Anniversary of the GDPR 2022

Happy 4th Birthday GDPR!

To celebrate 4 years since the GDPR came into effect, we’ve decided to release the first instalment of a blog series, informed by our very own Nigel Gooding’s dissertation, discussing whether or not the English and Welsh courts have diluted the legal right to access personal data. Funnily enough, our first instalment investigates the historical context and political climate which lead to GDPR and subsequent Data Protection Acts.

The prioritisation, development and implementation of the right to access (Article 15 of GDPR) by the English and Welsh courts, does not only reveal institutional attitudes towards our personal data, but towards the protection of our human rights. This is the first instalment of our blog series which discusses whether or not the aforementioned courts diluted the legal right to access data, informed by the dissertation of our very own founder Nigel Gooding. 

Comprehension of the historical and statutory journey that brought us the contemporary legislation covering Right of Access, is an important step informing our judgement of English and Welsh court intention for three reasons; 

  1.  It develops a chronological footpath of the development of the Right over time, allowing for analysis and examination of the Courts and lawmakers. 
  2.  It tracks developments in technology since 1984.
  3.  It can lend weighted evidence to the development of social influences such as the perceived rights of privacy. 

Now that we’ve covered why it’s important to consider the historical context of GDPR’s storied evolution, shall we delve a little deeper? 

The GDPR Background

At midnight on the 25th of May 2018, the GDPR became law across the 28 Countries of the European Union (the EU).  At the same time the UK Data Protection Act 2018 had received royal assent. The 2018 Act acknowledged GDPR in Part 1 and made additions to the data protection regime in part 2.  This was the third UK Data Protection Act since 1984 to include the right to access personal data into UK law.

The right of access under Article 15 only applies to personal data.  This has always been the case, indeed the first test of any Data Controller or Court is to assess the request and its validity relating to personal data. 

GDPR through Article 2 (1) encompasses personal data that is processed through electronic and manual filing systems.  Whilst this comprehensive definition may seem obvious to the casual observer, in 1984 when introducing the Data Protection bill to parliament the Home Secretary Leon Brittan declared, ‘It does not apply to those who keep personal information only in manual form — in old-fashioned paper records’. 

When a right is not actually a ‘Right’ 

In the UK, the right of access has been restricted through statute since its inception in 1984.  Successive lawmakers have been consistent in articulating that the right of access is not an absolute right, and a balance between the Data Subjects’ rights and the burden on controllers needs to be made.  Matt Hancock is the latest in a line of sponsoring ministers who gave the report evidence that their intention is a balance between statutory obligations.  This provided clarity in the analysis as it showed a consistent legislative intention on which to base the assessment of the project question. 

Humble Beginnings 

Prior to the 1981 Act there had been several attempts to introduce the general right to privacy and the right to access. The first attempt was introduced by Jim Callaghan, a Labour home secretary in 1970, who initiated the Younger Committee to review privacy. Efforts to consolidate data etiquette at this time was largely disregarded under Conservative leadership, however three years later a new Labour government (under the guidance of data protection’s original white knight Callaghan) established the Lindop Committee in 1978.  

Contemporary Observers of the Lindrop report claimed that; ‘that the DPA should be given the task of striking the right balance between the interests of the Data Subject, user and community at large’.  The Lindop report did not give, as Durbin states ‘that subjects should have an absolute right to inspect data about themselves’  but reflected on the view of the committee that discussed the right to access, and how it was a means to an end, rather than as ends in themselves. 

In January 1981 The European Council opened the Convention for the Protection of Individuals concerning the Automatic processing; the memorably named ‘Convention 108.  Convention 108 developed (in Article 5) a set of core principles for data undergoing automatic processing which bear resemblance to the current set of principles outlined in Article 5 of GDPR.  The driver for the Convention was the increased use of technology in processing personal data and the Council of Europe’s recommendation 509.  It recognised the need to protect personal data, alongside the rights and freedoms enshrined within Article 8 of the European Convention of Human Rights. 

In Article 9 (1)(b) the right of access was firmly established within the convention:

“Every individual shall have a right: to obtain, on request, at reasonable intervals and without excessive delay or expense, confirmation of the processing of personal data relating to him or her, the communication in an intelligible form of the data processed, all available information on their origin, on the preservation period as well as any other information that the controller is required to provide in order to ensure the transparency of processing in accordance with Article 8, paragraph 1;”

The right of access, when read in a literal context is absolute. At first glance, when set aside the current Article 15 GDPR rights, they look broadly similar.  The concept of the right of access was established, the UK became signatories on the 14th May 1981 and as Philip Coppel notes ‘By signing Convention 108, the United Kingdom had signified its willingness to enact data protection legislation’.    The development of legislation took three years to enact, the 1984 Act received Royal Assent in July 1984.  The Data Protection Act 1984, section 21 (1) now enshrined the right of access into law.  

Analysis of  UK Government intention with the 1984 Act

Delayed enactment of the 1984 Act were caused, not only by time constraints (earlier legislation was attempted as the 1983 General Election was approaching), but as A.C.M. Nutger believes, because the subject matter was innately too complex; ‘It appears from the debates that this was due in great part to the complexity of the subject. Members of both Houses were regularly perplexed by the technical subject matter of the Bill and the complexity of its structure.’  Indeed, the sponsoring minister shared the same concerns at the opening of the debate for the second reading of the bill:

We do not have to be experts in computer technology, or fluent in the jargon of mainframes and minis and micros and optical character readers, to understand the implications of the Bill for the protection of the individual and the enhancement of his rights. I hope, therefore, that hon. Members will not allow the apparently technical nature of the subject matter to obscure the importance of the Bill as a protection both for individuals and for the business community.

We can logically conclude that if parliamentarians struggled with the ‘technical’ nature of the bill then the legislation drafted is likely to have a minimal effect. This technical challenge is not restricted to the 1984 Act as parliamentarians brought forward similar concerns about their understanding of the 1998 Act. The role of the legislators is to provide scrutiny to enable the bill to pass into law with a clear understanding of the intention of the obligations the law sets on Data Controllers.  A valid argument is that if parliamentarians could not grapple with the complexity of legislation in front of them, then how likely is it that Judges would have the same issue?  We will return to this issue later in the next instalment of this blog series, when we utilise the ‘Durant’ case study to argue that the lack of clarity in areas of the 1998 Act (because of failure of parliamentary challenge) left judges with a vacuum to fill with judicial licence. 

Interestingly, the 1984 Act never once mentions the word ‘privacy’ which was first and foremost at the heart of Article 1 of Convention 108 in 1981. The 1984 Act also contained other points of relevance for the analysis of the development of the current right of access.  Data was defined as ‘information recorded in a form in which it can be processed by equipment operating automatically in response to instructions given for that purpose, excluding  manual/paper data from the act.  The report found that the 1984 Act’s right of access was not absolute in the minds of the law makers.  The law in part 4 of the 1984 Act contained numerous exemptions to the right of access ranging from National Security to Examinations,  thus the Act supported the notion of the right of access as a balance between Data Controllers, Data Subjects, and the state. We can therefore conclude that the 1984 Act was a balancing act for the UK government, with numerous (potentially competing) intentions to placate.

Want to learn more about GDPR? Have a look through our FAQs here.

Here at DPAS, we can offer a UK-GDPR representative at a very competitive rate. Get in touch to find out more about how we can help you.

related posts

Jack Penaligon

How to Respond to a Data Breach: A Practical Guide

This blog provides an overview of the practical steps organisations can take to reduce the impact of a data breach once it has been identified. It focuses on the actions that should be taken during the early stages of an incident to contain the breach, protect affected individuals, and meet regulatory requirements.

The article discusses a range of mitigation measures, including contacting unintended recipients of personal data, securing the deletion or recovery of exposed information, isolating compromised systems, and maintaining clear records of actions taken. It also explores the challenges posed by both digital and physical data breaches, highlighting the importance of balancing operational needs with data protection obligations.

Finally, the blog emphasises the value of preparation, explaining how established procedures, communication templates, and predefined response plans can help organisations respond more effectively and demonstrate accountability during a regulatory investigation.

Read More »
Noah de Wild

How to Assess a Data Breach: A Practical Guide

This blog explains how to assess a data breach by identifying its cause, determining what information was exposed, and evaluating the potential impact on affected individuals and the organisation. It outlines common causes of breaches, the importance of understanding the type and scale of compromised data, and how assessing the timeline of an incident can help businesses respond effectively, meet legal obligations, and reduce long-term risks.

Read More »
Noah de Wild

Don’t Panic: A Pragmatic Guide to the June 2026 Enforcement of the Data (Use and Access) Act Changes

With the June 19, 2026 enforcement of the Data (Use and Access) Act approaching, ensuring your business is compliant doesn’t have to be complicated or expensive. In our latest guide, we break down exactly what the new data protection complaint rules mean for you. Cut through the noise and discover our simple, free six-step checklist to update your protocols, designate handlers, and keep your business confidently compliant.

Read More »

Get a Free Consultation