Report
Description

The General Data Protection Regulation (GDPR) is a comprehensive data protection law designed to give individuals greater control over their personal information and to hold organisations accountable for the way they collect, use, and store personal information.

Multiple challenges with the enforcement and application of the GDPR have put its success at risk. People have made use of their GDPR rights and filed complaints, but they can wait months, if not years, to see a remedy for data protection violations. Companies have become more aware of the need to consider privacy and data protection, but many have chosen a 'risk-based approach' to compliance, deciding which GDPR measures they will or will not comply with, in the hopes of avoiding heavy fines. These companies have not only put people's rights at risk, but in some cases may have gained an unfair advantage over companies that do make the effort to fully comply with the law.

The EU must ensure that the GDPR is a success to protect individuals' fundamental right to data protection and privacy, to ensure fairness in the digital economy, and to confirm its role as global leader in the protection of personal data. The GDPR is already a legislative success: now it needs to become an enforcement success story.

In this report, the author reflects on the importance of getting the enforcement right before providing concrete recommendations to improve the system.

Publication Details
Access Rights Type: open