
General Data Protection Regulation (GDPR) Enacted

27 April 2016 to 25 May 2018. Cybersecurity. Regulation enacted. Date precision: exact. Evidence grade: primary. 1 primary source.

Drivers:

  • Regulatory requirement
  • Security incident
  • User demand

Major data breaches eroded public trust. The digital economy required an updated legal framework. Citizens demanded control over their personal data. The EU sought to harmonise data protection across member states.

GDPR is a European law that gives people control over their personal data. It means companies must ask permission before collecting your data, tell you if they are hacked, and delete your data if you ask. Companies that break the rules can be fined huge amounts, which is why every website now asks about cookies.

General Data Protection Regulation (GDPR) Enacted event plate

Structured atlas record showing date, domain, evidence grade, source count, and predecessor and successor links.

Event plate (convergence-divergence layout): 2016, regulation enacted, General Data Protection Regulation (GDPR) Enacted. Evidence: primary. Domain: AI and machine learning. Era band: E6 AI-scale systems. Predecessors: 0. Successors: 0. Key terms: GDPR, data protection, privacy, consent. Source: https://eur-lex.europa.eu/eli/reg/2016/679/oj

Forecasts and counterfactuals stay labelled as opinion in the event data. Source: Computer History Museum.

Before

The 1995 Data Protection Directive was outdated for the digital age. Data protection laws varied across EU member states. Large-scale data breaches were common with limited consequences. Individuals had little control over their personal data held by organisations.

What changed

GDPR established comprehensive data protection rights for EU residents, backed by significant enforcement powers. It introduced requirements for consent, breach notification, data protection officers, and data subject rights. Penalties of up to 4% of global revenue transformed corporate attention to privacy.

How it happened

After four years of negotiation, GDPR was adopted on 27 April 2016 with a two-year implementation period. It became enforceable on 25 May 2018. The regulation applied directly across all EU member states without requiring national implementation. Its extraterritorial scope affected organisations worldwide.

Outcomes

  • Established global benchmark for privacy regulation
  • Empowered individuals with data rights
  • Forced corporate investment in data governance
  • Influenced privacy laws worldwide (CCPA, LGPD, etc.)

Limitations

  • Enforcement varies across member states
  • Compliance burden on small organisations
  • Some provisions remain untested in courts
  • Cookie consent fatigue undermines user experience

Lessons learnt

  • Significant penalties drive corporate behaviour
  • Privacy regulation can be extraterritorial
  • Clear individual rights empower citizens
  • Implementation requires ongoing interpretation

Stakeholders and artefacts

Organisations

  • European Parliament (government): Adopted regulation
  • European Council (government): Adopted regulation
  • European Commission (government): Proposed regulation

Individuals

  • Viviane Reding (Commissioner, European Commission): Initiated GDPR as Justice Commissioner
  • Jan Philipp Albrecht (Rapporteur, European Parliament): Led parliamentary negotiation of GDPR

Artefacts

  • GDPR (specification): EU data protection regulation
  • Data Subject Rights (specification): Rights including access, rectification, erasure, portability
  • Data Protection Officer (methodology): Required role for certain organisations

Key terms

GDPR, data protection, privacy, consent, breach notification, DPO, data subject rights


Sources

1. "Regulation (EU) 2016/679 (General Data Protection Regulation)". European Parliament and Council, 2016-04-27. Authoritative. eur-lex.europa.eu/eli/reg/2016/679/oj