While some might be looking for holes to pick in Europe’s General Data Protection Regulation, the rules have laid the foundations of a safer and more consumer-empowered digital economy.

The European Commission might be cumbersome, bloated and short-sighted in some areas, but GDPR should be applauded. These are rules to govern a digital economy which offer control to the consumer, forces transparency on corporations and drives regulators towards a digital mindset. The success of these rules should also be judged on those who follow; Chile, South Korea, Brazil, Japan, Kenya, India and California has all been spurred on to redraft and reimagine privacy.

However, it would be irresponsible to suggest this has been a perfect implementation.

“The GDPR has successfully met its objectives and has become a reference point across the world for countries that want to grant to their citizens a high level of protection,” said Didier Reynders, the European Commission’s Commissioner for Justice. “We can do better though, as today’s report shows.

“For example, we need more uniformity in the application of the rules across the Union: this is important for citizens and for businesses, especially SMEs. We need also to ensure that citizens can make full use of their rights. The Commission will monitor progress, in close cooperation with the European Data Protection Board and in its regular exchanges with Member States, so that the GDPR can deliver its full potential.”

Theoretically, the rules are sound, but it is the reality of GDPR which is perhaps falling short. As Reynders points out, the rules have been haphazardly applied across different European nations, while they are still overly complicated for some SMEs.

Looking at the national data protection authorities (DPA), those empowered to uphold the new digital privacy standard, there is a lot of work to be done. Budgets have increased 49% between 2016 and 2019, while headcount has increased 42%, however this is not uniform across the Union.

Open source web browser Brave has been particularly critical of the implementation of GDPR, directing disapproval towards certain nations who are seemingly non-fussed by the rules. For example, Estonia’s DPA has an annual budget of €800,000 while Romania’s has €1.3 million. These are extreme examples, but half of the nations have budgets less than €5 million, and only six have more than 10 specialist tech investigation staff.

Other questions have been raised as to whether the rules are flexible enough to deal with the introduction of new technologies.

“Whilst we’ve seen some justifiably big fines dished out, unfortunately, as organisations continue to digitally transform, the lack of clarity around new technologies like blockchain and AI is actually mostly hitting law-abiding companies that are just trying to be compliant,” said Chris Harris, EMEA Technical Director at Thales.

“We need to ensure GDPR operates as the protective bubble around personal information that we all want, without restricting the innovation and development that the world needs from these disruptive technologies.”

While it hardly uncommon for companies to poke the bureaucratic bear, progress has been made. Fortunately for everyone involved, the European Commission recognises its shortcomings in delivering GDPR, though Governments and national regulators should also shoulder their fair share of the blame.

More can be done, but it was never going to be a perfect implementation and anyone who says otherwise should not be considered a rational individual.