UK’s proposed new data protection law
UK data protection law: key proposed changes
What is proposed?
On 10 September 2021, the UK government published its proposals to reform UK data protection law. Whilst current UK data protection law in the form of UK GDPR mirrors EU data protection law, the proposals represent the UK government seizing the opportunity given by Brexit to set separate UK rules for data protection. Their objective, set out in the ministerial foreword, is to:
“…create a more pro-growth and pro-innovation data regime whilst maintaining the UK’s world-leading data protection standards.”
Oliver Dowden, the then Secretary of State for Digital, Culture, Media and Sport
Policy objectives
In more detail, the proposals seek to:
- Support vibrant competition and innovation to drive economic growth
- Maintain high data protection standards without creating unnecessary barriers to responsible data use
- Keep pace with the rapid innovation of data-intensive technologies
- Help innovative businesses of all sizes to use data responsibly without undue uncertainty or risk, both in the UK and internationally
- Ensure the ICO is equipped to regulate effectively in an increasingly data-driven world
Regulatory principles
The Government explains that its decisions will be guided by the following principles:
- The UK’s data protection regime should create a net benefit for the whole of the UK, unlocking new economic opportunities both at home and abroad, and keeping our society safe and secure
- The UK’s data protection regime should be future-proofed with a responsive framework that enables responsible innovation and a focus on privacy outcomes that avoids imposing any rules today that become obsolete as the technological landscape evolves
- The UK’s data protection regime should deliver a high standard of data protection for citizens whilst offering organisations flexibility in determining how to comply most effectively
- Organisations that comply with the UK’s current regime should still be largely compliant with our future regime, except for only a small number of new requirements
- The government’s approach to data protection should actively take into account the benefits of responsible use of personal data, while proactively maintaining public trust in such uses
- Effective, risk-based and preventative supervision is critical to realising a pro-growth and trusted data regime, and the ICO’s world-leading status as the UK’s independent data protection regulator should be sustained
Consultation questions
The document then seeks views on a range of potential measures, grouped by the five policy objectives and informed by the regulatory principles.
The consultation closed on 19 November 2021.
Update: the Data (Use and Access) Act 2025
The 2021 consultation described above led to the Data Protection and Digital Information Bill, first introduced to Parliament in July 2022. That Bill was withdrawn after the change of government in 2024. The incoming government introduced a revised Bill, the Data (Use and Access) Bill, which received Royal Assent on 19 June 2025 as the Data (Use and Access) Act 2025.
The Act does not replace UK data protection law. The UK GDPR and Data Protection Act 2018 remain the primary legislative framework. Instead, the Act makes targeted amendments to existing UK data protection law, with provisions being commenced in stages over 2 to 12 months following Royal Assent.
Key changes to UK data protection law
The Act introduces several changes relevant to organisations subject to UK data protection law. These include a new explicit requirement to consider children’s needs when providing online services that children are likely to use, clarification of time limits for responding to subject access requests (including a new “stop the clock” mechanism where organisations need further information from the requester), and reforms to the law enforcement data processing regime.
The Act also introduces a recognised legitimate interest basis for processing, allowing organisations to rely on specific pre-approved legitimate interests without conducting a balancing test. Other provisions address senior responsible individuals replacing data protection officers in certain contexts, changes to international transfer mechanisms and reforms to the ICO’s structure and enforcement powers.
What this means for UK data protection law compliance
Organisations subject to UK data protection law should review their data protection compliance programmes as commencement regulations are published. The changes are evolutionary rather than revolutionary: the fundamental principles of UK data protection law remain intact, but the practical requirements for compliance are shifting. Businesses operating across UK and EU jurisdictions will need to track divergence between the two regimes carefully.
For specific advice, contact Rob Bratby at Bratby Law.
