Four years of GDPR

Anshul Bharadwaj
3 min readMay 13, 2022


May 25, 2022 will mark the 4th anniversary of General Data Protection Regulation (GDPR) — the toughest privacy & security law in the world. The basic protocols of GDPR are targeted at how the companies around the globe will operate their client’s personal information legally within the EU.

GDPR imposes a uniform data protection law all over the EU so that each member state no longer ought to implement its own data protection law and the fact one law is harmonious across the entire EU.

It requires the companies to protect personal data and privacy of EU citizens. GDPR provides protection to Personal Data (name, home/office address, various ID numbers), Tech Data (cookies, IP address, etc.), Medical & Health Data, Biometric Data, Ethic Groups, one’s Political views, among others.

GDPR replaced EU’s old Data Protection Directive of 1995. As per the GDPR, companies are required to safeguard personal data and privacy of all EU citizens, in and outside of EU as the GDPR has an “extra-territorial effect” as said under Article 3 of GDPR. As per Article 23 & 30 of GDPR, the companies operating in EU need to come up with a measure to protect the client’s personal data against loss or exposing.

Companies operating in EU must appoint a Data Protection Officer (DPO) who will make sure the company is meeting with the regulations of the GDPR and that the data protection program of the organization is as per the GDPR compliance.

Since its implementation more than 2,50,000 data breaches have been reported and over 500 fines have been so far, which no doubt has a revenue of over hundreds of millions. 20 million euros or 4% of worldwide revenue is the highest fine under the GDPR. Google, Tim-Telecom Italia, Marriott International Hotels, H&M and British Airways are the major corporations that have been fined under GDPR. Recently, Ireland’s Data Protection Commission fined Twitter USD 547,000 for violation of not reporting a data breach in accordance with the GDPR.

The EDPB — European Data Protection Board has published many guidelines over the last 3years which makes the GDPR the toughest privacy & security law in the world. In the long term, we can expect the GDPR to much more focus on issues like biometric data, AI & its compatibility like how much you can depend on AI.

Apart from GDPR, 12–14% of nations have one or other data privacy & protection law. statistically 70–75% of the world jurisdiction will have a data protection law by 2024. Countries like India, Brazil, Argentina, etc. have started drafting & enacting data protection laws post GDPR. India have recently drafted the bill — The Data Protection Bill 2021.

GDPR, has no doubt raised consciousness amongst the nations on how to act in accordance with rules regarding processing of personal data and the need for a data protection law.



Anshul Bharadwaj

Lawyer, Travel & Wildlife Photographer, Author 2x Photography Books, Aviation Geek