GDPR – The Seven Year Itch

With 2025 marking the seventh year since the implementation of the General Data Protection Regulation (GDPR), we have spoken with industry experts to gather their thoughts on the impact of the act, whether it’s still effective several years on, and what is next for data protection in the UK specifically.

GDPR: A lasting legacy

Despite many changes to the political and technological landscapes since GDPR was introduced, “its influence remains embedded in the foundations of international data protection,” according to Terry Storrar, Managing Director at Leaseweb UK. “This is particularly evident with the data centre industry and MSPs, which sit at the very heart of the UK’s and Europe’s digital infrastructure. While the regulatory landscape keeps evolving at an increasingly steady pace to keep up with new technologies, GDPR principles remain the cornerstone of data protection efforts in Europe and the UK.”

Ricardo José Garrido Reichelt, Principal Security Technologist EMEA, Office of the CTO at Commvault, agrees that GDPR remains vital. “The initiatives that GDPR started in 2018 are now being continued and updated by new regulations, such as NIS2, with the goal of encouraging companies to make their digital processes and infrastructures more robust so they can better withstand cyberattacks,” he says. “Those who have done a good job of complying with GDPR will reap the benefits when it comes to NIS2 compliance, even if some gaps remain.”

And GDPR has undeniably had a transformative impact on businesses across the UK. Glenn Akester, Technology Director for Cyber Security & Networks at Node4, points out that GDPR shone a spotlight on data protection, taking it “from a legal formality to a boardroom issue, with 74% of mid-market organisations ranking compliance with industry regulations as a priority, according to our latest research. While not always popular, it has delivered real results, and now forms the foundation for ongoing reforms via the Data Use and Access Bill to simplify compliance and reduce administrative burden. The core principles of GDPR – fairness, transparency, and accountability – remain solid. But with the rise of AI, IoT, and automated decision making, the law now needs refining to stay practical and relevant.”

The evolution of GDPR

It is clear that GDPR has transformed the way we think about data protection, and will continue to provide a crucial foundation for further legislation. The question now is, how will it inform future regulations, and what will change?

We are already seeing other, more stringent regulations coming through, such as NIS2. As Commvault’s Reichelt comments, “the reporting requirements for cyber incidents under GDPR and NIS2 are very demanding, mandating reports within 72 and 24 hours, respectively. Only those who can act immediately, remain operational and move on to attack analysis will be able to meet the tight reporting requirements. To achieve this, they should follow the concept of the ‘Minimum Viable Company.’ This concept defines in advance exactly which infrastructure and systems, applications, processes, and environments are absolutely necessary to maintain emergency operations. In contrast, companies that are not so prepared need an average of 24 days to get back up and running after a cyberattack – 24 days versus the 24 hours required by the requirement.

“NIS2 will very likely lead to an overall increase in security levels, making it more difficult for hackers and bad actors to compromise critical infrastructure. And this increased cyber resilience will ultimately be a competitive advantage. We’ve become accustomed to cyberattacks being part of everyday life. And thanks to NIS2, we’ll hopefully get used to companies being better able to withstand attacks and get back online within a few days or hours, not weeks or months.”

Leaseweb’s Storrar examines GDPR’s capacity for change, arguing that while “GDPR has certainly not stood still in past years, technology continues to outpace regulation. The rate of recent change – particularly the explosion of emerging AI technologies – highlights the many challenges regulation faces and reminds us of the importance of continued development of data protection regulation.”

Akester shares a similar sentiment, stating “GDPR does apply to AI, but its definitions are being stretched by modern AI capabilities, with regulators increasingly accepting that training data may still carry personal identifiers, even when buried deep in models. Synthetic data offers a promising privacy preserving route, but it’s underdeveloped in UK law.”

So what’s next for UK regulation?

Since leaving the EU, the UK has been able to chart its own path on regulation, and industry experts are keeping an eye on how both parties move forward with their legislation. For Storrar, “with continued calls for European data sovereignty, both the UK and EU are focussing more on digital autonomy and reducing dependence on foreign cloud providers. Growing geopolitical concerns and heavy dependencies on infrastructure outside of Europe mean that data centres and MSPs will play a critical role in enabling this shift. Considerations on where data is stored, who controls it and how it’s accessed will be crucial.”

When it comes to implementing new and updated data protection regulations, Akester believes “the UK’s current reforms aim to cut red tape while keeping core rights intact. Flexibility, such as clearer legitimate interest provisions, allows responsible innovation. The Government is also avoiding overly prescriptive AI laws (unlike the EU’s AI Act), preferring regulator led guidance – a more flexible stance which may prove to be a competitive advantage. The UK’s proposed Data Use and Access Bill is an evolution, not a rewrite, aiming for a more business-friendly, innovation-focused version of GDPR while preserving its core protections. For mid-market firms, this is a chance to simplify compliance, support innovation, and stay ahead of what’s coming.”

Storrar concludes: “In a digital landscape that is transformed by AI, cloud-native architectures, and geopolitical shifts, GDPR’s legacy is undeniable, and its continued relevance stems from its adaptability. For data centres and MSPs this means staying compliant by not just following the rules but anticipating them.”
