When did GDPR become law? Key dates in the UK and EU

The General Data Protection Regulation was adopted on 14 April 2016 and became enforceable on 25 May 2018. This guide explains each date — including UK GDPR after Brexit and the Data (Use and Access) Act 2025.

The short answer most people are looking for: GDPR became enforceable across the EU, including the UK, on 25 May 2018. But that date is only one of several that matter. There are at least four that an organisation needs to know — the adoption date, the enforcement date, the post-Brexit transition, and the more recent reforms under the Data (Use and Access) Act 2025.

This guide covers each in order, with the context that explains why each one matters.

Why GDPR was created

Before GDPR, EU data protection law was based on the Data Protection Directive 95/46/EC, which the UK had implemented through the Data Protection Act 1998. The directive predated smartphones, social media, mass cloud computing, and the data-driven economy. It also produced patchy enforcement across EU member states, because each country implemented it through its own national law.

GDPR was designed to replace that fragmented system with a single, directly applicable regulation across the EU. The European Commission proposed it in 2012, the European Parliament and Council adopted it in 2016, and it became enforceable in 2018 — by which point the technologies and business models it was designed to regulate were unrecognisable from the 1995 baseline.

The DPA 1998 was repealed and replaced by the Data Protection Act 2018 on the same day GDPR became enforceable.

GDPR was adopted on 14 April 2016

The European Parliament formally adopted GDPR on 14 April 2016, after four years of negotiation. The regulation was published in the Official Journal of the European Union on 4 May 2016 and entered into force on 24 May 2016.

That "entry into force" date is sometimes given as the answer to "when did GDPR become law", but it isn't quite right. From 24 May 2016, GDPR was technically law — but it was not yet enforceable. The two-year gap between adoption and enforcement was a deliberate transition period, giving organisations across the EU time to prepare.

GDPR became enforceable on 25 May 2018

The "go live" date — the one most people mean when they ask when GDPR became law — is 25 May 2018. From that day, organisations subject to GDPR could be fined, audited, and sanctioned for non-compliance.

The same date marked another important UK change: the Data Protection Act 2018 came into effect, replacing the Data Protection Act 1998. The DPA 2018 had received Royal Assent two days earlier, on 23 May 2018. Its purpose was to supplement GDPR with UK-specific provisions — covering law enforcement processing, intelligence services, and a long list of exemptions — and to align the broader UK data protection framework with the new EU rules.

For UK organisations between May 2018 and the end of 2020, two parallel regimes applied: the EU GDPR directly, and the DPA 2018 alongside it. That arrangement ended with Brexit.

UK GDPR took effect on 1 January 2021

The UK formally left the European Union on 31 January 2020, but EU law continued to apply during a transition period that ended at 11pm on 31 December 2020. From 1 January 2021, EU GDPR stopped applying directly in the UK.

To prevent a gap in protection, the UK retained GDPR in domestic law under the European Union (Withdrawal) Act 2018. The retained version, with some technical amendments to fit a non-EU context, is known as UK GDPR. It applies to UK-based organisations and to overseas organisations targeting people in the UK.

For most practical purposes, the change between 31 December 2020 and 1 January 2021 was invisible. The principles, rights, lawful bases, and enforcement framework all carried over. What changed was the constitutional basis — the rules now sat in UK law, regulated by the ICO under UK jurisdiction, rather than in directly applicable EU law.

The European Commission confirmed an adequacy decision for the UK on 28 June 2021, allowing personal data to flow freely from the EU to the UK. That decision was renewed on 19 December 2025, extended until 27 December 2031.

The Data (Use and Access) Act 2025

The first significant change to UK GDPR since adoption came in 2025. The Data (Use and Access) Act 2025 received Royal Assent on 19 June 2025, after passing both Houses of Parliament earlier that month.

The DUAA amends UK GDPR, the Data Protection Act 2018, and PECR — it does not replace any of them. Its provisions came into force in phases:

• From summer 2025 onward — some early measures took effect, including the requirement to conduct a "reasonable and proportionate" search in response to a subject access request.
• 5 February 2026 — the largest single batch of reforms came into force. This included the new lawful basis of "recognised legitimate interests", the rewrite of Article 22 on automated decision-making, new exemptions for low-risk cookies under PECR, the alignment of PECR fines with UK GDPR, and changes to the test for international data transfers.
• April 2026 — the ICO finalised its updated Storage and Access Technologies guidance, replacing the older cookies guidance.
• June 2026 — the new statutory right to complain to controllers takes effect, alongside the requirement for organisations to maintain a formal complaints procedure.

Further provisions are still rolling out through commencement regulations. The rename of the Information Commissioner's Office to the Information Commission is taking effect through the same process.

For more detail on what the DUAA actually changes, see our hub guide to UK GDPR and our UK GDPR vs EU GDPR guide.

Quick reference: the dates that matter

• 14 April 2016 — GDPR adopted by the European Parliament.
• 24 May 2016 — GDPR entered into force; two-year transition begins.
• 23 May 2018 — UK Data Protection Act 2018 receives Royal Assent.
• 25 May 2018 — GDPR becomes enforceable across the EU, including the UK. DPA 2018 takes effect.
• 31 January 2020 — UK leaves the European Union.
• 31 December 2020 — Brexit transition period ends.
• 1 January 2021 — UK GDPR takes effect.
• 28 June 2021 — EU adequacy decision for the UK.
• 19 June 2025 — Data (Use and Access) Act 2025 receives Royal Assent.
• 19 December 2025 — EU adequacy decision renewed (valid until 27 December 2031).
• 5 February 2026 — main batch of DUAA provisions in force.
• 29 April 2026 — ICO Storage and Access Technologies guidance finalised.
• June 2026 — direct right to complain to controllers takes effect.

Frequently asked questions

When did GDPR come into force?

GDPR entered into force on 24 May 2016, with a two-year transition period before it became enforceable on 25 May 2018.

When was GDPR introduced?

The European Commission proposed GDPR in January 2012. It was formally adopted on 14 April 2016 and became enforceable on 25 May 2018.

What year did GDPR start?

GDPR began applying as enforceable law in 2018. In the UK, the retained UK GDPR has been in effect since 1 January 2021.

When did the UK adopt GDPR?

The UK was an EU member state when GDPR became enforceable on 25 May 2018, so it applied directly. After Brexit, the UK retained GDPR in domestic law, and UK GDPR took effect on 1 January 2021.

When does the DUAA take effect?

The Data (Use and Access) Act 2025 received Royal Assent on 19 June 2025. Most of its substantive changes came into force on 5 February 2026, with further provisions, including the statutory complaints procedure, in force from June 2026.