Four years on, how's UK GDPR holding up?
While some SMBs are struggling, most have stepped up to the mark in terms of data governance policies
It's been four years since the UK General Data Protection Regulation (GDPR) came into force after the UK left the European Union (EU).
The UK legislation remains closely aligned with the EU regime, but it gives the UK the independence to keep the framework under review.
Like the EU GDPR, the UK version places requirements on organizations that process personal data, based on seven principles: lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability.
Charlie Bromley-Griffiths, senior legal counsel at legal document management software firm Conga, said that while the legislation has delivered marked benefits, lingering issues remain.
"Over the last four years, UK businesses have made substantial strides in aligning with UK GDPR requirements. Companies have implemented stronger data governance policies, enhanced security protocols and prioritized the rights of data subjects," Bromley-Griffiths said.
"However, challenges still remain, particularly for small and medium-sized enterprises struggling with the complexity and cost of full compliance. GDPR mandates stringent measures to safeguard consumer data, which includes data storage, processing and transfer practices, all of which impact organizations' data strategies and operational costs."
Brexit has also complicated the transfer of personal data between the UK and the European Economic Area (EEA), and the position of UK controllers that have an establishment or customers in the EEA, or that monitor individuals there.
The EU GDPR still applies to such processing, but the way organizations interact with European data protection authorities has changed.
"The international data landscape is now rather complex. UK businesses handling data from the European Union (EU) must also comply with the EU GDPR," said Bromley-Griffiths.
"Then, of course, there is the US-UK data bridge, which forms part of the EU-US Data Privacy Framework and permits the flow of EU-based data to the United States under certain conditions."
All this, she said, highlights the importance of maintaining two or more compliance strategies to make sure operations across borders go smoothly – and, ultimately, keep the trust of customers, reassuring them that their data is safe.
Looking ahead, Bromley-Griffiths expects regulatory bodies to look at cracking down harder on repeat offenders or businesses that have suffered significant data breaches.
Meanwhile, the UK GDPR is likely to be amended following the introduction last October of the Data (Use and Access) Bill in the House of Lords. Even with this bill, and in future amendments, the UK is unlikely to diverge significantly from EU legislation.
The UK currently holds an EU 'data adequacy' decision, meaning that personal data can be transferred freely between the two without additional safeguards. Losing it would force UK businesses back onto contractual transfer mechanisms and could be economically damaging.
However, more minor changes, said Bromley-Griffiths, could be on the cards.
"Given how quickly cyber threats are evolving, the UK GDPR standards may be updated. Businesses need to have the appropriate tools and measures in place to ensure that they are ready to adapt to any legislative changes," she said.
"Organizations must remain committed to investing in their employees' ongoing education but also in the right technology to safeguard personal data."
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.