“Two years. It’s already been 2 years since the GDPR came into force (aka. The end of GDPR madness). It’s gone by so fast and so slowly. So much has happened. And yet, so much is still the same.

In this two year anniversary of the rule that we live and breathe, here at KL we wanted to take a walk down memory lane and see what has changed, a then and now experience which we hope will spark a sense of achievement or, at the very least, a temporary distraction from our Covid focused lives.




Awareness (aka. Geek is the new chic) 

No one understood what we actually did for a living. Despite explanations to family, friends (and the odd older partner in the firm) a lot of people didn’t quite understand why we were getting paid at the end of the month.

Everyone knows what we do and why privacy is important to them.

General awareness of their privacy rights (and the fact that even our grandparents now understand what it is we do for a living) is the most satisfying part of this journey.

A shift in culture - No more tick box exercises

The new European Regulation made a difference within organisations especially in creating awareness among organisations of what to do when handling personal data.

The race up to May 25th was all about ticking boxes – getting the GDPR readiness plan in the green. It didn’t matter how it was done, it needed to be done.

Whereas there a companies who still struggle with the idea that privacy is a living thing and not just a pile of documents to be kept in a desk drawer, most companies understand how privacy impacts their business.

It’s not only about getting things done, but done well and in a way that fits with your business and client culture.

Getting solid advice and privacy right can make or break, growth, investments and public image, especially for budding businesses.

The rise and fall of consent




Before the GDPR came into force, consent had different approaches depending on the jurisdiction and many companies relied on implicit consent to perform their activities.

The new Regulation made it clear that it was necessary to obtain a clear an affirmative statement to consider valid consent. So we have had to say goodbye to those pre ticked boxes or those implicit consents that we used to live with.

We still dream of those emails we received on May 25th telling us that the GDPR was already there and that we would need to give our consent to companies to process our personal data. Many of these were sent in a panic stricken frenzy as people did not quite understand the different legal basis for processing. We then realized that the result or consequences of that, in some cases, became more difficult than expected. The lack of responses was absolute nightmare for marketing teams.

Companies understand that there are different legal basis for processing, and that consent can only be used when there is actually an option.

There is a better understanding, aided by transparency and a stronger privacy culture, that allows companies to process the data they need with the legal basis that makes sense in the context.

Carrying out training, the presence of a privacy expert such as the DPO and going through the thought process of the DPIA has helped companies understand and record what they use data for, why and on what grounds. And explain it in a clear way to users of course.

The rise of the DPO

This role was not introduced by GDPR, as it already existed in some jurisdictions, but not all organisations, that had appointed a DPO, stopped to think about the aptitudes or skills that this role requires, or whether some functions within the entity could not be compatible with those of a DPO. How many discussions took place to decide what was the best profile for a DPO? And how many people “got stuck” with the job (Kevin in HR, here’s thinking of you kid)

GDPR reinforces this figure by defining certain characteristics that must be fulfilled, such as ensuring that any task and duties do not result in a conflict of interests. The DPO must know privacy, but also understand the business, the culture, be collaborative and his or her own person in this senior role in the company.

We’ve also discovered that it’s not only about having a DPO, you actually need one who knows what he or she is doing. And that it may take a village to do the DPO job.

Transparency, user experience and the end of the black box

Pre-GDPR duties in relation to transparency were less demanding and strict. Information used to be scattered and sometimes even difficult to find and understand. Users were not used to reading the (sometimes unreadable or extremely dull) information that organisations provided them with as, in most cases, it was not concise or easily accessible, and the wording could result unclear and without a plain language.

Transparent processing is about being clear, open and honest with people from the start.

The GDPR emphasises the transparency as one of the most relevant requirements that entities must comply with and evidence of this is the fines and sanctions that some Data Protection Authorities have issued to organisations for not being transparent with their users / consumers.

Organisations have improved the access to information and the means to provide such information. They have tailored the language to their user experience, and many companies opt for just in time notifications.

It is ever evident that the way to engage with users is trust, and getting privacy right enables that trust.


Two years ago accepting all cookies when accessing a Site or otherwise the access would not be possible was the norm.

We sort of had an idea of what was going on but no body (including companies themselves in many cases) knew what was going on with cookies.

Companies are auditing their cookies to understand what they have and why. In order to give people the option to switch some types of cookies on and off, it is essential to know what will go in each bucket.

Companies are finding that by giving people choice, they are actually more happy to accept most cookies and engage with the company.

The evolution of privacy by design

Having to think about privacy from the start may seem an obvious obligation, but the adoption of measures to effectively integrate privacy by design and by default into processes, procedures or systems required a hard work behind, not only technical, but also an awareness exercise, that sometimes was not that easy.

Getting the privacy person a seat at the table from the beginning and not 12h before the launch of a product was, at the very least, a struggle.

With the integrity and confidentiality principle, as well as the data minimisation, Privacy by Design has gained strength.

Training has also done wonders as non-legal teams understand (i) how this affects their work and (ii) if they don’t get it right it might be a no go.

We are now transitioning from a culture of GDPR as a big bad wolf to GDPR as a business and technology enabler.

It’s all about cybersecurity

“Change your password”, “use encryption”, “implement security policies”, probably these are the most frequent sentences we have ever heard. Cybersecurity has been little by little implemented into the company's DNA. However, pre-GDPR, some organisations did not have the appropriate security measures and training in place and different cyber incidents, caused by human errors or external attacks, did occur – and, unfortunately, some of them were difficult to locate and even mitigate.

Cybersecurity risk assessment and planning must not be a paper tick-box exercise only, but everyone in a business must know about security policies and comply with them.

GDPR requires companies to implement appropriate technical and organisational measures which take into account the type of data processing and the rights and freedoms of data subjects.

The result of a wrong management of data breaches can result to fines, as explained below.


Fines for breach of privacy law predate the GDPR. But the potential fines under GDPR were, at the very least, a shock to the system.

Most companies had to start preparing a new approach towards GDPR as their current system was not sufficient prepared to comply with all GDPR requirements and therefore avoid potential fines and sanctions.

Let’s just say… it scared more than one board member.

Fines have increased dramatically under GDPR.

But it’s not only about financial risks, reputational risks have proven to have an even bigger impact. Security incidents and personal data breaches always generate news coverage.

Professional and efficient handling of an incident has proven to minimise reputational damage and the amount of the fine.

For now, regulators are going after companies who, put simply, should have known better.

All in all, the GDPR has been a positive thing for users and companies alike. Happy birthday GDPR! May the terrible twos be short and merry.