6 years of the GDPR

Reflect – Review – Refresh

The GDPR (General Data Protection Regulation) and UK DPA (Data Protection Act) 2018 took effect on 25 May 2018, updating the UK’s data protection regime for the first time in more than 20 years.*

Six years later, following a global pandemic, a shift to remote and hybrid working, and the widespread adoption of generative AI, data processors and controllers should reflect on their data protection obligations, review their data processing activities and refresh their compliance programmes.

After all, GDPR compliance is an ongoing process that should adapt and grow alongside your business.

Free PDF download: General Data Protection Regulation (GDPR) – A compliance guide for the UK

Download this free green paper to understand the core elements of the GDPR, including:

  • How the GDPR is enforced in the UK, and which organisations must comply;
  • The benefits of achieving compliance;
  • The Regulation’s fundamental principles and rights;
  • How to lawfully transfer personal data internationally; and
  • Tips on how to write your privacy notice.

Download now

Biggest GDPR fine to date

The biggest EU GDPR fine to date is €1.2 billion (about £1.04 billion), issued to Meta by Ireland’s Data Protection Commission in May 2023. Meta intends to appeal the ruling.

The EU GDPR has applied to the processing of EU residents’ personal data since 25 May 2018.

A new UK Data Protection Act took effect at the same time as the GDPR. It fills in sections of the Regulation that were left to individual member states to interpret and implement, and applies the GDPR’s provisions to certain areas that fell outside the Regulation’s scope, such as law enforcement processing and intelligence services processing.

Combined, the two laws granted greater data privacy rights to individuals and placed tougher obligations on organisations – all backed up by a system of fines and other regulatory penalties.

The UK GDPR superseded the EU Regulation in the UK on 31 December 2020, following the Brexit transition period.

UK organisations that process personal data must therefore comply with:

  • The DPA 2018 and UK GDPR if they process only domestic personal data; or
  • The DPA 2018 and UK GDPR, and the EU GDPR if they process the personal data of UK residents and offers goods and services to, or monitor the behaviour of, EU residents.

Learn more about the UK GDPR and DPA 2018

Learn more about the EU GDPR

Learn more about the difference between the EU GDPR and the UK GDPR/DPA 2018

Other GDPR compliance products and services

IT Governance has been at the forefront of GDPR compliance solutions since before the Regulation took effect. Since then:

  • More than 4,000 people have taken our GDPR training courses;
  • We’ve delivered GDPR staff awareness training to more than 78,000 people;
  • We’ve provided GDPR consultancy to more than 750 organisations; and
  • Hundreds of organisations have bought our GDPR books, documentation templates and toolkits.

If you need to update your GDPR compliance activities to ensure you still meet your obligations, we have everything you need – whatever your resources or expertise.

View all our GDPR and data privacy services

Free infographic: 5 Years of the GDPR

Free Infographic: 5 years of the GDPR

25 May 2023 marked the fifth anniversary of the GDPR. What has happened in that time?

Download our free infographic to see:

  • The Regulation’s timeline;
  • Its key provisions; and
  • Noteworthy fines issued in the past five years.

Download now

* A UK version of the GDPR replaced the EU Regulation in the UK at the end of the Brexit transition period on 31 December 2020. There is relatively little difference between the two laws. However, for the sake of clarity, we refer to “the GDPR” to mean those requirements common to both the UK and EU versions of the Regulation. Where the two laws differ, we use the regional prefixes.

**The GDPR Gap Analysis service is provided by DQM GRC. Data Protection Officer (DPO) as a Service, the GDPR Advice Service, GDPR Contract and Legal Services, GDPR UK Representatives, and Data Subject Access Request as a Service are all provided by GRCI Law. The GDPR EU Representative service is fulfilled by IT Governance Europe. DQM GRC, GRCI Law, IT Governance Europe and IT Governance Ltd are all part of GRC International Group. For a more efficient customer experience, you will be redirected to the relevant website.

This website uses cookies. View our cookie policy
SAVE 10%