The two-year review of the General Data Protection Regulation (GDPR) has found that it has met most of its objectives, in particular by offering citizens a strong set of enforceable rights and by creating a new European system of governance and enforcement.

Harmonisation across EU member states is increasing but there is a certain level of fragmentation that must be continually monitored, according to the report, which also includes a number of recommendations for improving compliance.

An adequacy assessment is being carried out to establish whether the UK’s data protection standards match the EU’s, which was thrown into doubt earlier this year after Prime Minister Boris Johnson suggested in February that the UK would “develop separate and independent policies” on areas including data protection.

Adequacy “plays an important role in the context of the future relationship with the United Kingdom, provided that the applicable conditions are met”, the report states.

“It constitutes an enabling factor for trade, including digital trade, and an essential prerequisite for a close and ambitious cooperation in the area of law enforcement and security. Moreover, a high degree of convergence in data protection is an important element for ensuring a level playing field between two so closely integrated economies.”

Commenting on the report, Věra Jourová, vice-president for values and transparency, said: “Europe’s data protection regime has become a compass to guide us through the human-centric digital transition and is an important pillar on which we are building other polices, such as data strategy or our approach to AI.

“The GDPR is the perfect example of how the European Union, based on a fundamental rights’ approach, empowers its citizens and gives businesses opportunities to make the most of the digital revolution. But we all must continue the work to make GDPR live up to its full potential.”

Didier Reynders, commissioner for justice, said: “The GDPR has successfully met its objectives and has become a reference point across the world for countries that want to grant to their citizens a high level of protection. We can do better though, as today’s report shows.

“For example, we need more uniformity in the application of the rules across the Union: this is important for citizens and for businesses, especially SMEs. We need also to ensure that citizens can make full use of their rights.

“The Commission will monitor progress, in close cooperation with the European Data Protection Board and in its regular exchanges with member states, so that the GDPR can deliver its full potential.”