30 June 2023

With the General Data Protection Regulation reaching its fifth anniversary this year, data privacy regulations are still far from settled

In her latest article for Law360, Sian Stephens, data protection law expert in our Corporate Team, discusses the possibilities for the future of the GDPR in the U.K.

This is particularly in light of the U.K.’s future position on data privacy regulations since Brexit, the growing use of artificial intelligence and increasingly large fines for data breaches for some of the largest tech names, such as Meta Platforms Inc. and Inc.

So what did the GDPR change and bring to data protection, since it came into effect on May 25, 2018, as the biggest shake-up of European Union law in the data protection space so far? What trends have emerged since it was introduced five years ago, and what now for data privacy post-Brexit and the emergence of new technology?

As the U.K. looks to diverge from EU laws, the U.K. government has proposed a shake-up of the U.K.’s data protection laws. It is reintroducing the Data Protection and Digital Information Bill to Parliament, which will see changes to some of the key concepts that had been adopted under the GDPR.

The GDPR introduced new concepts that were not found in the previous EU Data Protection Directive implemented in the U.K. as the Data Protection Act 1998.[1]

These new concepts include the principle of accountability. This means that a data controller is responsible for what it does with personal data, and must be able to demonstrate compliance with the GDPR’s other six principles, namely:

  • Lawfulness, fairness and transparency;
  • Purpose limitation;
  • Data minimization;
  • Accuracy;
  • Storage limitation;
  • Integrity and confidentiality, i.e., security.

Accountability is a principle that requires organizations to put in place appropriate technical and organizational measures, data privacy assessments and record-keeping.

Another concept is data protection by design. The U.K.’s data protection regulator, the Information Commissioner’s Office, has stated that there is a general obligation to implement appropriate technical and organizational measures to show that the principles of data protection have been considered and integrated into processing activities.

Data protection by design is when an organization embeds data privacy features and data privacy enhancing technologies directly into the design of projects at an early stage.

Businesses have also been required to conduct data privacy impact assessments. This is a new requirement under Article 35 of the GDPR as part of the protection-by-design principle, and is applied when processing:

using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons.[2]

A data privacy impact assessment can be required when tracking a person’s location or behaviour, monitoring a public place on a large scale, processing special category data, making automatic decisions, or when processing children’s data.

For international data transfers, organizations are required to conduct a new data transfer impact assessment to assess local laws in countries that do not offer an adequate level of protection, known under the GDPR as third countries for the transfer of personal data internationally.

This has proven a difficult assessment to make as it requires comparisons between the GDPR and local laws, which could be in countries such as Australia or China.


GDPR Trends and Fines

As well as new concepts, the GDPR has made organizations large and small review what data they hold and how they are required to record it and keep it safe.

A loss of data could amount to a data breach or a breach of the GDPR, and incur fines of up to €20 million ($21.9 million) or 4% of global worldwide turnover, whichever is greater.

Organizations have been required to take various measures to ensure they are compliant with the GDPR, which involves implementing GDPR-compliant privacy policies. To demonstrate compliance, organizations should put in place a record of processing. This is a register of processing activities. Organizations should also put in place a data protection policy, renamed in the GDPR as a privacy standard, which will set out how personal data is protected.

Since the GDPR came into force there have been over 900 fines issued across the European Economic Area. Fines under the U.K. GDPR also keep increasing. The largest fines issued for a breach of the GDPR have been for some of the biggest international and tech companies such as Meta, Amazon, Clearview AI, Google LLC and British Airways, to mention a few.

The data protection authorities in the EU have issued around £1.64 billion ($2.08 billion) in fines since January 2022, and year on year this is increasing, with ad-tech and behavioural advertising being a focus for enforcement action. In July 2021, the Luxembourg National Commission for Data Protection issued Amazon Europe Core S.a.r.l. with a fine of €746 million for infringements relating to Amazon’s advertising targeting system, which was operated without GDPR-compliant consent in place.

Not too much is known about this case specifically, although Amazon has already appealed the fine on the basis of “there having been no data breach, and no customer data being exposed to any third party.” This could be true. Nevertheless, Amazon would not necessarily need to suffer a data breach to be in breach of the GDPR. The appeal will be heard in January 2024.

Meta-owned Facebook received a fine of €265 million from the Data Protection Commission in Ireland for breach of the GDPR when personal data was made available for online hacking.

The data leaked is said to include people’s names, phone numbers, dates of birth and the location of users. The fine was for not applying the data protection by design and default principle.

Developing and New Technology

Facial recognition, virtual reality, AI and the internet of things continue to evolve together with the use of biomedical and genetic data. Biomedical and genetic data were both introduced as new types of special categories of personal data under the GDPR. With the continued use of special category data, classed as more sensitive data, there is an increased risk of data breaches and fines if this data is not kept fully secure.

The leak or loss of this type of data is far more serious, and safety concerns include this data being at higher risk of hacking and cybercrime. This is because the more places a person scans their biometric data, the more copies of it exist that a hacker may gain access to, and the more this data could be misused. This data is high risk because a person cannot change their biometrics or genetic makeup, and therefore if this is stolen it is compromised on a permanent basis. The internet of things is said to be the most misunderstood area of new technology when it comes to security, as a number of these devices can be found in the home. The internet of things includes smart TVs, lights, fridges, robotic Hoovers and Alexa with access to an Amazon account, and each of these devices relies on an internet connection to operate.

The internet of things has not put security at the forefront of its inventions, and this has created problems when using this type of technology. As technology develops we expect to see more robust security emerging with internet of things devices.

The Current Situation Post-Brexit

When Brexit occurred, the U.K. adopted existing EU laws. The U.K. passed the European Union (Withdrawal) Act 2018, and this act created new domestic laws, called retained EU law. The U.K. implemented the U.K. GDPR upon Brexit as retained EU law.

At this time, the U.K. GDPR was identical to the EU GDPR. Post the Brexit transition period in January 2021, there was much discussion around whether the U.K. would receive an adequacy decision by the European Commission, or whether the U.K. would be deemed a third country and not achieve the adequacy status it so badly needed.

The U.K. needed to be deemed an adequate country for GDPR purposes to easily transfer data between the U.K. and EU without additional safeguards. Any requirement for additional safeguards would damage the U.K.’s business trade with the EU, and it has been estimated that it would cost the U.K. economy around £1 billion to £1.6 billion. In June 2021, a decision was granted to confirm the U.K.’s adequacy status with the EU. This meant that the U.K. was deemed an adequate country for the lawful transfer of personal data to the EU for four years from this time. The adequacy decision granted is set to expire in June 2025.

The Future of U.K. Data Protection Laws

The Data Protection and Digital Information Bill is set to change a few key GDPR concepts and requirements, such as requiring organizations to keep records of processing only when there is processing of high-risk data, which can include someone’s health data. There have also been proposals around changes to the appointment of a mandatory data protection officer, which would be replaced by a senior responsible individual, who will be accountable for data protection compliance. However, there will be no mandatory requirement to appoint a data protection officer.

John Edwards, the U.K. information commissioner, supports this bill and has stated that it will enable organizations to grow and innovate while maintaining high standards of data protection rights. The biggest question with regard to this bill is whether the U.K. will lose its adequacy status with the EU if it is implemented.

The new bill does not appear to be a radical change, and the loss of adequacy is more likely to arise from the U.K. making its own decisions on adequacy for current nonadequate countries, such as the U.S. and Australia. Only time will tell how this is going to work out, but one thing is clear — the U.K. needs to maintain its adequacy status with the EU at all costs — or at least until it is due to expire in 2025, to ensure the U.K. economy does not suffer financial loss and to enable the lawful transfer of personal data to the EU to continue without hindrance.

[1] EU Data Protection Directive (Directive 95/46/EC).

[2] GDPR, Art. 35.