What is the GDPR?
The GDPR (General Data Protection Regulation (Regulation (EU) 2016/679)) is an EU data protection law. It supersedes the EU’s 1995 Data Protection Data Directive and all member state laws based on it, including the UK’s Data Protection Act 1998.
As a regulation, it applies across the EU with the same authority as if it were a member state law.
Find out more about GDPR compliance
What is the difference between EU regulations and directives?
The EU has two types of legal instrument: directives and regulations.
- Directives set minimum standards and parameters for the EU, but leave the actual implementation down to the states themselves. When a directive is passed, the EU sets a deadline by which every member state must have put it into force, whether by national law or regulation, or another initiative.
- Regulations are legally binding across the EU from the date they come into effect, and do not need to be transposed into national laws.
Find out more about GDPR compliance
Where can I find the full text of the GDPR?
The full text of the Regulation is available in the Official Journal of the European Union.
This page provides links to each article of the GDPR, so you can easily find what you are looking for.
When did the GDPR take effect?
EU regulations enter into force when they are passed by the European Parliament (if it sets a date) or 20 days after they are published in the Official Journal of the European Union (if it doesn’t).
The GDPR was passed by the European Parliament on 27 April 2016. It was published in the Official Journal on 4 May 2016, entered into force 20 days later on 24 May 2016 and, after a two-year transition period, came into effect on 25 May 2018.
Find out more about GDPR compliance
How does the GDPR relate to the DPA 2018 (Data Protection Act 2018)?
The DPA 2018 supplements the GDPR. It fills in sections of the Regulation that are left to member states’ interpretation and implementation, and clarifies some provisions.
The DPA 2018 also applies “a broadly equivalent regime” – known as “the applied GDPR” – to certain types of processing that fall outside the GDPR’s scope, including by public authorities and sets out data processing regimes for law enforcement and intelligence purposes.
The DPA 2018 and the GDPR should therefore be read together.
Find out more about the DPA 2018
How will Brexit affect the GDPR?
When the UK leaves the EU, the EU GDPR will no longer directly apply. However, its requirements will still be part of UK law.
The UK Data Protection Act 2018, which replicates the GDPR’s requirements for areas outside the Regulation’s scope (the “applied GDPR”) will also continue to apply.
Find out what will happen to data protection law in the UK after Brexit