Brexit, Harmonization & the Goals of the GDPR

Domain one closes with the question of why the GDPR exists at all, and the answer is right there in Article 1. The GDPR has two goals, and they pull in opposite directions. First, it protects the fundamental rights and freedoms of natural persons, in particular their right to the protection of personal data.

Second, it ensures the free movement of personal data within the Union. In other words, Europe wants to protect people and keep data flowing for the single market. Recital 4 even reminds us that the right to data protection is not absolute; it must be balanced against other rights and interests.

Whenever the exam frames a scenario as a balancing act, that balance is baked into the GDPR's purpose.

We touched on harmonisation last time; here is why it matters to the exam's framing of Domain one. Under the old directive, a company operating across Europe faced up to twenty-eight different national laws, which raised cost and legal uncertainty and weakened individuals' rights in some states. By choosing a single regulation, the EU gave businesses one standard to meet and gave individuals a consistent set of rights wherever they live in the Union.

The GDPR even builds in a consistency mechanism and a single lead authority for cross-border cases, which we will study in Domain four, precisely to stop the regulators from drifting apart again. Harmonisation is both the rationale and the recurring theme.

The Body of Knowledge specifically flags Brexit as a challenge to harmonisation, so let's be precise. When the United Kingdom left the EU, the GDPR no longer applied to it directly. The UK retained the text as the so-called UK GDPR, sitting alongside its Data Protection Act 2018, creating a separate but closely aligned regime.

The European Commission granted the UK an adequacy decision so data can keep flowing, but that decision is subject to review and could lapse if UK law diverges too far. One practical point for this course: we sometimes cite the UK's Information Commissioner's Office, the ICO, because its guidance is clear and public, but remember the ICO is the UK regulator, not an EU supervisory authority, and UK law is now its own thing. Do not treat ICO positions as binding EU law.

It is worth restating one idea from earlier because it shapes how the whole exam reasons. In Europe, data protection is not merely a feature of consumer or contract law; under Article 8 of the Charter it is a standalone fundamental right, and that right includes the guarantee of independent oversight by a supervisory authority. That framing explains why European law insists on regulators with real powers, on lawful bases for every processing activity, and on rights individuals can exercise directly.

When you hit a tricky exam question, ask yourself: what protects the data subject's fundamental right here? That question often points you to the best answer. It is also why European law tends to favour the individual when interests are finely balanced: the fundamental-rights framing tilts the scales toward protection, and the exam's reasoning follows that tilt more often than not.

Let's talk strategy for this domain. Domain one carries roughly seven to thirteen scored questions, and many are straightforward fact recall: which institution proposes legislation, what Convention 108 did, the difference between the ECHR and the Charter. The traps are the look-alikes we have drilled, the three Councils, and the two Article 8s.

Know your rough dates: the European Convention on Human Rights in nineteen fifty, Convention 108 in nineteen eighty-one, the old directive in nineteen ninety-five, the GDPR adopted in twenty sixteen and applicable from twenty eighteen. You do not need to memorise exact days, but a loose timeline helps you reject wrong answers quickly.

So Domain one comes down to this. The GDPR exists to balance two goals, protecting people's fundamental rights and enabling the free flow of data, expressed in Article 1. Harmonisation under a single regulation is the rationale, and Brexit is the live stress test of how far a country can diverge.

And underneath it all, data protection is a standalone fundamental right under Charter Article 8. With the foundations set, we now move into the heaviest part of the exam, Domain two, starting with the definitions that the entire GDPR is built on: personal data, controller, processor, and data subject. First, go take the Domain one practice test.