Marking 10 years of the GDPR: the evolution of the European data protection landscape

This publication from the European Data Protection Board marks the tenth anniversary of the GDPR by reflecting on its evolution and current enforcement priorities. While no new legal text or binding guidelines were issued, the EDPB uses this milestone to reaffirm key areas of focus: the increasing importance of data protection by design and default, the need for robust accountability measures, and the growing scrutiny of algorithmic decision-making and AI systems. The document signals that supervisory authorities are now more coordinated and aggressive in cross-border enforcement, particularly regarding large-scale data processing and the use of personal data for training AI models.

All organizations processing personal data of individuals in the EU remain affected, but the EDPB specifically highlights sectors heavily reliant on automated profiling and high-risk processing, such as technology companies, financial services, healthcare, and digital advertising. Small and medium enterprises are also reminded that the principle of accountability applies proportionally, meaning they cannot rely on limited resources as a blanket excuse for non-compliance.

Compliance teams should immediately review their data protection impact assessments, especially for any AI or machine learning projects, and ensure that records of processing activities are up to date. Teams should also verify that their data protection officer is adequately resourced and that internal procedures for handling data subject requests are efficient. Finally, organizations should prepare for more frequent and coordinated audits by national supervisory authorities, particularly around the transparency of automated decisions and the lawful basis for data use in emerging technologies.