
UK GDPR Post Brexit Updates

Please note that this Bill is not in force yet; iubenda will keep you informed of any changes and our products will be aligned with any updates made.

GDPR Post Brexit

Update: The UK government released a proposal for different laws and guidelines for AI and machine learning. See here for more on the UK Data Reform Bill and AI Regulation.

Following a public consultation, the UK has released details of its proposed Data Reform Bill, which will alter the privacy framework in the UK’s post-Brexit version of the GDPR.

The revisions include, among other things, a revamp of the national DPA (ICO) and a restriction on the number of rules that can be applied to: 

  • cookies;
  • DPO meetings; and 
  • the need to conduct DPIAs.

The UK government has long claimed that the GDPR’s lack of clarity made obtaining consent from individuals “a box-ticking process”, with the current approach disproportionately burdening small enterprises.

The government has intimated that the Data Reform Bill will eliminate the requirement for organizations to obtain explicit consent before processing personal data on every occasion, but it hasn’t specified how this will be implemented. According to the report, the new data protection guidelines will be based on results rather than the letter of the law.

  1. The Bill will target pop-up cookie consent boxes. 
  2. An opt-out mechanism will be adopted as part of the new ideas, with the goal of minimizing the requirement for users to click through consent banners on every page.
  3. The Bill eliminates the balancing criteria for data usage based on a list of legitimate interests. When an interest appears on the list, it will be regarded as legitimate.

“The government emphasizes the need to remove unnecessary barriers to cross-border data flows, notably by advancing an ambitious program of sufficiency evaluations,” according to the report.

The United Kingdom has expressed a desire to form new data partnerships with countries such as the United States, Australia, Singapore, and the Republic of Korea. This has raised concerns in Brussels; if EU-UK data flows continue in lockstep, EU citizens’ data may be transferred to third countries with relaxed privacy standards.

Additionally, nuisance call companies might face fines of up to £17.5 million. The maximum financial penalty for cold callers will be increased from £500,000 in accordance with the GDPR (PECR).

Some organizations will not need to designate a data protection officer (DPO) or complete data protection impact assessments (DPIA) when developing new products or services under this new method.

On the other hand, organizations will still need to implement a privacy management program to guarantee they are held accountable for handling personal data.
