
GDPR vs the old Data Protection Directive — what changed

Updated April 2026 · EU GDPR 2016/679 · Directive 95/46/EC comparison

EU GDPR replaced the Data Protection Directive 95/46/EC across all EU member states on 25 May 2018. The transition was not merely a rebranding — it fundamentally changed how data protection law operates in the EU: from a fragmented national implementation model to a single, directly applicable regulation; from compliance-by-practice to accountability-by-evidence; from modest fines to penalties capable of threatening the viability of even large organisations.

How to read this guide. This guide explains requirements and expectations derived from EU GDPR 2016/679 and EDPB published guidance. Where we write “EU GDPR requires” we cite the regulation. Where we write “EDPB guidance indicates” we cite regulatory guidance, which is not identical to a statutory obligation. Application of GDPR obligations may vary depending on member state law and supervisory authority interpretation — consult a qualified data protection practitioner familiar with the relevant jurisdiction.

From directive to regulation

The Data Protection Directive 95/46/EC required each EU member state to implement its principles in national law. This produced 28 different national data protection laws, each interpreting the Directive’s requirements differently. German data protection law differed from French law, which differed from Irish law. GDPR, as a directly applicable regulation, replaced all of these with a single set of rules applying uniformly across the EU. Member states retain discretion in specific areas — particularly employment data, national security, and the research exemptions — but the core obligations are uniform.

Source: Directive 95/46/EC (repealed); EU GDPR Regulation 2016/679; TFEU Article 288

Accountability — the foundational shift

The Directive required compliance with data protection principles. GDPR requires organisations to demonstrate compliance. This accountability principle, in Article 5(2), is the change that drives the entire evidence-based compliance approach. Under the Directive, an organisation could argue that it was compliant without necessarily being able to produce the documentation. Under GDPR, undocumented compliance is not demonstrable compliance — it is effectively non-compliance from a regulatory perspective.

Extended territorial scope

The Directive applied to controllers established in the EU. GDPR’s Article 3(2) extended scope to non-EU organisations that offer goods or services to EU data subjects or monitor their behaviour. This brought US technology companies, global retailers, and any organisation with EU customers within the scope of EU data protection law regardless of where they are established — a fundamental expansion with global implications.

Breach notification — a new obligation

The Directive contained no mandatory breach notification requirement (with the exception of telecoms providers under a 2009 amending directive). GDPR’s 72-hour notification obligation to the supervisory authority, and the obligation to notify affected individuals where high risk exists, was entirely new for most organisations. Building a breach response capability was the single largest new procedural burden introduced by GDPR.

Consent — a harmonised standard

The Directive’s consent standard was interpreted differently across member states — some permitted implied consent; others required explicit opt-in. GDPR harmonised consent as freely given, specific, informed, and unambiguous, with a clear opt-in standard and strict conditions for withdrawal. The EDPB’s Guidelines 05/2020 on consent further tightened the standard, particularly on cookie consent and bundled consent.

Penalties — a step change

Under the Directive, national data protection authorities had varying enforcement powers — some could issue fines in the millions; others were limited to thousands or had only corrective powers. GDPR standardised the penalty framework into two tiers: up to €20 million or 4% of worldwide annual turnover, and up to €10 million or 2% of worldwide annual turnover. This harmonisation, combined with the one-stop-shop mechanism, created a credible pan-EU enforcement threat that simply did not exist under the Directive.

Record this. The transition from the Directive to GDPR was not a continuation of the prior framework with cosmetic changes. The accountability principle, the breach notification obligation, and the extended territorial scope all created materially new obligations. Organisations that have not reviewed their compliance programme since before 2018 — or that assume their national Data Protection Act from before GDPR still sets the standard — are not operating under the current framework.

Note: application of EU GDPR obligations may vary under member state law. Confirm with a practitioner familiar with the relevant jurisdiction.

Not legal advice. This guide is derived from EU GDPR (Regulation (EU) 2016/679), EDPB published guidelines, and national supervisory authority guidance as at April 2026. Obligations are subject to change. Consult a qualified solicitor or data protection practitioner for advice specific to your organisation.