Four years on, how's UK GDPR holding up?
While some SMBs are struggling, most have stepped up to the mark in terms of data governance policies


It's been four years since the UK General Data Protection Regulation (GDPR) came into force after the UK left the European Union (EU).
However, while the UK legislation remains aligned with that of the EU, it gives the UK the independence to keep the framework under review.
Like the EU GDPR, the UK version places requirements on organizations that process personal data, based on seven principles: lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability.
Charlie Bromley-Griffiths, senior legal counsel at legal document management software firm Conga, said that while the legislation has delivered marked benefits, lingering issues remain.
"Over the last four years, UK businesses have made substantial strides in aligning with UK GDPR requirements. Companies have implemented stronger data governance policies, enhanced security protocols and prioritized the rights of data subjects," Bromley-Griffiths said.
"However, challenges still remain, particularly for small and medium-sized enterprises struggling with the complexity and cost of full compliance. GDPR mandates stringent measures to safeguard consumer data, which includes data storage, processing and transfer practices, all of which impact organizations' data strategies and operational costs."
Brexit has also caused issues with regard to the transfer of personal data between the UK and the European Economic Area (EEA), along with UK controllers who have an establishment or customers in the EEA, or who monitor individuals in the area.
While the EU GDPR still applies to this processing, the way organizations interact with European data protection authorities has changed.
"The international data landscape is now rather complex. UK businesses handling data from the European Union (EU) must also comply with the EU GDPR," said Bromley-Griffiths.
"Then, of course, there is the US-UK data bridge, which forms part of the EU-US Data Privacy Framework and permits the flow of EU-based data to the United States under certain conditions."
All this, she said, highlights the importance of maintaining two or more compliance strategies to make sure operations across borders go smoothly – and, ultimately, keep the trust of customers, reassuring them that their data is safe.
Looking ahead, Bromley-Griffiths expects regulatory bodies to look at cracking down harder on repeat offenders or businesses that have suffered significant data breaches.
Meanwhile, the UK GDPR is likely to be amended, with the introduction last October of the Data Use and Access Bill in the House of Lords. With this bill, and in future, the UK is unlikely to diverge significantly from EU legislation.
It currently enjoys 'data adequacy' with the EU, meaning that personal data can be transferred freely between the two. If this were lost, it could be an economic disaster.
However, more minor changes, said Bromley-Griffiths, could be on the cards.
"Given how quickly cyber threats are evolving, the UK GDPR standards may be updated. Businesses need to have the appropriate tools and measures in place to ensure that they are ready to adapt to any legislative changes," she said.
"Organizations must remain committed to investing in their employees' ongoing education but also in the right technology to safeguard personal data."
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.