By Karen Bollard

I’ve had the privilege of working in data privacy since the General Data Protection Regulation was introduced in 2016. I’ve watched attitudes to data protection change and learned a few things along the way, some of which I’d like to share with you today.

The shift in corporate behaviour and attitudes

When the GDPR was first announced in 2016, the initial reaction in many organisations was to regard the regulation in the same way as they had once regarded Y2K: a major, expensive project that would be completed once and then safely left behind. There was a rush to hire consultants to cobble together a framework, update privacy notices, review contracts, introduce cookie notices and produce policies and procedures so that they could ‘prove’ their compliance. In those days, my most common utterance was, “It’s the law” in my never-ending attempt to instil in people’s minds that the GDPR was here to stay and not something to be forgotten like data subject rights.

Finding a suitably qualified DPO was nigh impossible, and organisations couldn’t see the problem in appointing ‘Joe from IT’ as their DPO, nor the apparent conflict of interest with appointing their existing CRO, CIO, or head of Internal Audit to the role.

As time has passed, fewer organisations behave as though compliance can be bought once, documented neatly and then forgotten (although many remain set in their old ways). These companies may have excellent policies, polished retention schedules and carefully drafted notices, but such documents have little value if they are not reflected in real operational behaviour.

Nowadays, a more mature view of the GDPR is emerging, one that understands that effective compliance depends on evidence: training people properly, monitoring what happens in practice, reviewing supplier arrangements, testing incident responses, updating records of processing and revisiting risk when products, systems or business models change. Privacy programmes now live in many organisations, not just in their files.

The greatest incentive for corporate boards to invest in data protection is not the possible fine of 4% of global turnover, but the understanding that privacy is all about trust and that this trust is good for business. Consumers purchase more from companies that they trust, and employee engagement is much higher where there is strong trust in the employer.

Public attitudes

In the years leading up to and immediately following implementation, any passing mention of the GDPR often triggered a mixture of anxiety, scepticism or annoyance. People just didn’t want to know, or were willing to lay blame on the law as an unnecessary obstacle to them performing their job functions or private affairs.

Public awareness has matured over time. In 2016 most people had not even heard of the GDPR. In 2018, many individuals knew that the GDPR existed, but few understood what it meant in practical terms. Since then, people have become more familiar with data subject access requests, cookie consent, data breaches, children’s privacy and targeted advertising. Additionally, individuals are starting to understand the commercial value of their personal data. People may not always use technical legal language, but they are far more likely to ask who is collecting their information, what it is being used for and whether they really have a meaningful choice. That change matters. The GDPR has helped shift privacy from being a niche legal topic into a mainstream issue of fairness, transparency and power in the digital economy.

The role of the privacy professional

From 2016 through 2020, privacy professionals were often seen as the people who arrived to stop projects, complicate marketing plans or deliver unwelcome news. Today, while that perception has not disappeared entirely, the role is better understood.

Nowadays I find that when I mention my role, most people are at least interested enough to ask for further information or tips and tricks (even if it’s only how to avoid doing something onerous). Many people are willing to ask thoughtful questions about data ethics, lawful bases, AI tools, monitoring technologies and customer expectations.

These days the data protection conversation is much wider. Businesses must think about cross-border transfers, adtech, vendor ecosystems, algorithmic decision-making, children’s data and the interaction between privacy law and newer EU digital rules. Regulators are also coordinating more closely. The result is a more mature but also more demanding landscape with fewer simplistic answers, more scrutiny of substance, and a stronger expectation that organisations must justify how and why they process personal data.

Privacy specialists are increasingly brought into wider conversations about product design, procurement, security and reputation. That does not mean the job has become easier; if anything, it has become broader. The GDPR operates alongside a growing body of digital regulation, and privacy teams are expected to help organisations navigate complex overlaps rather than simply quote rules.

Overall

Indeed, a lot has changed since 2016, but there is still quite a way to go. People’s knowledge has increased and boundaries have been expanded. Personal data is no longer something organisations can assume they are free to exploit without question. It now carries legal weight, reputational risk and, increasingly, public scrutiny. That is the real shift. The GDPR did not finish the argument about privacy; it started it. And unlike the frantic countdown to Y2K, this was never going to end when the clock struck midnight.

With the development of technologies which create both major new opportunities as well as significant challenges for those who are responsible for looking after people’s information, the GDPR era is really only just beginning, and any organisation that thinks otherwise is already behind the times.