GDPR timeline 2016


At present, personal data processed in the European Union is governed by the 1995 European Directive (95/46/EC) on the protection of individuals with regard to the processing of personal data and on the free movement of such data (Directive). The Directive establishes a number of key legal principles: 

  • Fair and lawful processing 
  • Purpose limitation and specification 
  • Minimal storage term 
  • Transparency 
  • Data quality 
  • Security 
  • Special categories of data 
  • Data minimisation 

These principles have been implemented in each of the 28 European Union Member States through national data protection law. Although all originating from the same core Directive, there is significant variation among Member State’s substantive and procedural data protection laws. 

For an overview of the national data protection rules, please refer to our Data Protection Handbook.


After almost four years of often fractious negotiations, GDPR was published in the Official Journal of the European Union as Regulation 2016/679 on 27 April 2016. 

There will be a two year transition period to allow organisations and governments to adjust to the new requirements and procedures. Following the end of this transitional period, the Regulation will be directly applicable throughout the EU from 25 May 2018, without requiring implementation by the EU Member States through national law.

The goal of European legislators was to harmonise the current legal framework, which is fragmented across Member States. A 'Regulation' (unlike a Directive) is directly applicable and has consistent effect in all Member States, and GDPR was intended to increase legal certainty, reduce the administrative burden and cost of compliance for organisations that are active in multiple EU Member States, and enhance consumer confidence in the single digital marketplace. However, in order to reach political agreement on the final text there are more than 30 areas covered by GDPR where Member States are permitted to legislate differently in their own domestic data protection laws. There continues to be room for different interpretation and enforcement practices among the Member States. There is therefore likely to continue to be significant differences in both substantive and procedural data protection laws and enforcement practice among EU Member States when GDPR comes into force.

We have summarised the key changes that will be introduced by the GDPR in the following sections. 

> Key changes