UK data protection law

The General Data Protection Regulation (“GDPR”) came into force with direct effect in the European Union on 25 May 2018 and heralded a step change in data protection law throughout the region. The GDPR continues to apply in the UK following Brexit as the “UK GDPR”, supplemented by the Data Protection Act 2018 ("DPA").

The UK GDPR came into effect on 1 January 2021 and is largely consistent with the provisions of the GDPR, with necessary changes to reflect the impact of Brexit and so that the UK GDPR could operate within a UK-context. Now the UK has set forth an ambitious plan of legislative reform affecting the processing of personal and non-personal data.

For more information on the GDPR and the UK GDPR and what steps your business might need to take, look at our overview here.

Future of UK Data Protection

UK Data Protection Law Reform  

After the previous government failed to pass the Data Protection and Digital Information (No.2) Bill, on 17 July 2024, a new Digital Information and Smart Data Bill was announced during the King's speech. The Bill has not been tabled before UK Parliament yet. From the background briefing for the King's Speech, specifically on data protection, there are proposals to support data use for scientific research, modernisation and strengthening the Information Commissioner's Office and targeted reforms that still aim to maintain high standards of protection but where there is currently a lack of clarity impeding the safe development and deployment of some new technologies.

Relationship of EU and UK Law

Organisations that process data in the EU and the UK may now be subject to both the EU GDPR and the UK GDPR and any future iterations of the UK Data Protection regime. To ensure compliance with all applicable data protection laws, it is vital that organisations:

  • take stock of their data protection practices
  • understand the impact of data protection law on their business
  • take any necessary action.

For now data sharing between the UK and EU is secure following the European Commission adopting two adequacy decisions in relation to the UK which allow for the continued flow of personal data between the UK and the EU (for more information on these decisions, please see our article here. The UK has similarly adopted an adequacy decision in respect of the EU. Moving forward, any changes to the UK data protection regime may affect the EU's adequacy decision and businesses need to maintain awareness around their ability to provide for changes affecting the free flow of data between the UK and EU.