought.”
According to Miguel Recio, “It is an issue that continues to evolve because there is still no fully consistent application if we consider it from the perspective of all EU countries. It is necessary to bear in mind that a Proposal for a Regulation of the European Parliament and of the Council is currently being processed, which establishes additional procedural rules regarding the guarantee of compliance with the GDPR.”
2026 hasn’t exactly started off well in terms of penalties. As the latest data compiled by financial platform Finbold shows, between Jan. 1 and March 31, 2026, fines totaling €68.18 million were imposed. In other words, companies that violated GDPR provisions paid approximately €757,600 per day during the first three months of the year.
As Finbold points out, the first quarter was marked by several significant fines under the GDPR. France and the United Kingdom were responsible for the majority of them.
The worst offender is Free Mobile, a French telecommunications company, sanctioned by the CNIL — the French administrative and regulatory body responsible for enacting data privacy laws — on Jan. 13 due to problems with subscriber data security. The result: a €27 million fine.
The second largest fine follows the same pattern. It occurred on Feb. 23, when Reddit was fined €16 million by the UK’s Information Commissioner’s Office (ICO) for failing to protect the data of underage users.
The third and fourth largest fines were imposed by France. On Jan. 8, Free, the parent company of Free Mobile, was fined €15 million for insufficient technical and organizational measures. Shortly afterward, on Jan. 22, France Travail, a government agency, was fined €5 million for failing to protect job applicants’ information.
“The sanctions have been significant and have indeed sent very clear messages, especially in those cases where large companies have been affected,” says García del Poyo.
In García del Poyo’s view, the problem lies not so much in the obvious deterrent effect of the sanction but in the necessary consistency in the interpretation and application of the principles contained in the GDPR by the different national authorities of the Member States.
“Perhaps this is the most pressing issue the GDPR still needs to address,” he explains. “Along these same lines, the one-stop-shop mechanism, which was clearly designed for this purpose, has in practice created some bottlenecks for supervisory authorities with a higher volume of cases, and sometimes the decisions made have not always satisfied national authorities that were not involved. It is true that there has been significant progress in the role played by the European Data Protection Board, but the challenge remains for both citizens and businesses to perceive that the GDPR establishes a truly uniform European standard, for example, in the time required to process cases or in the criteria on which a sanction is based.”
[Photo: Rafael García del Poyo (Osborne Clarke Spain). Credit: Garpress | Foundry]
The AI challenge
So what now? Ten years since adoption, it’s time to look ahead, and some voices are warning of the need for evolution, if not reform, taking into account the challenges that data faces, such as generative AI, data sovereignty, and the global digital economy.
“Rather than ‘throw out and rewrite’ the GDPR, what is needed is to refine it and accompany it with interpretations and mechanisms that work in the new technological scenarios that will inevitably arise,” says García del Poyo.
Maldonado wants to make it clear that the GDPR was created before the rise of generative AI, but its principles remain important: transparency, legal basis, minimization, specific purpose, security, and protection by design. “The problem is that AI takes those principles into much more difficult territory,” he says.
“How do you clearly report on data used to train massive models? How do you delete data that has already influenced a system? What does it mean to use only the necessary data when some models are built precisely with massive amounts of information? How do you explain automated decisions that depend on technical chains opaque even to many experts? These questions will define the next decade. If the GDPR can be effectively applied to AI, it will remain the backbone of European privacy. If not, it risks becoming a highly elaborate regulation for a world that has already changed,” he warns.
García del Poyo believes it is necessary to clarify issues such as the appropriate legal basis for processing personal data when it is used for training an AI, how citizens can exercise their rights when they know that the processing of personal data is not easily traceable, and even how organizations distribute the responsibilities outlined in the GDPR within the context of complex business collaborations that occur between AI providers, integrators, and users.
And what about data sovereignty?
Regarding data sovereignty, García del Poyo reminds us that Europe understands it cannot compete in the global digital economy if its citizens and businesses are immersed in digital environments that make switching providers unfeasible.
“It’s important to remember that the GDPR recognized the right to data portability. However, in practice, it has been one of the most underutilized rights, not due to a lack of interest from users, but because the Regulation itself left the underlying technical problem unresolved: in what format exactly? with what standards? through which interfaces? Now, since the Data Protection Act came into force in September 2025, portability has become a design obligation for companies offering digital services, as it requires that access to and transmission of personal data to other companies be technically feasible,” he says.
García del Poyo also raises a topic he describes as both “very Spanish and very European”: proportionality in the requirements of the rule.
“If the European digital regulatory framework becomes increasingly dense, overlaps with new rules, and we fail to simplify some of the imposed obligations — for example, those that can be classified as low-risk or specifically aimed at SMEs — we risk compliance becoming a luxury for large organizations rather than an effective standard of protection for citizens,” he explains. “I believe that the success of the European digital economic model — whose data protection foundations were established in the GDPR 10 years ago — will be measured both by the effectiveness of protecting rights and by its ability to create a secure and favorable environment for business development.”
Looking to the future
Challenges, risks, and the need for evolution: some eventful years lie ahead. But what can we expect in terms of data protection? The technological challenges are real, and the GDPR will have to adapt to the new reality.
“The first thing we have to keep in mind is that we have already moved from data management to data governance, and that this is done within a framework of compliance with fundamental rights,” Recio says.
According to Recio, it is necessary to strengthen the role of data protection professionals, which he describes as “essential” and which “must be valued and promoted by companies if they want to achieve compliance that minimizes the risk of sanctions.”
“And thirdly,” Recio adds, “the need to adapt the GDPR to technological evolution itself, thus preventing situations of uncertainty from arising or potentially arising. The key is the principles that can be applied to new scenarios and technological developments.”