skip to main content
Close Icon

In order to deliver a personalized, responsive service and to improve the site, we remember and store information about how you use it. This is done using simple text files called cookies which sit on your computer. By continuing to use this site and access its features, you are consenting to our use of cookies. To find out more about the way Informa uses cookies please go to our Cookie Policy page.

Global Search Configuration

Ovum view


After four years of negotiation of and amendments to the initial proposal issued by the European Commission in 2012, the new European General Data Protection Regulation (GDPR) is about to become a reality. It will replace a framework that dates back to 1995 and that is inevitably outdated for the digital age. However, practical implementation will be tricky in many respects and the new rules might not be as effective as is hoped. Businesses will have to deal with a framework oriented more to consumer protection, although they should be happy with the one-stop-shop principle, which could lead to significant compliance cost savings.

These rules might already be outdated for the IoT era

It has been a long time coming, but the new EU GDPR is finally set to see the light of day. It will still require a vote of the EU Parliament on the text agreed through negotiations between the European Commission, the European Council, and the EU Parliament itself, but Ovum expects the text to be adopted in the coming months. The vote will mean the passing of an unprecedented set of data protection rules – the first of the digital age, replacing a directive that is now 20 years old and was conceived when the Internet was in a very early stage of development. The old rules inevitably failed to capture the evolution in technology and user behavior and the new directive makes significant efforts to strengthen the protection of end users. These users are paying increasing attention to privacy issues and are ever more often worried about the personal data they share online.

Businesses will face much tougher sanctions than under the current framework – up to 4% of their annual worldwide turnover, which could in many cases amount to billions. However, they should be happy with the presence of the promised one-stop-shop mechanism. This should reduce the impact of compliance, because companies will mainly need to liaise with just one data protection authority for the whole EU.

However, many aspects of the new rules will be difficult to put into practice. One example is the issue of unambiguous consent. Policy-makers fail to define this clearly and it might be incredibly difficult to obtain in a few years’ time when IoT applications have become more widespread and originate an almost uncontrolled flow of personal data. Other aspects will still require individual authorities in each country to enforce the rules in detail, effectively retaining some of the inconsistencies of the current framework. For example, the age limit relating to parental consent for the use of “information society” services (i.e., social media and similar) will be set by each member state at between 13 and 16 years old. This is likely to be disruptive for both online companies and young users.


Further reading

Data Protection Tracker: 4Q15, TE0007-000955 (December 2015)

Current Status and Future Developments in Data Protection, TE0007-000812 (August 2014)


Luca Schiavoni, Senior Analyst, Regulation

Recommended Articles


Have any questions? Speak to a Specialist

Europe, Middle East & Africa team - +44 (0) 207 017 7700

Asia-Pacific team - +61 (0)3 960 16700

US team - +1 646 957 8878

+44 (0) 207 551 9047 - Operational from 09.00 - 17.00 UK time

You can also contact your named/allocated Client Services Executive using their direct dial.
PR enquiries - Call us at +44 7770704398 or email us at

Contact marketing -

Already an Ovum client? Login to the Knowledge Center now