The GDPR was created to regulate how businesses use data, ensuring it’s the same across the entire EU. Although it will apply to smaller businesses as well as large corporations, recent stories, such as the Cambridge Analytica scandal, have demonstrated how big organisations such as Amazon, Google, Twitter and Facebook are not strictly complying to a single set of rules.

The Data Protection Act 1998, the UK’s interpretation of the EU’s Data Protection Directive 1995, wasn’t envisaged with contemporary uses of data enabled by the internet and cloud, with people exchanging their personal data for use of ‘free’ services provided by the likes of Google, Twitter and Facebook, and GDPR aims to rectify this.

The second driver is the EU’s desire to give organisations more clarity over the legal environment that dictates how they can behave. By making data protection law identical throughout member states, the EU believes this will collectively save companies €2.3 billion annually. It should make complying less onerous for businesses, with them only required to meet one set of rules, compared to dozens of different implementations of the EU’s Data Protection Directive 1995.