The introduction of the General Data Protection Regulation (EU) 2016/679 (the GDPR) in May 2018 was a dramatic step forward in empowering data protection authorities (DPAs) across the EU to tame the “wild west” of the new digital economy and safeguard data rights. Post-Brexit, the UK has (so far) maintained this data protection enforcement framework through the retention of the GDPR in UK domestic law (as the “UK GDPR”).

The GDPR’s immediate impact was perhaps felt most in compliance programmes but, over three years in, clearer enforcement (and litigation) trends are emerging. This article considers three such trends: