The General Data Protection Regulation (GDPR), which took effect in May 2018, marked a major turning point in how organisations manage data security. Seven years on, the picture is mixed. While GDPR has undoubtedly improved the protection of personal data across Europe, compliance and security challenges remain significant for most organisations. A 2025 survey by Gartner shows that 58% of organisations still view GDPR compliance as a major priority, while 42% report experiencing significant difficulties implementing it.
Concrete advances from GDPR
GDPR has fundamentally changed organisational practices. First, it mandated data traceability, requiring organisations to document precisely who processes what, and why. Second, it strengthened individual rights: access, the right to be forgotten and data portability. These rights forced organisations to modernise their IT systems and processes. Third, GDPR requires breach notification within 72 hours, pushing companies to invest in intrusion detection and incident management. According to France’s National Commission for Data Protection (CNIL), France records approximately 800 breach notifications per year, a figure that reflects better detection rather than an actual increase in incidents.
Persistent gaps
Despite these advances, significant gaps remain. Many organisations take a purely documentary approach to GDPR without implementing genuine security mechanisms. A 2025 analysis by Forrester found that 47% of European companies report not having conducted a complete audit of their personal data in three years. Moreover, subcontracting creates grey areas: security responsibilities are not always clearly defined between controller and processor. Small organisations in particular lack the resources to implement a truly robust security architecture, even when they acknowledge the legal obligation.
Toward regulatory strengthening
The Network and Information Security Directive (NIS2), which applies from 2025 across Europe, complements GDPR. It imposes stricter security obligations on certain sectors such as healthcare, energy and finance. GDPR and NIS2 now form an integrated framework: the first protects individual rights, the second ensures system resilience. Organisations must align their security strategies with both texts, which requires a holistic view of cyber risk and a compliance culture embedded at management level.
