Compliance Regulation Changes: What is the Influence of GDPR after Seven Years?
As of February 2025, the General Data Protection Regulation (GDPR) has been in effect for nearly seven years, and in that time has significantly influenced data protection practices worldwide.
In this article, we look at the influence of GDPR on global data protection laws and trends in compliance regulations as they evolve to contend with a rapidly changing data landscape that includes new phenomena such as artificial intelligence.

Impact of GDPR
The GDPR has established itself as a robust global privacy law, setting stringent standards for how organisations collect, handle and protect personal data of EU residents. GDPR’s implementation has led to notable improvements in data governance, monitoring and strategic decision-making regarding consumer data usage.
Organisations have become more proactive in addressing privacy and security concerns, partly owing to the potential for substantial fines for non-compliance.
For instance, in January 2025, Meta was fined €1.2 billion for unlawful data transfers between the EU and the US, which marked one of the largest GDPR fines to date.
GDPR influenced business operations within the EU
A survey after five years of GDPR indicated that 39.7% of respondents felt GDPR compliance positively affected their business, citing enhanced data security, increased company credibility and greater customer confidence.
Conversely, 17.7% reported negative impacts, including higher data storage and management costs, increased workload and limited marketing opportunities, especially concerning personalisation and the use of AI.
Compliance Pre-GDPR and Now: The Difference
Before GDPR, global compliance laws were fragmented, with weaker enforcement and fewer consumer rights.
Companies had broad discretion in data collection, often without clear user consent.
Post-GDPR, privacy laws worldwide have strengthened, emphasising explicit consent, data minimisation, accountability and transparency.
Heavy fines and global influence led to stricter laws among major trading countries such as the USA, China and Brazil, and stimulated data protection legislation worldwide.
In 2016, around 120 countries had enacted data privacy laws, although they were not as codified or as stringent as post-GDPR compliance laws. The number of countries with strict compliance regulations in place has grown significantly, driven by GDPR’s influence and the increasing global focus on data protection.
As of February 2025, 144 countries have enacted national data privacy laws, covering approximately 6.64 billion people, or 82% of the world's population.
The global trend indicates a growing recognition of the importance of data protection and privacy, leading to more comprehensive legislation worldwide.
Compliance now requires proactive data protection, cross-border transfer safeguards and AI governance. GDPR has had significant influence in reshaping business operations globally.
Current State of Affairs: GDPR Standards Intensifying
Enforcement of the GDPR has intensified over the years. As well as the huge Meta fine in 2025, TikTok was fined €345 million in September 2024 for violations related to children's data privacy and insufficient safeguards for young users.
GDPR standards are intensifying with stricter enforcement, record-high fines, expanded interpretations of data privacy laws, increased scrutiny on AI and biometric data, stricter cross-border data transfer rules, and growing national regulations aligning with GDPR. Businesses face heightened compliance demands, audits and evolving requirements for transparency and consent.
GDPR breach penalties underscore the EU's commitment to upholding data protection standards.
Compliance Challenges
However, challenges persist. Inconsistencies in enforcement among member states and varying interpretations of the regulation have been noted. Some countries face significant backlogs in investigations, partly owing to the complexity of the GDPR and differing national approaches.
Notable Consequences of GDPR
Over the past seven years, the GDPR has had significant impacts on businesses, consumers and regulatory practices worldwide. Here are some of the key impacts:
1. Increased Consumer Awareness and Rights
Consumers are far more aware of their data rights, such as the right to access, rectification and erasure (the “right to be forgotten”).
The number of data subject access requests (DSARs) has surged, with many businesses struggling to handle the volume efficiently.
2. Shift in Business Practices and Compliance Costs
Companies have invested heavily in privacy programs, legal teams and compliance frameworks to avoid penalties.
Many companies have reduced their data collection or adopted privacy-by-design principles.
3. Increased Global Influence on Privacy Laws
GDPR has inspired similar laws worldwide, including:
California Consumer Privacy Act (CCPA) (U.S.)
Brazil’s LGPD
China’s Personal Information Protection Law (PIPL)
Non-EU companies operating in the EU have had to adapt to GDPR’s extra-territorial reach.
4. Challenges for Digital Advertising and Marketing
GDPR has disrupted online advertising, particularly regarding third-party cookies and targeted ads.
Google announced plans to phase out third-party cookies, partly owing to GDPR pressures.
Businesses must now obtain explicit user consent for tracking and personalised advertising.
5. Increased Scrutiny of AI and Automated Decision-Making
GDPR’s strict rules on automated decision-making and profiling impact AI development and deployment.
AI systems that process personal data must be transparent and provide human oversight.
The EU AI Act is now building upon GDPR principles to regulate AI more explicitly.
6. Cross-Border Data Transfer Complications
GDPR’s restrictions on international data transfers have led to conflicts, such as:
The invalidation of Privacy Shield (2020), which disrupted U.S.-EU data transfers.
The introduction of the EU-U.S. Data Privacy Framework (2023) to replace Privacy Shield.
Many companies now use Standard Contractual Clauses (SCCs) to comply with GDPR when transferring data outside the EU.
GDPR has reshaped global privacy standards that hold businesses accountable for data protection while empowering consumers. However, challenges remain, especially around enforcement consistency, AI regulation and balancing compliance with business innovation.
Today’s Biggest Compliance Issue: Artificial Intelligence
As we move into the 8th year of the GDPR, the world is navigating an explosion of AI tools and systems in the workplace.
AI is an incredibly fast-moving space, and as we start to see the first AI legislation come into force, it’s important to keep data protection, confidentiality and intellectual property top of mind when introducing AI tools into your business.
Why are People Concerned about AI Data Compliance?
AI poses significant threats to data privacy, including mass surveillance, bias in automated decision-making and unauthorised data collection.
AI-driven algorithms can extract sensitive personal data, often without clear consent, which can lead to identity theft and profiling risks.
Deepfakes and AI-powered phishing attacks further exploit personal information, while large language models may inadvertently store and expose private data.
Weak regulations on AI data handling could exacerbate risks to data privacy, which makes updates to GDPR and global data privacy laws crucial for protection.
How are Compliance Laws Evolving to Tackle AI?
Compliance laws are evolving rapidly to address the risks and challenges posed by AI.
GDPR already regulates AI-driven data processing, emphasising transparency, fairness and human oversight in automated decision-making.
However, stricter frameworks are emerging, such as the EU AI Act, which categorises AI systems by risk level and imposes stricter requirements on high-risk applications like facial recognition and hiring algorithms.
The U.S. AI Bill of Rights and China’s AI regulations also emphasise accountability, bias mitigation and consumer protections.
Additionally, regulators are updating GDPR enforcement to ensure AI models comply with data minimisation and purpose limitation principles.
Future laws are most likely to focus on explainability, ethical AI use and stricter corporate responsibilities to prevent discrimination and data misuse.
How Quickly are Data Privacy Laws Changing?
The California Consumer Privacy Act (CCPA) provides an example of how quickly data privacy protection laws are changing to contend with the evolving data landscape.
The CCPA has evolved significantly since its introduction in 2020.
In 2023, the California Privacy Rights Act (CPRA) amended the CCPA by expanding consumer rights and imposing stricter business obligations.
The CPRA introduced sensitive personal data protections, automated decision-making transparency and stricter data retention policies.
The amendment also created the California Privacy Protection Agency (CPPA) for enforcement. Looking ahead, California is considering further AI-specific regulations to ensure fairness, explainability and accountability in AI-driven data processing.
Future of Compliance Legislation
The GDPR has sparked a global movement toward enhanced data privacy regulations. Many countries have enacted or are developing laws mirroring the principles of GDPR. Several new data privacy laws have been introduced worldwide, influenced by the GDPR's framework.
In the United States, while there isn't a federal law identical to the GDPR, various state-level regulations have emerged, and U.S. companies that process data of EU residents must comply with the GDPR.
Looking ahead, compliance legislation is expected to evolve, focusing on areas such as artificial intelligence, cross-border data transfers and the rights of individuals over automated decision-making.
Organisations will need to stay informed and adapt to these changes to ensure ongoing compliance in an increasingly complex regulatory environment.
Compliance Technology Trends
As data compliance regulations have spread and intensified globally, technology has evolved rapidly to help organisations cope with and manage compliance complexities.
Talk to Facit about how to automate data privacy compliance when operating CCTV or body worn cameras, and when storing and sharing video footage, or about how to protect personal data compliantly in your organisation’s documents.