EU GDPR

GDPR (or EU GDPR): the General Data Protection Regulation (EU) (GDPR) (EU) 2016/679, EU law on data protection and privacy in the European Union, was adopted on 14 April 2016 and became enforceable on 25 May 2018. Since the GDPR is a regulation and not a directive, it had direct application in all EU member states, including (until Brexit) the United Kingdom. Following the Brexit transition period, which ended on 31 December 2020, the GDPR ceased to have direct effect in the UK. Given the UK’s commitment to maintaining an equivalent data protection regime, the provisions of the GDPR have been incorporated directly into the laws of the UK as the UK General Data Protection Regulation (the UK GDPR) by virtue of the European Union (Withdrawal) Act 2018. In practice, there is little change to the core data protection principles, rights, and obligations between the GDPR and the UK GDPR. Notably, the GDPR continues to apply to UK controllers or processors, who either: (i) continue to have an establishment in the EU or, (ii) offer goods or services to data subjects in the EU, or (iii) monitor their behaviour within the EU.