“It’s important to remember that the GDPR recognized the right to data portability. However, in practice, it has been one of the most underutilized rights, not due to a lack of interest from users, but because the Regulation itself left the underlying technical problem unresolved: in what format exactly? with what standards? through which interfaces? Now, since the Data Protection Act came into force in September 2025, portability has become a design obligation for companies offering digital services, as it requires that access to and transmission of personal data to other companies be technically feasible,” he says.
Not forgetting a topic that is both “very Spanish and very European,” as García del Poyo defines it, which is the proportionality in the requirements of the rule.
“If the European digital regulatory framework becomes increasingly dense, overlaps with new rules, and we fail to simplify some of the imposed obligations — for example, those that can be classified as low-risk or specifically aimed at SMEs — we risk compliance becoming a luxury for large organizations rather than an effective standard of protection for citizens,” he explains. “I believe that the success of the European digital economic model — whose data protection foundations were established in the GDPR 10 years ago — will be measured both by the effectiveness of protecting rights and by its ability to create a secure and favorable environment for business development.”
Looking to the future
Challenges, risks, the need for evolution — we are about to experience some exciting years ahead. But how? What can we expect in terms of data protection? Because the technological challenges are real, and the GDPR will have to adapt to the new reality.
“The first thing we have to keep in mind is that we have already moved from data management to data governance, and that this is done within a framework of compliance with fundamental rights,” Recio says.
According to Recio, it is necessary to strengthen the role of data protection professionals, which he describes as “essential” and which “must be valued and promoted by companies if they want to achieve compliance that minimizes the risk of sanctions.”
“And thirdly,” Recio adds, “the need to adapt the GDPR to technological evolution itself, thus preventing situations of uncertainty from arising or potentially arising. The key is the principles that can be applied to new scenarios and technological developments.”
