Regulators can be pleased with the magnitude of engagement with GDPR, and the fact it has helped to tip the dialogue in favour of privacy having a fundamental role in society.

The media agenda has shifted; consumers now increasingly expect transparency and more careful management of their data, and tech leaders have spoken openly about the importance of trust and putting privacy first.

The GDPR may also turn out to be one of Europe’s biggest exports: it is now inspiring (or at least informing) similar laws around the world, from India to China, from California to Brazil.

The EU regulators have introduced a pioneering piece of legislation that looks likely to set the bar for data privacy standards around the world, and offers opportunities for closer working practices among international privacy professionals in business and the regulators they engage with.

Six months on, regulators will expect firms' GDPR teething issues to be resolved. But the truth is that firms have been distracted by privacy and cookie policy concerns and simply aren't doing enough to ensure data is held securely and only available to those authorised.

Firms are still too reliant on in-house systems where data protection does not form part of the fabric of the technical architecture.

And worse, many still use spreadsheets and email as methods of storing and distributing sensitive data. Until these issues are addressed, firms are continuing to leave themselves exposed to a breach of terms and potentially damaging fines.

From what we have seen at Exonar, although most organisations have made some changes, as May passed many relaxed into a status quo where they have accepted their steps towards compliance but very few have fully achieved or are executing on a plan which takes them to full compliance.

Our view is that at the very least organisations should have a reliable system for identifying and mapping the personal data that they hold so that they can fully understand their risk.

Businesses have survived six months of GDPR, and now it’s time for them to start focusing on the finer details to make sure they are implementing it in a practical way for their customers too, preventing any headaches further down the line.

The right to data portability is one of the most fundamental, but also most contentious rights within the GDPR.

In an attempt to be GDPR-compliant, businesses scrambled to put together some form of data portability. Despite aiming to benefit consumers, they are instead being put at risk.

There are three main issues relating to data portability: usability, context and security. Yet data is being provided in difficult-to-decipher spreadsheets – making it hard for consumers to do anything with them.

On the security side, current processes are forcing consumers to take responsibility for something they aren’t qualified to do.

Current tools are falling short of what is required by law, and what is expected by customers.

Complaints to the Information Commissioners’ Office (ICO) about potential data breaches have more than doubled since GDPR came into force. This suggests it’s working in terms of tightening security around personal data and raising awareness of the importance of this.

However, it also indicates that GDPR has not fully succeeded in bringing organisations in line with its requirements. Enterprises of all sizes, in all sectors, continue to be caught out by basic gaps in their security strategies.

Research carried out by Apricorn in May found that two thirds of UK companies were not confident they’d be fully compliant with GDPR in time for the deadline. More than 80% cited at least one area in which they believed they might fall short, with a lack of understanding of their data the top-ranking concern. In light of this, it’s very likely that many organisations are still not operating completely within the guidelines.

Since GDPR took effect in May, it has been omnipresent in the lives of marketers, consumers, publishers, and brands across industries. Three months in, only 20% of companies were compliant, globally, and many still haven’t set themselves up to be accessible within the European market.

With that said, while many across the EU have endured an influx of emails, there’s a strong opportunity presented here by regulators. We’re not only seeing a shift in power in favour of the consumer, but also the ability for companies to highly target those consumers interested in their products and services. By engaging with more relevant audiences, brands in all sectors are in a better position to reach their end users and improve their bottom lines.

While regulators may continue to struggle with the nitty-gritty details of GDPR’s implementation, I think its original intended outcome has been quite successful to date, and will see increasing success as companies globally adopt the regulations.

There is no doubt that the implementation of the GDPR back in May has helped encourage businesses to gain consent before marketing to individuals and ensure they protect collated data.

However, there is still a large amount of work to be done to reach the desirable outcome intended by the regulators, with most concern being placed on monitoring the security of one’s own enterprise.

Six months on, there are clear signs that businesses are searching for ways around GDPR as their business model relies on the selling and operating of customer data.

Much to the dismay of the regulators, businesses are sending out more encrypted data back to browsers and claiming legitimate consent through the acceptance of “cookies” - a step back from the intended, clear opt-in businesses have been asked to gain and provide proof of.

GDPR has certainly been a step in the right direction, but there’s still some creases to be ironed out to ensure a smooth, GDPR complaint business world.

GDPR has certainly made organisations much more aware of the importance of securing and processing PII than before its introduction – so if its aim was to raise awareness, it has definitely done so.

Everyone still seems focused on GDPR requirements and therefore designing their systems with data protection in mind, organisations have their DPOs in place and in most organisations the awareness of GDPR goes up to board level.

There is still some level of confusion on lawful basis and legitimate interest, but this is slowly decreasing as things settle down.

We need to judge the GDPR against its aims - to protect individuals’ personal information and to give those individuals rights in relation to that information.

The number of data breaches reported to the regulator each month suggests that personal information is not getting the protection the GDPR demands. At the same time, whilst individuals may be more aware of the importance of protecting their personal information, those same individuals are not typically aware of all their rights in relation to it.

Unfortunately, the GDPR to most people still means those annoying pop ups on websites related to marketing preferences or cookies.

There is still some way to go for the GDPR to meet its aims.

The answer, I am afraid, is only partly. Many companies have been waiting to see how many Data Subject Requests they would receive before deciding how much to invest in their GDPR projects.

This is short-sighted as most fines to date have started from a data breach, so the accurate storing, deleting and protection of personal data is crucial, not only for compliance, but to a firm’s bottom line and this is not driven by the number of Data Subject Access requests.

The key question is though, why are consumers not making more requests? This is partly down to the difficult process some companies put in place to make a request and consumer awareness. In the US, there is a new regulation called CCPA (Californian Consumer Privacy Act) which requires companies to have a “Do not sell my data” button clearly marked on their website.

Having such an easy to access feature will surely drive higher usage, which is what the regulators wanted with GDPR.

Pre-GDPR consumers were unaware of how their data was being used. Now, in the age of big data and machine learning, data can be used in a multitude of ways, yet GDPR has not properly addressed the issue of ‘tacit’ consent.

Since GDPR was introduced, we’ve seen the impact other firms have had whose business models rely on acquiring consumer data at scale. We’ve watched as tech titans adjust their framework to allow users to be in control of their data, rather than businesses. But even with consumers having the power to hold companies accountable, we are still seeing the ineffectiveness of GDPR.

With companies still having over a year left to get their businesses following the new set of rules, we hope that soon we will see whether marketers and consumers have mutually benefitted from the legislation.

For now, we can still expect to see a flurry of activity, as individuals and firms argue whether or not their interpretation of GDPR requirements is the correct one.

From a cybersecurity perspective, contrary to what headlines may suggest, my experience has been that many organisations have noticeably improved their security posture or, at the very least, are paying closer attention to how they store, transmit, and process personally identifiable information.

While GDPR didn’t prescribe what good looks like or even what bad looks like, it does appear that its overarching mandate, in combination with its clarity of potential ramification has been the right recipe to wake many businesses from their cyber security slumber.

GDPR has forced a long-overdue shift towards viewing consumers as individuals, with different needs, preferences and privacy concerns.

Overall this has to be a positive signal that demonstrates that the digital advertising marketplace is growing up and taking consumer concerns seriously.

The response of websites has varied widely with some large US based publishers even deciding to ignore European audiences altogether.

The next hurdle to overcome for the digital advertising ecosystem will be the ePrivacy directive and the resulting potential for much more power to be put in the hands of the browsers.

As we have seen with Safari browser cookie restrictions this year, this could result in further significant changes in the marketplace, so it’s essential that brands and agencies are ready for that. We think that the ability to target user intent in real time will be one of the ways in which the advertising ecosystem adapts to this change.