[gerdesj]

It was enacted at the EU (err: thingie) level in 2016 and required that all EU member states enact local legislation within two years, deadline 25 May 2018.

The EU is pretty complicated. Oh and by the way, the UK will 99.99999% maintain GDPR related statutes on the books, post Brexit. Either that or we are madder than I thought.

[M2Ys4U]

GDPR is a Regulation (the clue is in the name), not a Directive and doesn't require member states to transpose it in to domestic law.

[gerdesj]

Who mentioned Directive?

[Hamuko]

You did, because what you described is a directive. GDPR is not a directive. It does not require EU member states to do anything. Only country that needs to do something is the UK, since they're leaving the EU and want to convince the other member states that they're not naughty and they want to play in the same digital ballpark as the rest.

[gerdesj]

OK, silly me: https://www.eugdpr.org/gdpr-faqs.html