GDPR eight years on: why compliance can no longer sit in a policy folder

This is the first in a three-part series on GDPR now. It is based on a webinar that we aired on May 27, 2026. A recording of the webinar is available.

When GDPR came into force in 2018, many organisations treated it as a major compliance project. Privacy notices were rewritten, data maps were created, records of processing were documented and staff were trained on the basics. For many businesses, that first phase was about getting the foundations in place.

Eight years later, the challenge is different.

GDPR is no longer new, but it is also not static. It has evolved through enforcement action, court decisions, regulatory guidance, technological change and the rise of AI. Organisations that were compliant in 2018 may not be compliant today if their systems, suppliers, data uses and governance processes have changed.

The question is no longer just "do we have GDPR documents?" It is now "does our GDPR programme reflect how our organisation actually operates today?"

Why this is relevant now

Most organisations have changed significantly since 2018. They use more cloud platforms, more third-party vendors, more AI-enabled tools and more complex data flows. A privacy notice written several years ago may not explain current processing. A DPIA completed for a project at launch may not reflect how that system is now used. A supplier review completed during onboarding may not reflect new sub-processors, international transfers or AI functionality added later.

That is why GDPR compliance now needs to be treated as an ongoing governance issue, not a historic compliance exercise.

From documentation to accountability

In the early days of GDPR, accountability was often understood as a documentation task. Organisations focused on having the right notices, registers and procedures. Those documents still matter, but regulators increasingly expect to see the thinking behind them. They want to understand how risks were identified, who owned the decision, what safeguards were considered and how the organisation monitored whether those safeguards worked.

A completed DPIA is not enough on its own. Organisations need to show what changed because of it. Did the assessment identify a risk? Was that risk accepted, reduced or escalated? Who approved the decision? Was the assessment reviewed when the system changed?

Accountability has become an audit trail of judgement.

This is particularly important because enforcement is increasingly focused on governance failures. Regulators are not only looking at whether something went wrong. They are asking whether the organisation had systems in place to identify and manage the risk before it became a problem.

Transparency has changed too

Transparency was once closely associated with privacy notices. Many organisations responded by producing long, legalistic documents that technically explained how data was processed, but were difficult for ordinary people to understand.

But that approach is no longer enough. Modern transparency means giving people clear, practical explanations about how their data is used, why it is used and what impact it may have. This matters even more where organisations use automated decision-making, profiling or AI tools.

A customer should be able to understand how their data affects the services they receive. An employee should be able to understand how monitoring works. A job applicant should be able to understand whether technology played a role in a recruitment decision. The test is not whether the information exists somewhere in a privacy notice. The test is whether a real person can understand it at the point it matters.

Risk assessment must be live

Another major shift is that data protection risk is no longer something that can be assessed once and filed away. A system may start as low risk, but become higher risk over time. A chatbot initially used for basic customer queries might later be connected to customer accounts, integrated with third-party AI services and used to analyse conversations for performance insights. The original DPIA may no longer reflect the true risk.

This is now one of the biggest practical weaknesses in GDPR programmes. Organisations often complete risk assessments at the start of a project, but fail to revisit them when the project changes.

GDPR compliance needs review points. These might be triggered by new data uses, new suppliers, new AI features, international transfers, changes in retention, new security risks or complaints from individuals. Without that ongoing review, organisations may be relying on outdated evidence.

Enforcement is becoming more systemic

GDPR enforcement has also matured. In the early years, much of the public attention was on the size of fines. Now, the more important issue is what regulators are investigating.

They are looking for patterns. Was this an isolated mistake, or evidence of a wider governance problem? Were staff properly trained? Was too much data collected? Were warning signs ignored? Did leadership understand the risk? Were people able to exercise their rights?

That makes weak governance harder to defend.

A one-off error can often be corrected. But repeated issues, poor records, outdated assessments or unclear ownership can suggest a deeper compliance failure.

The practical lesson for organisations

The organisations best placed to manage GDPR risk are those that understand how data actually moves through the business. That means keeping records up to date, reviewing suppliers, checking whether AI tools are being used, maintaining clear breach and rights request procedures and ensuring staff understand their role.

And training is crucial. GDPR risk often starts with everyday actions like uploading personal data into an unapproved tool, exporting a spreadsheet, sharing a file with a supplier, keeping informal employee notes or failing to recognise a subject access request.

People do not need abstract legal theory. They need practical, role-specific guidance that helps them make better decisions.

GDPR is now business infrastructure

GDPR has matured into part of the basic infrastructure of modern business. It underpins customer trust, employee rights, digital transformation, AI governance and regulatory resilience.

The organisations that manage GDPR well will not be those with the longest policies. They will be the ones that can explain their data decisions, evidence their controls, train their people and update their governance as technology changes.

Eight years on, GDPR compliance is not about proving that work was done in 2018.

It is about proving that data protection is still working today.
