The common reasoning has been that the GDPR is only successful if regulators are issuing fines and penalizing companies. We think this line of thinking is flawed.
Its success can be measured by how it has been driving cultural change regarding privacy/data protection within EU domiciled and global organizations.
Additionally, there’s great value in the guidance and consulting that data protection authorities have been providing to help companies become compliant with GDPR — And in terms of educating data subjects about their rights.
Another key measure of success is the cascade effect we have seen in terms of developing countries enacting privacy and data protection laws to meet GDPR adequacy requirements as well as create a regime for securing privacy rights within their own jurisdictions.
Of course there is still much work to do, but a lot of progress has been made. Let’s not underestimate the paragigm shift in the privacy ecosystem that the GDPR has precipitated.