Replacing the UK GDPR


On 3 October, at the Conservative Party conference (the “Conference”), the UK government outlined a revised plan for its reform of the UK General Data Protection Regulation (“GDPR”). Organisations can expect the UK government to propose amendments to the Data Protection and Information Bill (the “Bill”) or to restart the process of reform altogether.


The UK’s current data protection regime is largely based on European Union (“EU”) regulation, following the incorporation of the EU GDPR into domestic law as the UK GDPR. In its 2021 consultation, Data: a new direction, and following the UK’s departure from the EU, the UK government introduced the Bill to Parliament in July 2022, proposing a range of reforms to the UK GDPR.

new data protection regime

During her speech, Michelle Donelan, the Secretary of State for Digital, Culture, Media and Support, stated that the current UK data protection regime limited “the potential of (UK) businesses”, and that the new regime will be the UK’s “own business and consumer-friendly British data protection system”. Donelan stated that the new data protection framework would “protect consumer privacy”, whilst retaining “data adequacy so that businesses can trade freely”, specifically referencing the burden that smaller organisations face in complying with the UK GDPR.

The UK government’s rhetoric surrounding the new regime suggests that it may diverge even further from the EU GDPR than the Bill. If the Bill is any indication as to how the UK government intend to diverge, it is likely that the new regime will include:

  • changes to the accountability framework, including alternatives to data protection impact assessment requirements;
  • changes to data subject access requests, to bring such requests in line with the UK’s freedom of information regime;
  • changes to the requirements for international data transfers; and
  • reform of the ICO and its powers.

divergence from the eu gdpr

Whilst a simpler protection regime is likely to be welcomed by organisations in the UK, significant divergence from the EU GDPR may result in additional complexities for those organisations who need to comply with both UK and EU data protection laws. Central to the EU and UK’s data protection regimes are the requirements surrounding the transfer of EU or UK personal data, respectively, to those countries deemed not to have an “adequate” data protection regime in place.

As it stands, the European Commission has ruled the UK data protection framework as “adequate”, which means that personal data may flow freely from the EU to the UK without the need for additional transfer safeguards. The UK’s current adequacy status will be reviewed in 2024.

Divergence from the EU GDPR in the UK’s proposed new regime may result in the UK losing its adequacy status, which is heavily relied on by UK organisations that transfer personal data from the EU to the UK. Where organisations process both EU and UK personal data, any divergence between the two regimes is likely to result in an increase to their data protection obligations and the requirement to ensure compliance with two sets of regimes. This could be costly and time consuming and will require cross-border organisations to keep abreast of developments under both regimes.

next steps

The current UK government are yet to release details as to the proposed new data protection regime. However, it is very likely that the UK’s data protection framework will see reform in 2023. Once details of the new regime are released, organisations will need to take a fresh look at the data protection they have in place and make changes to ensure compliance with any new requirements. Cleveland & Co can assist you in making this assessment, putting in place any relevant documentation, and ensuring compliance with both the UK and EU regimes.

For more information on the future of UK financial services regulation and any guidance or advice, Cleveland & Co External in-house counsel™, your specialist outsourced legal team, are here to help.

Please click here to follow us on LinkedIn to receive the latest information on this and other important topics!



Leave a reply

Your email address will not be published. Required fields are marked *



We'd love to hear from you, please get in touch with us if you have any questions.


©2023 Cleveland & Co

Log in with your credentials

Forgot your details?