Five Years of the EU General Data Protection Regulation and Data Protection Act 2018

For many outside the data privacy and IT governance, risk management and compliance sectors, the GDPR (General Data Protection Regulation) seemed to appear five years ago as if from nowhere.

It had barely made the news before May 2018, but in the weeks running up to its effective date of 25 May 2018 it gained the sort of media coverage and popular interest that most aspirant celebrities can only yearn for.

(Indeed, the European Commission proudly shared in a since-deleted infographic that ‘GDPR’ was googled more often than Beyoncé or Kim Kardashian.)

The Regulation’s time in the media spotlight didn’t seem to last long, and Google Trends showed that searches for ‘GDPR’ soon dropped off.

However, this is not to condemn it to irrelevance – after all, the public consciousness is far from the best measure by which to judge anything’s effectiveness.

Now the GDPR has reached its fifth anniversary, we reflect on the evolution of data protection law in the UK and the EEA.

A brief history of the GDPR

The EU has two major types of legislative act: directives and regulations. Regulations apply directly across the EU with all the force of a domestic law, and directives set out agreed goals that member states must achieve via their own laws.

The GDPR’s predecessor, the 1995 DPD (Data Protection Directive), therefore resulted in a patchwork of data protection laws across the EU whose requirements varied considerably.

In the UK – then still a member of the EU – the Data Protection Act 1998 enacted the DPD’s eight data protection principles and set a maximum fine of £500,000 for violations.

In technological terms, 1998 – although only 25 years ago – might as well have been another century.

Mobile phones and computers were yet to saturate the market, the Internet was still in its relative infancy and powered by slow dial-up connectivity, and big tech companies such as Google were yet to consider commodifying the vast amounts of personal data they were collecting, let alone work out how to do it.

Only a few years later, though, everything was different.

Legislators have traditionally struggled to keep up with the rate of technological development, but as the trend for big data processing took off, it became clear that the legislative and regulatory burden had to increase accordingly.

The data protection law that was relevant to the late nineties – although designed to be broad enough to apply to emerging technologies – was inadequate when it came to helping individuals maintain their privacy in the face of increasingly invasive scrutiny.

Regulation (EU) 2016/679 – to give the GDPR its proper title – was proposed by the European Commission in January 2012, adopted by the European Parliament in April 2016 and published in the Official Journal of the European Union on 4 May 2016.

It entered into force on 24 May 2016.

Following a two-year transition period, it has applied to the processing of EU residents’ personal data since 25 May 2018, superseding the DPD 1995 and all EU member state law based upon it, including the UK’s DPA 1998.

A new UK Data Protection Act took effect at the same time as the GDPR, filling in sections of the Regulation that were left to individual member states to interpret and implement.

It also applied the GDPR’s provisions to certain areas that fell outside the Regulation’s scope, such as law enforcement processing and intelligence services processing in the UK.

Combined, the GDPR and DPA 2018 granted greater data privacy rights to individuals and placed considerably tougher obligations on organisations – all backed up by a system of fines and other regulatory penalties that far exceeded the regime enforced by the DPA 1998.

Following the Brexit transition period, the UK GDPR superseded the EU regulation in the UK on 30 December 2020. However, the EU GDPR continued – and continues – to apply to organisations in the UK that provide goods and services to, or monitor the behaviour of, EU residents.

Many organisations in the UK must therefore comply with both the UK GDPR and EU GDPR. As the two regulations are for the most part identical, this makes complying with both regimes relatively straightforward, albeit with certain extra measures to cover international data transfers.

Brexit and UK data protection reform

Since Brexit, successive Conservative governments have sought to reform data protection law in the UK. The latest Bill to pass through parliament is the Data Protection and Digital Information (No.2) Bill – known as the DPDI Bill.

The DSIT (Department for Science, Innovation and Technology) says the DPDI Bill will:

  • “Introduce a simple, clear and business-friendly framework that will not be difficult or costly to implement – taking the best elements of GDPR and providing businesses with more flexibility about how they comply with the new data laws.
  • “Ensure our new regime maintains data adequacy with the EU, and wider international confidence in the UK’s comprehensive data protection standards.
  • “Further reduce the amount of paperwork organisations need to complete to demonstrate compliance.
  • “Support even more international trade without creating extra costs for businesses if they’re already compliant with current data regulation.
  • “Provide organisations with greater confidence about when they can process personal data without consent; and
  • “Increase public and business confidence in AI technologies by clarifying the circumstances when robust safeguards apply to automated decision-making.”

The Bill has had its second reading in the Commons and, at the time of writing, is currently at committee stage.

The Information Commissioner, John Edwards, commented after giving evidence to the committee scrutinising the Bill:

I was really pleased to be able to support the Bill and that’s because we’ve been able to shape it. I’ve worked with ministers and with officials over the last 18 months to really ensure that we get legislation that preserves the rights of people of the UK while also minimising the burdens on business. We’re going to continue to offer our advice and submissions on the technical drafting, but it’s a really significant step today.

Reflect – review – refresh

Whatever form UK data protection law ends up taking – and whether your organisation also needs to demonstrate its compliance with the EU version of the Regulation – it is important to remember that GDPR compliance is an ongoing process.

To ensure you continue to meet your data processing obligations, you need to regularly reflect on the requirements that affect your organisation, review your data processing activities and then refresh your compliance programme accordingly.

IT Governance has been at the forefront of GDPR compliance solutions since before the Regulation took effect. Since then:

  • More than 4,000 people have taken our GDPR training courses;
  • We’ve delivered GDPR staff awareness training to more than 78,000 people;
  • We’ve provided GDPR consultancy to more than 750 organisations; and
  • Hundreds of organisations have bought our GDPR books, documentation templates and toolkits.

If you need to update your GDPR compliance activities to ensure you still meet your obligations, we have everything you need – whatever your resources or expertise.