Navigating Risk Horizons

Amendments to the UK's Data Protection regime

2024 will see data protection and compliance back in the spotlight, and on the corporate agenda, following the reintroduction of the Data Protection and Digital Information Bill (DPDI) in March 2023. The bill seeks to amend the existing UK GDPR and Data Protection Act 2018 and aims to simplify and update the UK's data protection regime, creating more flexibility whilst maintaining high data protection standards.

Some concerns have been raised that the changes proposed by the DPDI may weaken an individual's data protection rights. However, according to briefing notes issued by the Prime Minister's Office at the time of the King's Speech in 2023, the DPDI has been designed to maximise post-Brexit freedoms to "boost the economy and unleash innovation"; create an innovative and flexible data protection regime which will boost the economy by £4.7 billion over 10 years; reduce burdens on businesses (especially SMEs) and researchers; and enable innovations that advance the health and prosperity of society.

The bill seeks to meet these ambitious goals by, for example, allowing businesses to adopt more proportionate and practical ways to protect personal data, establishing a framework for secure digital verification services, facilitating "smoother, cheaper online transactions," and enabling "smart data" schemes (the secure sharing of customer data with authorised third-party providers, at the customer's request) across the country.

There are also specific plans for the clarification of the rules around using personal data for scientific research, and the improved use of data in the delivery of health and social care, law enforcement, security, and other government services. 

The regime will aim to maintain high international data protection standards, ensuring businesses can trade freely with global partners like the EU, whilst making it easier to strike new data bridges with trusted international partners, boosting trade and market access for UK businesses.

By ensuring it is given powers to tackle organisations that breach data rules, the Information Commissioner’s Office (ICO) will also be able to better allocate its resources and be accountable to Parliament and the public. In this way, the regime is said to better protect people by “strengthening and modernising” the regulator.

While it has been anticipated that the bill would be made law in 2024, the precise timing is as yet unknown. The bill is currently under consideration in the House of Lords and there may be further revisions in due course.

Businesses with UK operations will need to be alive to the potential changes being introduced if the bill becomes law and, importantly, areas of divergence from the GDPR. Those that operate solely in the UK are likely to find that their obligations will become less onerous, meaning that businesses will ultimately be able to save time and money that is currently being spent on GDPR compliance. 

However, those businesses will still need to consider what, if any, changes need to be made to internal policies and procedures. Multinationals with operations in both the UK and the EU/EEA will continue to have GDPR obligations and should begin considering their intended approach. Maintaining GDPR-compliant policies and processes across the board may be sensible for the purposes of simplicity and efficiency.

