A very brief history of the GDPR

The General Data Protection Regulation started life in the EU as the Data Protection Directive. A quick note about the difference between a directive and a regulation before we carry on; where a regulation is a law created by the EU and enforced upon all member countries, a directive is more of a goal set by the EU which each country must try to achieve by bringing in their own laws and regulations - this difference will become important in a moment.

The Data Protection Directive came into effect back in 1995, when the internet was still in its infancy and nobody had any real idea just how much it would come to dominate our everyday lives. Since each member country was allowed to set-up its own data protection laws, because it was a Directive and not a Regulation, this created a lot of problems when sharing data across borders became much more commonplace. Trying to keep track of different countries’ data laws led to headaches, wasted time, and high administrative costs. There was also no way of guaranteeing the safety of data transferred outside of the EU. As a result, the GDPR was born. It would harmonise data protection laws across the entire EU, safeguard data being transferred abroad, and provide individuals with more control over their personal data. Importantly, it would also be technology-neutral, meaning that no matter what developments took place in the future, personal data would be kept safe.

In May 2018, the EU GDPR came into effect. At the same time the UK also introduced a new Data Protection Act. This sat alongside the GDPR and set out certain provisions which the GDPR allowed countries to decide for themselves. For example, the age at which a child can give consent for their data to be processed or matters concerning national defense and immigration.

What is the difference between the UK GDPR and EU GDPR?

On the 31st January 2020, the UK enacted the Withdrawal Agreement which, among other things, signalled the UK's exit from the EU and entry into a transition period. During the transition period, all EU laws, including the GDPR, continued to apply. However, to avoid any problems at the end of the transition period, the Agreement also introduced the UK GDPR into law. The UK GDPR is a combination of the EU GDPR and the Data Protection Act with a few tweaks to make it relevant to the UK. During the transition period, both the EU and UK GDPR were in effect in the UK until the end of the transition when just the UK GDPR remained.

Today, both GDPRs are in effect in their own areas; the EU GDPR across the European Union and the European Economic Area and the UK GDPR in the UK.