
GDPR enforcement timeline

Every key GDPR date — entry into force, transposition deadlines, phased provisions, and compliance milestones. 3 milestones tracked, sourced directly from EUR-Lex.

GDPR has been in force and fully enforceable since May 25, 2018 — over six years of active enforcement. There are no further phase-in periods; all organizations processing EU personal data must comply immediately with all GDPR articles.

Entry into Force: May 25, 2018 (full enforcement)
Enforcement History: 2,800+ fines issued across 27 EU member states
Largest Fine: €1.2 billion (Meta, 2023)
Average Fine Amount: €18–25 million for large organizations
No Transitions Remaining: All GDPR articles have applied since May 2018

Common Questions

Is there a phase-in period for GDPR compliance?
No. GDPR entered into force and became fully enforceable on May 25, 2018. All articles and obligations apply immediately to all organizations processing EU personal data. There are no transition periods or deferrals remaining.
Can small organizations get a GDPR exemption?
No formal exemptions exist. However, GDPR provides flexibility: a Data Protection Officer needs to be appointed only where required (typically for public authorities or organizations whose processing is large-scale); organizations can use simplified privacy notices for small-scale processing; and penalties may be reduced for SMEs.
What is the most commonly fined GDPR violation?
Unlawful data transfers (transferring personal data to countries outside the EU without adequate safeguards) are the most frequently penalized, followed by violations of data subject rights (access, erasure, objection) and inadequate consent mechanisms.
How quickly can a GDPR fine be issued?
A DPA can issue a fine within months of receiving a complaint or opening an investigation. High-profile cases typically take 12–24 months. However, preliminary fines can be issued quickly, and subsequent administrative appeals may extend resolution to 3+ years.
Can I appeal a GDPR fine?
Yes. Fines can be appealed to national courts within the timeframe specified in national law (typically 30–60 days). Courts can reduce, maintain, or overturn fines. Appeals often take 2–4 years to resolve.
What is the most effective GDPR compliance strategy?
Document your lawful basis for every processing activity (Records of Processing Activities), implement privacy by design, obtain informed explicit consent where required, conduct Data Protection Impact Assessments for risky processing, appoint a DPO if needed, and establish a breach notification procedure that meets the 72-hour timeline.

When does GDPR take effect?

GDPR (Regulation (EU) 2016/679) has 3 key enforcement milestones. 3 milestones have already passed; 0 milestones are upcoming.

Source: Regulation (EU) 2016/679 via EuroComply EU Regulation Deadlines dataset

Total milestones: 3
In force: 3
Upcoming: 0

GDPR — complete milestone timeline

Regulation (EU) 2016/679 · Official text

Obligation · In force

GDPR enters into full application

General Data Protection Regulation becomes fully applicable across all EU Member States, replacing Directive 95/46/EC. Controllers and processors must comply with all provisions including lawful basis, data subject rights, DPO appointment where required, and breach notification.

Applies to: all controllers and processors handling personal data of EU data subjects

Penalty: up to €20M or 4% of worldwide annual turnover

Obligation · In force

Schrems II: EU-US Privacy Shield invalidated by CJEU

The Court of Justice of the EU (Case C-311/18) invalidated the EU-US Privacy Shield adequacy decision. Organisations relying on Privacy Shield for US data transfers had to immediately adopt alternative transfer mechanisms (SCCs with TIA, BCRs, or Article 49 derogations).

Applies to: all organisations transferring personal data from EU to the United States

Penalty: up to €20M or 4% of worldwide annual turnover

Obligation · In force

EU-US Data Privacy Framework adequacy decision adopted

European Commission adopted adequacy decision for the EU-US Data Privacy Framework (DPF), replacing Privacy Shield. US organisations certified under DPF can receive EU personal data without additional transfer safeguards.

Applies to: organisations transferring personal data from EU to US-certified DPF participants

Penalty: up to €20M or 4% of worldwide annual turnover if transfers lack valid basis

For informational purposes only. This is not legal advice — consult qualified legal counsel for advice specific to your situation. Dates reflect official EUR-Lex sources; verify with your national competent authority for jurisdiction-specific transposition dates.
