Data Privacy and Security in the Digital Age: Legal Duties under the GDPR and Emerging Challenges


Abstract
In an era defined by digital transformation, the protection of personal data has become a critical concern. With cyberattacks and data breaches rising sharply, the importance of data privacy and security has gained global recognition. The General Data Protection Regulation (GDPR), introduced by the European Union, sets out stringent obligations for organizations handling personal data, demanding both robust data security and respect for individual rights. This article explores the key legal duties imposed by the GDPR on data controllers and processors, focusing on Articles 5, 6, and 32. It examines the nature of contemporary cybersecurity threats, evaluates landmark enforcement cases such as Google LLC v CNIL and the H&M breach, and assesses the challenges faced by organizations in achieving compliance. Through legal analysis and practical insights, the paper concludes with recommendations for safeguarding privacy and maintaining accountability in the face of evolving digital risks.

Introduction
Personal data is a valuable asset in today’s digital economy, but it also represents a significant risk when improperly handled. The explosion of data-driven technologies has dramatically increased the volume, sensitivity, and exposure of personal information, making it a prime target for malicious actors. Major data breaches have affected millions of individuals and raised critical questions about accountability and legal protection.

The General Data Protection Regulation (GDPR), effective since May 25, 2018, represents the European Union’s response to these concerns. It seeks to harmonize data protection standards across member states and grant individuals greater control over their personal information. This paper examines the legal duties under the GDPR related to data privacy and security, outlines the threat landscape, and identifies key compliance challenges. It argues that while the GDPR provides a strong framework, ongoing diligence and adaptation are required to uphold privacy in an era of constant digital change.


Legal Background: GDPR and Data Protection Obligations
The GDPR applies to any entity that processes the personal data of individuals within the European Economic Area, regardless of where the organization is based. The regulation establishes a wide array of obligations for both data controllers (those who determine the purpose and means of processing) and processors (those who handle data on behalf of controllers).

Core Principles (Article 5)
Article 5 of the GDPR outlines fundamental principles for data processing:

  • Lawfulness, fairness, and transparency
  • Purpose limitation
  • Data minimization
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality
  • Accountability

These principles must be embedded into every stage of data processing and supported by clear documentation and policies.

Lawful Basis for Processing (Article 6)
Organizations must establish a lawful basis for processing personal data. Common bases include:

  • Consent
  • Performance of a contract
  • Legal obligation
  • Vital interests
  • Public interest
  • Legitimate interests of the controller, balanced against individual rights

Security of Processing (Article 32)
Article 32 mandates the implementation of appropriate technical and organizational measures to ensure a level of security appropriate to the risk. This includes:

  • Pseudonymization and encryption
  • Ensuring confidentiality, integrity, availability, and resilience of systems
  • Ability to restore data access in case of an incident
  • Regular testing and evaluation of security measures

Modern Threat Landscape and Legal Implications
The threat landscape continues to evolve. In recent years, ransomware, phishing, insider threats, and supply chain attacks have dominated headlines. The MOVEit breach (2023), for example, affected governments and private firms across multiple countries, exposing sensitive personal and corporate data. Under the GDPR, such incidents trigger significant obligations, including breach notification within 72 hours (Article 33).

Other recent cases include the 2023 ransomware attack on the UK's Royal Mail, which temporarily halted international deliveries and led to potential exposure of customer data. Similarly, the 2023 data breach at Latitude Financial in Australia, which compromised sensitive information of over 14 million individuals, demonstrates how even sophisticated organizations can fall victim to evolving threats. These cases highlight the urgent need for organizations to go beyond compliance and implement holistic security practices that encompass prevention, detection, and response.

Controllers and processors must not only prevent breaches but also prepare for them. Non-compliance can result in severe fines—up to €20 million or 4% of global annual turnover, whichever is higher. In addition to financial penalties, data breaches erode public trust and can result in long-term reputational damage that affects business continuity and customer loyalty.

Case Study 1: Google LLC v CNIL (2019)
This landmark case involved a dispute over the scope of the "right to be forgotten." The French regulator, CNIL, had ordered Google to delist certain search results not just within the EU, but globally. The Court of Justice of the European Union (CJEU) ruled that the GDPR does not require global de-referencing, highlighting the balance between data protection and freedom of expression. This case underscored the GDPR’s extraterritorial limits and emphasized proportional enforcement.

Case Study 2: H&M GDPR Fine (2020)
In Germany, clothing retailer H&M was fined €35.3 million for excessive and covert surveillance of employees, including the recording of health and family information. The company failed to demonstrate a lawful basis or data minimization, violating Articles 5, 6, and 9. This case illustrated the importance of transparency and appropriate access controls within internal data governance. In response, H&M implemented training programs and a new privacy compliance infrastructure—emphasizing that remediation is an essential element of enforcement.

Recent Legal Commentary (2023–2024)
Recent scholarship has focused on the GDPR’s adaptability to AI and big data environments. Peoples (2025) argues that while the GDPR offers a strong base, the complexity of algorithmic systems introduces accountability gaps that traditional compliance tools cannot fully address. Similarly, Barrett (2023) emphasizes the need for dynamic risk management and the integration of privacy-by-design in modern systems.

Other scholars, such as Munde and Koller (2023), have explored the intersection of GDPR and cybersecurity frameworks such as ISO/IEC 27001. Their work underscores the benefits of aligning legal compliance with technical standards, promoting a cohesive approach to risk management and privacy assurance. Gervais (2017) provides a broader copyright-focused lens, suggesting the need for international reform to accommodate digital shifts, while Bygrave (2014) outlines foundational principles of data privacy law that remain relevant in today’s regulatory landscape.

Compliance Challenges and Best Practices
Despite legal clarity, organizations often struggle to implement GDPR-compliant systems. Common issues include:

  • Inadequate risk assessments
  • Over-reliance on outdated security technologies
  • Failure to keep policies and procedures updated
  • Poor employee training on data handling
  • Lack of integration between legal, IT, and operational departments

Best Practices Include:

  • Data Protection Impact Assessments (DPIAs): especially for high-risk activities (Article 35)
  • Strong Access Controls and Encryption: to protect integrity and confidentiality
  • Regular Audits: to evaluate system resilience and policy effectiveness
  • Clear Breach Response Plans: including timely notification and mitigation
  • Training and Awareness Campaigns: to instill a culture of privacy across the organization
  • Adoption of Privacy-Enhancing Technologies (PETs): such as homomorphic encryption and federated learning to minimize exposure
  • Alignment with International Frameworks: including ISO/IEC 27001, NIST Cybersecurity Framework, and ENISA guidelines

These measures, when integrated into a comprehensive data governance strategy, enhance not only compliance but also operational resilience and trust.

International Perspectives on Data Protection
While the GDPR remains a gold standard for data privacy, global counterparts offer varying degrees of protection. For instance, the California Consumer Privacy Act (CCPA) grants U.S. consumers rights similar to those under the GDPR—such as the right to know, delete, and opt out of data sales—but it lacks the GDPR’s comprehensive structure and strict breach notification timelines. Meanwhile, China’s Personal Information Protection Law (PIPL), enacted in 2021, emphasizes state oversight and requires localization of sensitive data. These legal variations present a challenge for multinational companies, which must navigate multiple regulatory frameworks. However, convergence on principles like data minimization and user consent indicates a growing global consensus on core privacy values.


Conclusion
While the GDPR represents a landmark effort in regulating data privacy, its implementation in the digital workplace reveals a number of unresolved tensions. Legal compliance often lags behind technological innovation, leaving gaps in areas such as AI-driven decision-making, algorithmic transparency, and international data transfers. Despite its strong foundational principles, the GDPR alone cannot address all emerging threats—particularly those stemming from opaque algorithms and the global nature of data ecosystems.

Organizations frequently treat compliance as a checkbox exercise rather than a dynamic, ethical responsibility. This reactive mindset undermines both employee trust and long-term legal resilience. Moreover, the increasing use of workforce analytics, biometric monitoring, and predictive systems raises serious concerns about proportionality, informed consent, and surveillance creep—issues that the current legal framework only partially addresses.

Looking forward, a more integrated approach is needed—one that combines legal rigor with ethical foresight and technical innovation. European lawmakers must continue to refine the GDPR in light of real-world challenges, ensuring that enforcement mechanisms keep pace with data practices. At the same time, organizations should not wait for legal mandates to act. Proactive engagement with data ethics, transparent governance, and inclusive policy-making will be essential in shaping a digital future that respects both innovation and individual rights.
