Ten years of GDPR: the timeline that changed European privacy
On 24 May 2016 Regulation (EU) 2016/679 — the General Data Protection Regulation (GDPR) — entered into force. From that day onwards, citizens, businesses and public administrations had two years to prepare for the new European personal data protection regime, which became directly applicable on 25 May 2018. A deadline many still remember, especially anyone who, in the final months of that two-year transition, watched dozens of «update your preferences» emails land in their inbox.
In Italy the Privacy Code (Legislative Decree 196/2003) was harmonised with the GDPR by Legislative Decree 101/2018, which integrated the Regulation into national law while preserving a Garante for the protection of personal data with strengthened powers. In the ten years that followed the Regulation’s publication, several milestones reshaped the European data geography: the Schrems II ruling by the European Court of Justice (16 July 2020) that invalidated the Privacy Shield, the new Standard Contractual Clauses adopted in 2021, the EU-US Data Privacy Framework adopted in 2023 and, finally, the publication in 2024 of the AI Act and the EDPB Opinion 28/2024 on AI models.
It is a story of continuous evolution. And precisely for that reason, it is not a story you can archive: ten years on, the GDPR is not a closed chapter — it is an operating system in permanent update.
The fines that shaped GDPR case law
The cumulative figure is striking: according to the GDPR Enforcement Tracker — the independent database maintained by CMS Legal — as of May 2026 the fines imposed across Europe have exceeded €6 billion, spread over almost 2,900 proceedings. That amount records ten years of processing activities that the law considers unlawful — or at least insufficiently protected.
The largest cases are on every compliance professional’s radar:
1. Meta Platforms Ireland — €1.2 billion (May 2023). The largest fine in the history of the GDPR, imposed by the Irish Data Protection Commission (DPC) for unlawful transfers of personal data to the United States on the basis of Standard Contractual Clauses after Schrems II invalidated the Privacy Shield. It is the price of European dependence on US Big Tech.
2. TikTok — €530 million (May 2025). Transfer of European users’ data to China without adequate safeguards. The case reopened the question of non-equivalent jurisdictions and forced boards to ask a new question: where do our SaaS providers actually store our data?
3. Meta / Instagram — €405 million (September 2022). For the processing of minors’ data. A fine whose cultural impact went beyond its financial size: product design for services aimed at minors began to treat «privacy by default» as a project variable, not a tagline.
4. TIM SpA — €27.8 million (January 2020). The highest fine in Italy, imposed by the Garante on a large telecoms operator for «numerous unlawful processing operations» related to aggressive telemarketing: contacts without consent, contaminated lists, leads aggregated from third parties with no traceability. A textbook case that put the entire Italian B2C sector on notice.
To put the Italian figure in context: according to the Enforcement Tracker, by May 2026 the Italian Garante had imposed fines for more than €311 million, distributed across 538 proceedings — placing Italy fourth in the EU by amount and second by number of fines, after Spain. Numbers that should suggest caution, not complacency.
Privacy as a «nuisance»: a culture still immature
That said, there is an uncomfortable truth that anyone working with Italian SMEs knows well: ten years in, the GDPR is still seen in many companies as a bureaucratic nuisance. A chore to be outsourced to the external consultant who also looks after workplace safety — the same one who installs fire extinguishers, checks the ergonomic chair, and «while we’re at it, sorts out privacy too».
The script is familiar: pre-printed forms identical across industries (from a mechanical workshop to a dental practice), privacy notices copy-pasted from one client to the next, Records of Processing filled in once and never updated, controller-processor appointments that no one has ever read. The people having them signed don’t know what the documents say; the people signing them file them away without reading. When an employee or a customer asks for clarification, the answer is a variation on the same theme: «Sorry, it’s this privacy nonsense — though I bet you go and put your photo on Facebook anyway».
It is a schizophrenic attitude — fretting about the signature on a pre-printed form while ignoring the data left scattered across social networks, free SaaS tools and unofficial work chats — and it has a precise root: in ten years, most Italian SMEs have never invested in a privacy culture. They have invested (little) in formal compliance, often outsourced to non-specialist third parties. The result is apparent compliance that the first serious audit, or the first real incident, dismantles in hours.
The good news: companies that treated the GDPR as an opportunity to reorganise their processes — rather than as a chore — are at an advantage today. They use the Record of Processing as a real operating tool, they know where the data is, they have structured DPAs with cloud providers, they handle data breaches with rehearsed processes. And when NIS2, ISO 27001 or the AI Act show up, they already have the map.
SME privacy maturity: where we are in 2026
Official figures describe a slow but steady maturation. According to its 2024 annual report to Parliament, the Garante for the protection of personal data handled over 4,000 complaints, adopted 835 measures (468 of them corrective or sanctioning), carried out 130 inspections and imposed fines for around €24 million. A significant share is concentrated on aggressive telemarketing (more than €6 million in 2024 alone) and on mismanaged data breaches.
On the SME side, the picture is consistent with what the Cyber Index PMI 2026 shows for cybersecurity: only 16% of Italian SMEs have an adequate security posture, and the figure drops sharply for micro-enterprises with fewer than ten employees. Privacy and security are two sides of the same coin: companies that are mature on both are still a qualified minority.
The recurring issues that emerge from Garante inspections and sector audits are always the same: incomplete or outdated Records of Processing, generic privacy notices to data subjects, missing DPIAs on high-risk processing (CCTV, biometrics, customer profiling), non-existent or boilerplate processor contracts (DPAs), staff training reduced to an annual email.
GDPR, NIS2 and ISO 27001: three converging pillars
The real innovation of the next decade will not be a new add-on regulation, but the convergence of frameworks that today still feel separate in many decision-makers’ minds. GDPR, NIS2 and ISO/IEC 27001:2022 converge on one operational point: information security as a continuous process.
- Article 32 GDPR. Requires technical and organisational measures «appropriate to the risk». A deliberately broad formulation that leaves the controller with the responsibility — but also the duty to document — to choose which measures to adopt.
- Article 21 of the NIS2 Directive (Legislative Decree 138/2024). Imposes proportionate cyber risk-management measures, with an explicit list of domains (incident handling, continuity, supply chain, training, cryptography). See also our deep dive on CSIRT outsourcing.
- ISO/IEC 27001:2022 — control A.5.34. «Privacy and protection of PII» is one of the 93 operational controls in the 2022 revision of the standard. For those certified to ISO 27001 — AtWorkStudio is, alongside the 27017 and 27018 cloud-services standards — privacy and security oversight is an integral part of the Management System, not a parallel activity.
The strategic value of treating the three frameworks as a single programme is huge: the same risk assessment feeds GDPR, NIS2 and ISO 27001; the same incident response procedure covers personal data breaches (GDPR) and significant incidents (NIS2); the same supplier governance answers art. 28 GDPR (DPA) and art. 21 NIS2 (supply chain). Three obligations, one operating machine.
The challenges of the next decade: AI Act, LLMs, deepfakes
The 2016 GDPR was drafted in a pre-LLM, pre-deepfake, pre-generative-AI world. The principles it established — minimisation, purpose limitation, lawful basis, accountability — have held up, but the processing technologies have changed radically. The challenges of the second decade are at least five.
1. Training AI models on personal data. With Opinion 28/2024 the EDPB clarified that training an AI model on personal data requires a specific lawful basis (legitimate interest or consent) and that the output may still contain identifiable personal data even when the dataset has been anonymised. For SMEs, every new AI tool (in-house or SaaS) must be assessed with the same rigour as a traditional DPIA.
2. Scraping of public data for lead generation and marketing. In 2026 the Italian Garante already sanctioned an Italian company for harvesting personal data from social media for lead generation. «Public» data does not mean «freely usable»: the original purpose still matters, decisively.
3. Deepfakes and synthetic biometric data. A cloned executive voice, synthetic video of a CEO, realistic wire-transfer confirmations on the phone: synthetic biometric data falls within both the GDPR perimeter and the AI Act, as a high-risk category.
4. Personal liability of directors and managers. Article 23 of Italian Legislative Decree 138/2024 (NIS2) introduced personal liability of administrative bodies for breaches of cyber risk-management duties. A 2026 ruling of the Court of Auditors in Bolzano applied the same principle to privacy fines in public healthcare. It is a paradigm shift.
5. Data sovereignty and European cloud. After Schrems II and the EU-US Data Privacy Framework, the «where» of data has returned to centre stage. Our stance is clear: cloud on European data centres, encryption in transit and at rest, privileged access control, periodic audits.
What to do today in SMEs: a 5-point checklist
For anyone who wants to step out of the «pre-printed form» logic and do it properly, here is an operational checklist for 2026.
1. Update the Record of Processing. Not as a formal exercise, but as an operational map: every new SaaS tool, every new supplier, every new marketing activity must be reflected in the Record within 30 days. Without a map, there is no governance.
2. Run DPIAs on high-risk processing. CCTV, biometrics, profiling, automated decision-making, processing of minors’ data, generative AI applied to customers: all of this requires a DPIA — written, archived, kept up to date.
3. Review supplier contracts (DPAs, art. 28). Cloud, SaaS and managed-service providers in particular must be governed with targeted DPAs defining security measures, sub-processors, data location. For NIS2-scoped entities, this also ties into the listing of relevant suppliers on the ACN platform.
4. Train staff — seriously. Not a PDF to sign once a year, but periodic sessions with real cases: phishing drills, incident response simulations, exercises on responding to data-subject rights requests (access, erasure, portability). Untrained staff is the leading root cause of data breaches.
5. Integrate GDPR and NIS2 incident response. A data breach can be reportable both to the Garante (within 72 hours) and to CSIRT Italy (pre-notification within 24 hours, formal within 72 hours). A single internal procedure can serve both channels — provided it is tested, not just written.
How AtWorkStudio supports GDPR-by-design
AtWorkStudio does not provide generic GDPR consultancy and is not a privacy firm. Our contribution is technical and operational: we process customer data as a processor (art. 28 GDPR) and provide an infrastructure that, by design, reduces the privacy attack surface. For customers who choose us as a qualified supplier, the fact that we operate with ISO/IEC 27001, 27017, 27018 and ISO 9001 certifications, ACN QC1 qualification on cloud SaaS services, and a public, contractually binding technical and organisational measures document drastically reduces the compliance friction on the customer side.
We have been operating from Piacenza since 2000. We are certified ISO/IEC 27001, 27017, 27018 and ISO 9001, ACN-qualified for cloud SaaS services, members of Clusit (Italian Association for Information Security) and affiliated to Confindustria Piacenza in the RICT cluster. For us, the GDPR is an operating system that has been running for ten years — and that we will keep running every day.
Sources
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR) — entered into force on 24 May 2016, applicable from 25 May 2018
- Italian Legislative Decree 196/2003 (Privacy Code) and Legislative Decree 101/2018 harmonising it with the GDPR
- GDPR Enforcement Tracker — CMS Legal, cumulative statistics as of May 2026 (over €6 billion across 2,888 proceedings)
- Italian Garante for the protection of personal data — 2024 annual report to Parliament (835 measures, €24 million in fines)
- Italian Garante measure no. 7/2020 — €27.8 million fine to TIM SpA for unlawful telemarketing
- European Data Protection Board (EDPB) — binding decision on the €1.2 billion fine to Meta Platforms Ireland, 12 May 2023
- EDPB — Opinion 28/2024 on the processing of personal data in AI models
- Schrems II ruling — Court of Justice of the EU, case C-311/18, 16 July 2020
- Italian Legislative Decree 138 of 4 September 2024 — Italian transposition of the NIS2 Directive, arts. 21 and 23
- Regulation (EU) 2024/1689 (AI Act)
- ISO/IEC 27001:2022 — control A.5.34 «Privacy and protection of PII»
- Clusit Report 2026 — Italian Association for Information Security
- Cyber Index PMI 2026 — Confindustria