THE GOOD… AND THE BAD

Lack of clarity around certain new technologies is hitting many law-abiding companies trying to be compliant with the GDPR

More than two years after the EU introduced the General Data Protection Regulation (GDPR), a report from the European Commission on the regulation's progress makes for interesting reading. In it, the commission speaks of the many positives delivered. "Citizens are more empowered and aware of their rights. The GDPR enhances transparency and gives individuals enforceable rights, such as the right of access, rectification, erasure, the right to object and the right to data portability. Individuals also have the right to lodge a complaint with a data protection authority and to seek an effective judicial remedy."

Today, around 69% of the EU population aged 16 and over are said to have heard of the GDPR, and 71% to have heard of their national data protection authority, according to results published in a survey from the EU Fundamental Rights Agency. "The GDPR has empowered individuals to play a more active role in what is happening with their data in the digital transition."

While the GDPR has been widely celebrated, and even mirrored elsewhere, such as by the California Consumer Privacy Act in the United States, it is also clear that the EU needs to take additional steps to make it a more effective deterrent, according to Chris Harris, EMEA technical director at Thales.

"Since its inception, there have been murmurs about its effectiveness, due to lack of clarity on compliance and fears around the resources and power each data protection authority (DPA) has to track and investigate the number of breaches that occur in their country. This is something that should have been sorted from the start, and not something that we are still talking about more than two years later - four plus, if you include the transition period!"

Harris acknowledges that some hefty fines have been justifiably handed out, which have caught the headlines and made an impression. But he also points out that, as organisations continue to digitally transform, the lack of clarity around new technologies such as blockchain and AI is mostly hitting law-abiding companies that are simply trying to be compliant. "We need to ensure GDPR operates as the protective bubble around personal information that we all want, without restricting the innovation and development that the world needs from these disruptive technologies.

"Smaller companies may have found compliance harder, not only due to the complexity and potentially onerous nature of the requirements, but because many vendors with GDPR-focused solutions were understandably scaling their offerings for the larger organisations. With a continued increase in the migration to the cloud, this has perhaps now become simpler with the advent of solutions such as cloud-agnostic key management solutions and subscription-based data-protection-on-demand services."

To be truly effective, the EU needs to give clearer instructions on how to be compliant that are consistent across every member state, he adds, "while giving local DPAs more resources to pursue heavy penalties against companies that are intentionally putting their customers' data at risk".