The European Union’s data protection legislation raised the bar for how organisations manage personal data. For companies, however, especially small businesses, complying with the rules has been anything but easy. Yelena Smirnova and Victoriano Travieso-Morales explain the hidden complexity of GDPR, seven years after its launch.
Since coming into force on 25 May 2018, the General Data Protection Regulation (GDPR) has profoundly changed how personal data is handled across Europe. Prior to GDPR, data protection laws varied significantly between EU member states. Most were based on the 1995 Data Protection Directive, which offered general principles but left much to national interpretation. As a result, enforcement was uneven, and many organisations collected and used personal data with little transparency, minimal user consent and inadequate security measures. Individuals had limited awareness of how their data was being used, and in many cases, there was no real way to access or delete it.
GDPR was introduced to fix that. It created a single, harmonised legal framework across the EU, raising the bar for how organisations manage personal data. It requires companies to obtain explicit and informed consent, explain why and how they process data, and take greater responsibility for keeping it secure. Data subjects now have the right to access, correct, transfer and request the deletion of their data.
The goal of the new regulation was to bring privacy laws into the digital age and give people more control over their information. And while that vision has been widely welcomed, the path to compliance hasn’t been easy, especially for small and medium-sized enterprises (SMEs). For many, GDPR has felt less like a roadmap and more like a maze: full of complex rules, legal uncertainty, and costly technical demands.
Why compliance is difficult
In our research, we analysed 16 academic studies that explore the challenges businesses face when trying to comply with the GDPR. Our findings reveal a far more complex reality than the simplistic explanation of “not knowing the law”: a wide range of challenges that still need to be addressed.
Four dimensions
Our analysis identifies four main types of challenges that businesses face in implementing the GDPR: technical, legal, organisational, and regulatory.
Figure 1. Four key GDPR compliance challenges

Technical challenges
Technical challenges often stem from outdated systems, complex IT infrastructures, and the rapid adoption of new technologies such as blockchain and the Internet of Things (IoT). Although these innovations are transformative, they were not built with GDPR in mind.
Take blockchain, for example. Its strength lies in its immutability, but that same feature directly contradicts the GDPR’s “right to be forgotten.” Once personal data is recorded on a blockchain, deleting it becomes virtually impossible. IoT devices present a different kind of problem: they often collect personal data passively, without providing users with a straightforward way to access or manage that data. As a result, even well-established companies may struggle to meet GDPR requirements such as obtaining user consent and ensuring data portability.
Legal challenges
Legal challenges arise from the regulation’s often vague or ambiguous language, which leaves room for multiple interpretations and creates uncertainty about what exactly is required.
For instance, terms like “legitimate interest” or “undue effort” are broad and lack precise legal definitions. A company might think it can rely on legitimate interest in sending marketing emails, only to find that regulators or customers disagree, which may potentially result in complaints or fines. Similarly, the regulation requires businesses to respond to data access or deletion requests “without undue delay,” but what counts as “undue”? Having no clear answers, many companies, especially those without in-house legal expertise, turn to external legal advice, which can be expensive and still leave them unsure, especially when GDPR needs to be aligned with other regulations, such as national labour laws or freedom of expression rights.
Organisational challenges
Organisational challenges refer to the internal difficulties and day-to-day struggles companies face when trying to comply with the GDPR. It’s not just about legal checklists. It’s about rethinking how the entire organisation handles data. That means dealing with a lack of internal expertise, working within tight budgets, adapting existing processes, ensuring good governance and making sure third-party vendors are also up to standard. For many companies, especially smaller ones, this kind of change affects almost every part of the business, and such transformation is never easy.
Imagine a mid-sized retailer that receives a request from a customer to delete their data. Responding within the legally required 30 days might sound simple, but in practice, it can be challenging. It could mean reworking internal workflows, investing in new software, and training customer service teams – all while continuing to serve customers and manage day-to-day operations. Many businesses, especially SMEs, don’t have dedicated data protection officers or compliance staff, which makes it even harder to stay on top of these demands.
Regulatory challenges
Regulatory challenges come from the complexity of the GDPR itself and the lack of accessible support for those attempting to comply with it. While large corporations can afford consultancy services or have dedicated compliance teams, many SMEs report feeling isolated and abandoned when trying to interpret and implement the regulation on their own.
A small e-commerce business, for example, might receive a warning from a national data protection authority for how it handles cookie consent. But when it looks for help, it may find that the available guidance is outdated, overly technical, or too general to apply to its specific case. In the early years of the GDPR, guidance often came late or was inconsistent between countries, leaving businesses confused and frustrated. And while the situation has improved somewhat, many SMEs still feel overwhelmed and unsupported.
What research tells us
Most existing academic research focuses on exploring GDPR challenges in SMEs and technology-driven sectors such as IT, fintech, and software development. In contrast, the experiences of larger companies, particularly in non-tech industries such as manufacturing, retail, logistics or leisure, are still largely underrepresented in the academic literature. This is a significant research gap, considering that the compliance journey for larger companies is likely quite different from that of smaller firms: often more complex, but also backed by greater resources.
Another key issue is the nature of the research itself. Much of the current literature is conceptual, emphasising frameworks, models, or ideal compliance strategies rather than being grounded in real-world evidence. As a result, we still know relatively little about the practical, long-term impact of GDPR compliance on businesses. Critical questions remain unanswered:
- Does GDPR compliance promote or hinder organisational innovation?
- What impact does it have on profitability, productivity, or operational efficiency?
- How does the implementation process differ across sectors, company sizes, or national contexts?
What needs to change
For businesses, it is essential to treat GDPR compliance not merely as a box-ticking exercise. It needs to be treated as a strategic priority embedded into the organisation’s daily operations. This includes investing in staff training to build internal competence, adjusting workflows and digital infrastructures to ensure data protection by design, and embedding GDPR compliance into broader governance and risk management strategies. Such an approach is especially important for organisations transitioning from legacy systems or operating in low-tech industries where data protection practices may be underdeveloped or simply overlooked.
For policymakers, the message is clear: simplification and accessibility matter. As the research shows, many businesses, particularly SMEs, are overwhelmed by the regulation’s legal jargon, its technical complexity and the uncertainty around its interpretation. Public institutions and regulators can help alleviate this burden by focusing their efforts on creating clearer, sector-specific guidance and designing practical training programmes tailored to the needs of small businesses. Data protection authorities can also offer more proactive support, such as case-based advisory services.
For researchers, the field remains wide open and full of potential. As we argue in our article, future research should focus more on empirical, longitudinal studies that track GDPR implementation over time, comparative case studies across industries and countries, and interdisciplinary research that integrates legal perspectives with information systems, organisational behaviour, and business management.
Final thoughts
GDPR compliance is not just a legal formality; it is a company-wide transformation involving changes in technology, organisational culture, legal practices, and strategic decision-making. If we’re serious about building a privacy-conscious digital economy, we need to make data protection more understandable, practical and attainable for every kind of business.
- This blog post is based on Understanding challenges of GDPR implementation in business enterprises: a systematic literature review, International Journal of Law and Management.
- The post represents the views of its author(s), not the position of LSE Business Review or the London School of Economics and Political Science.