By using website you agree to our use of cookies as described in our cookie policy. Learn More

TDWI Upside - Where Data Means Business

GDPR in 2021: Key Updates and Implications for Data Strategies

In 2021, the European Commission introduced changes to the GDPR that are intended to further enhance the effectiveness of the law. This article looks at the changes and how they can affect everyday business activities.

Broadened Definition of Joint Controller

Joint controller is not a new concept in the GDPR. In fact, it has been part of the law since its inception in 2018. However, the definition for the term “joint controller” has been updated as part of the changes to the GDPR.

For Further Reading:


CEO Perspective: Data Privacy

What You Need to Know About the New Virginia Consumer Data Protection Act

A joint controller refers to a situation where two or more persons or entities are in charge of the collection and protection of customer data. These joint controllers -- data owners, really -- determine together why and how to process personal data. Joint controllers will often have a shared objective and shared purposes. They are fully and independently responsible for the correct handling of customer data. In the event of non-compliance with any GDPR provisions, both data controllers can be held responsible and face possible sanctions.

The joint controller relationship arises more commonly than many people realize, however. For example, a simple activity such as managing a company’s social media presence or displaying a social media plugin on your website makes you a joint controller with that social media network.

Removal of the Privacy Shield

The GDPR’s so-called privacy shield was intended to make it easier for data to be transferred from European companies and institutions to their U.S. counterparts. This facilitated a smoother business relationship and enabled tech companies such as Google, Yahoo, and Apple to easily share data on their customers with their U.S.-based parent corporations.

However, the relative freedom the privacy shield gave to U.S. companies to process data under U.S. legal provisions has been revoked. Instead, U.S. companies that have previously used the privacy shield mechanism have now had to adopt standard EU GDPR contractual clauses to use the customer data of European citizens. Because the U.S. and EU have traditionally had polar opposite views regarding the requirement of consent to work with personal data, this development is important because it effectively forces U.S. companies to abide by much more stringent EU privacy laws.

California’s Response to the Removal of the Privacy Shield

In the U.S., California was the first state to respond to the changes in the GDPR by implementing modifications to its own legal system. The state introduced the California Privacy Rights Act (CPRA), which gives citizens of the state more data privacy rights. Under the CPRA, for example, a citizen can opt to deny consent to sell their private data to third parties. More U.S. states are considering introducing better privacy laws and there is even pressure on the U.S. federal government to introduce legislation.

All about Cookies

In the past, there were some unclear aspects in the GDPR regarding cookies and the consent users must give for its use. In the new iteration of the GDPR, EU lawmakers have made it clear that explicit permission is required from site visitors to install cookies on their computer(s). A visitor who simply browses through a website does not imply consent, consent must be given in an undisputed and clear way for it to be valid.

The topic of “cookie walls” has also been addressed and the EU lawmakers have made their view on the topic known, “cookie walls” are designed to force users to provide their consent since without this consent (and cookies) some websites are inaccessible. Additional updates to the cookie policy and specifically cookie walls are expected to be amongst the next updates to the GDPR.

Shift Away from Third-Party Data Processing

In something not so much a change to the GDPR but an effect of the changes, IoT companies are shifting away from third-party data processors in favour of keeping things in-house. This is hardly a surprise considering the risks associated with sharing data outside of your company, especially when taking the joint controller clause and definition updates into consideration.

Implications of these Changes to Data Strategy

This set of changes was one of the biggest since the introduction of the GDPR and it has sent shockwaves through the privacy community. It seems that the EU commissions strategy to get companies to adopt the GDPR and enforce it is the threat of large financial fines in the event of non-compliance. Bearing this in mind, companies have scrambled to ensure compliance with the provisions of the GDPR.

An Overall Change in Data Strategy -- Privacy Comes First

The net result of the latest changes to the GDPR is that companies worldwide are now taking the legislation and its provisions much more seriously and view data as a strategic tool and risk that must be managed. European customers are enjoying a higher level of privacy than ever before, and it is inspiring other countries to adopt the same level of protection for their citizens.


The GDPR has been controversial since its introduction and that is not about to change. However, taking the potentially gigantic financial and reputational damages that can come from non-compliance into account, the latest updates to the act will likely have the effect of promoting compliance amongst more companies.

About the Author

Milica Vojnic is an experienced senior marketing associate at Wisetek who specializes in ensuring businesses are GDPR-compliant. Vojnic is also the author of articles outlining these topics for a variety of online publications.

TDWI Membership

Accelerate Your Projects,
and Your Career

TDWI Members have access to exclusive research reports, publications, communities and training.

Individual, Student, and Team memberships available.