Law: The primary pieces of legislation are the Data Protection Act 2004 (as amended in 2021) (the Act) and the Gibraltar General Data Protection Regulation (Gibraltar GDPR)

Regulator: The Gibraltar Regulatory Authority (GRA)

Summary: Gibraltar implemented the GDPR in 2019 through the Data Protection Act (the Act). The Act is enforced by the Gibraltar Regulatory Authority (GRA). Following the end of the 11-month transitional Brexit period during which the UK and Gibraltar continued to be subject to EU rules, Gibraltar enacted the Gibraltar General Data Protection Regulation (Gibraltar GDPR) on January 1, 2021, which is essentially the EU GDPR read with minor modifications such as regarding territorial scope and the competent supervisory authority.

The GRA has been particularly active in issuing guidance and has addressed topics including GDPR-compliant privacy notices, the relationship between emerging technologies, such as blockchain, and data protection, as well as general concerns such as data security. In addition, privacy regulation in Gibraltar has a particular focus on gambling operations due to the prevalence of the industry in Gibraltar.